From: Andreas Geissler Date: Mon, 22 Apr 2024 15:14:43 +0000 (+0000) Subject: Merge "[AAI] Add model-loader tracing config" X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=refs%2Fheads%2Fmaster;hp=e4aac7a3c577b7bb9eaae93387d482f952ee4b72 Merge "[AAI] Add model-loader tracing config" --- diff --git a/.gitignore b/.gitignore index bb11f06df9..e7726292f1 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ kubernetes/common/dist/* Chart.lock **/charts/*.tgz *.orig +*_build # AAI Schema **/schema/* diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 980093a7a5..bcbafe5d5f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,7 +6,7 @@ repos: - id: trailing-whitespace #exclude: '^ordmodels/' - repo: https://github.com/jorisroovers/gitlint - rev: v0.17.0 + rev: v0.18.0 hooks: - id: gitlint stages: [commit-msg] diff --git a/.readthedocs.yaml b/.readthedocs.yaml index f724264ff4..78491afc51 100644 --- a/.readthedocs.yaml +++ b/.readthedocs.yaml @@ -3,18 +3,19 @@ # Read the Docs configuration file # See https://docs.readthedocs.io/en/stable/config-file/v2.html for details # Required +# version: 2 -formats: - - htmlzip - build: - image: latest + os: ubuntu-20.04 + tools: + python: "3.8" + apt_packages: + - graphviz python: - version: 3.7 - install: - - requirements: requirements.txt + install: + - requirements: docs/requirements-docs.txt sphinx: - configuration: docs/conf.py + configuration: docs/conf.py diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a932d65a53..f736f079e4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -17,49 +17,51 @@ limitations under the License. # Contributing to OOM Thanks for taking the time to contribute to OOM! -Please see a few informations on how to dot it. +Please see some information on how to do it. -## How to become a contributor and submit your own code +## Local setup -### Environment setup +### Install helm-push plugin -In order to be able to check on your side before submitting, you'll need to -install some binaries: +In order to push locally built charts to chartmuseum, the `helm-push` plugin must be installed. You can do that with: -* helm (satisfying the targeted version as seen in [setup guide]( -docs/oom_cloud_setup_guide.rst#software-requirements). -* chartmuseum (in order to push dependency charts) -* helm push (version 0.9.0 as of today) -* make - -### Linting and testing - -OOM use helm linting in order to check that the templates rendering is correct -with default values. +```sh +$ helm plugin install https://github.com/chartmuseum/helm-push +Downloading and installing helm-push v0.10.4 ... +https://github.com/chartmuseum/helm-push/releases/download/v0.10.3/helm-push_0.10.4_linux_amd64.tar.gz +Installed plugin: cm-push +``` -first step is to start chartmuseum: +### Run chartmuseum -```shell +``` shell +mkdir -p charts && docker-compose up +``` +or +``` shell nohup chartmuseum --storage="local" --storage-local-rootdir="/tmp/chartstorage" \ --port 6464 & ``` -then you add `local` repository to helm: +### Add a `local` chart repository +OOM contains `make` files that build the charts and push them to the local chartmuseum. +For that to work, helm needs to know about the `local` helm repository. ```shell -helm repo remove local && helm repo add local http://localhost:6464 +helm repo remove local; helm repo add local http://localhost:6464 ``` -As full rendering may be extremely long (~9h), you can only lint the common -part and the component you're working on. 
-Here's an example with AAI: +### Linting and testing +OOM uses helm linting in order to check that the template rendering is correct with default values. +As full rendering may be extremely long (~9h), you may only want to lint the common part and the component you're working on. +Here's an example with AAI: ```shell cd kubernetes make common && make aai ``` -If you work on non default path, it's strongly advised to also render the +If you work on a non default path, it's strongly advised to also render the template of your component / subcomponent to be sure it's as expected. Here's an example enabling service mesh on aai graphadmin: 
@@ -68,21 +70,19 @@ Here's an example enabling service mesh on aai graphadmin: cd aai/components/ helm template --release-name onap --debug \ --set global.ingress.virtualhost.baseurl=toto \ - --set global.ingress.enabled=true --set global.masterPassword="toto" \ - --set global.serviceMesh.enabled=true --set global.serviceMesh.tls=true \ + --set global.ingress.enabled=true \ + --set global.masterPassword="toto" \ + --set global.serviceMesh.enabled=true \ + --set global.serviceMesh.tls=true \ aai-graphadmin ``` +All the output will be rendered YAML if everything works as expected or an error if something goes wrong. +Usually the errors come from bad indentation or unknown values. -All the output will be the rendered YAML if it's OK or you may see an error. -Usually the errors comes from bad indentation or unknown value. - -### Contributing A Patch - +### Contributing a Patch 1. Fork the desired repo, develop and test your code changes. 2. Sign the LFN CLA () 3. Submit a pull request. 4. Work with the reviewers on their suggestions. -5. Ensure to rebase to the HEAD of your target branch and squash un-necessary - commits ( - ) - before final merger of your contribution. +5. Ensure to rebase to the HEAD of your target branch and [squash un-necessary commits](https://blog.carbonfive.com/always-squash-and-rebase-your-git-commits/) + before finally mergin your contribution. diff --git a/TOSCA/ONAP_TOSCA/onap_tosca.yaml b/TOSCA/ONAP_TOSCA/onap_tosca.yaml index e63901d35f..46e6ffa966 100644 --- a/TOSCA/ONAP_TOSCA/onap_tosca.yaml +++ b/TOSCA/ONAP_TOSCA/onap_tosca.yaml 
@@ -50,7 +50,7 @@ node_templates: chart-version: { get_input: chart-version } namespace: { get_input: namespace } stable-repo-url: { get_input: stable-repo-url} - config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "appc": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vid": {"enabled": false}, "vnfsdk": {"enabled": false} }' + config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vnfsdk": {"enabled": false} }' aaf: type: onap.nodes.component 
@@ -80,20 +80,6 @@ node_templates: - type: cloudify.relationships.connected_to target: onap_env - appc: - type: onap.nodes.component - properties: - tiller-server-ip: { get_input: tiller-server-ip } - tiller-server-port: { get_input: tiller-server-port } - component-name: appc - chart-repo-url: { get_input: chart-repo-url } - chart-version: { get_input: chart-version } - namespace: { get_input: namespace } - stable-repo-url: { get_input: stable-repo-url} - relationships: - - type: cloudify.relationships.connected_to - target: onap_env - clamp: type: onap.nodes.component properties: @@ -389,20 +375,6 @@ node_templates: - type: cloudify.relationships.connected_to target: onap_env - vid: - type: onap.nodes.component - properties: - tiller-server-ip: { get_input: tiller-server-ip } - tiller-server-port: { get_input: tiller-server-port } - component-name: vid - chart-repo-url: { get_input: chart-repo-url } - chart-version: { get_input: chart-version } - namespace: { get_input: namespace } - stable-repo-url: { get_input: stable-repo-url} - relationships: - - type: cloudify.relationships.connected_to - target: onap_env - vnfsdk: type: onap.nodes.component properties: diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000000..091cbca86c --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,13 @@ +version: '3' +services: + chartmuseum: + image: ghcr.io/helm/chartmuseum:v0.16.0 + ports: + - 6464:8080 + volumes: + - ./charts:/charts + environment: + PORT: 8080 + DEBUG: 1 + STORAGE: local + STORAGE_LOCAL_ROOTDIR: /charts \ No newline at end of file diff --git a/docs/_static/css/ribbon.css b/docs/_static/css/ribbon.css index 6008cb1a08..afb9480d67 100644 --- a/docs/_static/css/ribbon.css +++ b/docs/_static/css/ribbon.css @@ -59,5 +59,5 @@ /* fix width of the screen */ .wy-nav-content { - max-width: none; + max-width: 800px; } 
diff --git a/docs/archived/certs/hardcoded_certificates.csv b/docs/archived/certs/hardcoded_certificates.csv new file mode 100644 index 0000000000..83c761e582 --- /dev/null +++ b/docs/archived/certs/hardcoded_certificates.csv @@ -0,0 +1,16 @@ +Project,ONAP Certificate,Own Certificate,MSB Certificate,Path +AAF,No,Yes,No,aaf/charts/aaf-cert-service/resources/ +AAF,Yes,No,No,aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem +AAI,Yes,No,No,aai/oom/resources/config/aai/aai_keystore +AAI/SEARCH-DATA,Yes,No,No,aai/oom/components/aai-search-data/resources/config/auth/tomcat_keystore +AAI/SPARKY-BE,Yes,No,No,aai/oom/components/aai-spary-be/resources/config/auth/org.onap.aai.p12 +AAI/BABEL,No,Yes,No,aai/oom/components/aai-babel/resources/config/auth/tomcat_keystore +AAI/MODEL-LOADER,Yes,Yes,No,aai/oom/components/aai-model-loaderresources/config/auth/tomcat_keystore +certInitializer,Yes,No,No,kubernetes/common/certInitializer/resources +DMaaP/MR,Yes,No,No,Hardcoded in container +HOLMES,No,Yes,No,Hardcoded in container +MULTICLOUD,No,Yes,No,Hardcoded in container +Robot,Yes,No,No,kubernetes/robot/resources/config/lighttpd/ssl/onap-robot.onap.* +SDC,Yes,No?,No?,kubernetes/sdc/resources/cert +VID,Yes,No,No,Hardcoded in container +UUI,No,Yes,No,Hardcoded in container diff --git a/docs/images/consul/consulHealth.png b/docs/archived/images/consul/consulHealth.png similarity index 100% rename from docs/images/consul/consulHealth.png rename to docs/archived/images/consul/consulHealth.png diff --git a/docs/images/cp_vms/control_plane_1.png b/docs/archived/images/cp_vms/control_plane_1.png similarity index 100% rename from docs/images/cp_vms/control_plane_1.png rename to docs/archived/images/cp_vms/control_plane_1.png diff --git a/docs/images/cp_vms/control_plane_2.png b/docs/archived/images/cp_vms/control_plane_2.png similarity index 100% rename from docs/images/cp_vms/control_plane_2.png rename to docs/archived/images/cp_vms/control_plane_2.png 
diff --git a/docs/images/cp_vms/control_plane_3.png b/docs/archived/images/cp_vms/control_plane_3.png similarity index 100% rename from docs/images/cp_vms/control_plane_3.png rename to docs/archived/images/cp_vms/control_plane_3.png diff --git a/docs/images/cp_vms/control_plane_4.png b/docs/archived/images/cp_vms/control_plane_4.png similarity index 100% rename from docs/images/cp_vms/control_plane_4.png rename to docs/archived/images/cp_vms/control_plane_4.png diff --git a/docs/images/cp_vms/control_plane_5.png b/docs/archived/images/cp_vms/control_plane_5.png similarity index 100% rename from docs/images/cp_vms/control_plane_5.png rename to docs/archived/images/cp_vms/control_plane_5.png diff --git a/docs/images/cp_vms/control_plane_6.png b/docs/archived/images/cp_vms/control_plane_6.png similarity index 100% rename from docs/images/cp_vms/control_plane_6.png rename to docs/archived/images/cp_vms/control_plane_6.png diff --git a/docs/images/cp_vms/control_plane_7.png b/docs/archived/images/cp_vms/control_plane_7.png similarity index 100% rename from docs/images/cp_vms/control_plane_7.png rename to docs/archived/images/cp_vms/control_plane_7.png diff --git a/docs/images/cp_vms/control_plane_8.png b/docs/archived/images/cp_vms/control_plane_8.png similarity index 100% rename from docs/images/cp_vms/control_plane_8.png rename to docs/archived/images/cp_vms/control_plane_8.png diff --git a/docs/images/floating_ips/floating_1.png b/docs/archived/images/floating_ips/floating_1.png similarity index 100% rename from docs/images/floating_ips/floating_1.png rename to docs/archived/images/floating_ips/floating_1.png diff --git a/docs/images/floating_ips/floating_2.png b/docs/archived/images/floating_ips/floating_2.png similarity index 100% rename from docs/images/floating_ips/floating_2.png rename to docs/archived/images/floating_ips/floating_2.png 
diff --git a/docs/images/k8s/kubernetes_objects.png b/docs/archived/images/k8s/kubernetes_objects.png similarity index 100% rename from docs/images/k8s/kubernetes_objects.png rename to docs/archived/images/k8s/kubernetes_objects.png diff --git a/docs/images/keys/key_pair_1.png b/docs/archived/images/keys/key_pair_1.png similarity index 100% rename from docs/images/keys/key_pair_1.png rename to docs/archived/images/keys/key_pair_1.png diff --git a/docs/images/keys/key_pair_2.png b/docs/archived/images/keys/key_pair_2.png similarity index 100% rename from docs/images/keys/key_pair_2.png rename to docs/archived/images/keys/key_pair_2.png diff --git a/docs/images/keys/key_pair_3.png b/docs/archived/images/keys/key_pair_3.png similarity index 100% rename from docs/images/keys/key_pair_3.png rename to docs/archived/images/keys/key_pair_3.png diff --git a/docs/images/keys/key_pair_4.png b/docs/archived/images/keys/key_pair_4.png similarity index 100% rename from docs/images/keys/key_pair_4.png rename to docs/archived/images/keys/key_pair_4.png diff --git a/docs/images/msb/MSB-OOM-Diagram.png b/docs/archived/images/msb/MSB-OOM-Diagram.png similarity index 100% rename from docs/images/msb/MSB-OOM-Diagram.png rename to docs/archived/images/msb/MSB-OOM-Diagram.png diff --git a/docs/images/network/network_1.png b/docs/archived/images/network/network_1.png similarity index 100% rename from docs/images/network/network_1.png rename to docs/archived/images/network/network_1.png diff --git a/docs/images/network/network_2.png b/docs/archived/images/network/network_2.png similarity index 100% rename from docs/images/network/network_2.png rename to docs/archived/images/network/network_2.png diff --git a/docs/images/network/network_3.png b/docs/archived/images/network/network_3.png similarity index 100% rename from docs/images/network/network_3.png rename to docs/archived/images/network/network_3.png 
diff --git a/docs/images/network/network_4.png b/docs/archived/images/network/network_4.png similarity index 100% rename from docs/images/network/network_4.png rename to docs/archived/images/network/network_4.png diff --git a/docs/images/nfs_server/nfs_server_1.png b/docs/archived/images/nfs_server/nfs_server_1.png similarity index 100% rename from docs/images/nfs_server/nfs_server_1.png rename to docs/archived/images/nfs_server/nfs_server_1.png diff --git a/docs/images/nfs_server/nfs_server_10.png b/docs/archived/images/nfs_server/nfs_server_10.png similarity index 100% rename from docs/images/nfs_server/nfs_server_10.png rename to docs/archived/images/nfs_server/nfs_server_10.png diff --git a/docs/images/nfs_server/nfs_server_2.png b/docs/archived/images/nfs_server/nfs_server_2.png similarity index 100% rename from docs/images/nfs_server/nfs_server_2.png rename to docs/archived/images/nfs_server/nfs_server_2.png diff --git a/docs/images/nfs_server/nfs_server_3.png b/docs/archived/images/nfs_server/nfs_server_3.png similarity index 100% rename from docs/images/nfs_server/nfs_server_3.png rename to docs/archived/images/nfs_server/nfs_server_3.png diff --git a/docs/images/nfs_server/nfs_server_4.png b/docs/archived/images/nfs_server/nfs_server_4.png similarity index 100% rename from docs/images/nfs_server/nfs_server_4.png rename to docs/archived/images/nfs_server/nfs_server_4.png diff --git a/docs/images/nfs_server/nfs_server_5.png b/docs/archived/images/nfs_server/nfs_server_5.png similarity index 100% rename from docs/images/nfs_server/nfs_server_5.png rename to docs/archived/images/nfs_server/nfs_server_5.png diff --git a/docs/images/nfs_server/nfs_server_6.png b/docs/archived/images/nfs_server/nfs_server_6.png similarity index 100% rename from docs/images/nfs_server/nfs_server_6.png rename to docs/archived/images/nfs_server/nfs_server_6.png 
diff --git a/docs/images/nfs_server/nfs_server_7.png b/docs/archived/images/nfs_server/nfs_server_7.png similarity index 100% rename from docs/images/nfs_server/nfs_server_7.png rename to docs/archived/images/nfs_server/nfs_server_7.png diff --git a/docs/images/nfs_server/nfs_server_8.png b/docs/archived/images/nfs_server/nfs_server_8.png similarity index 100% rename from docs/images/nfs_server/nfs_server_8.png rename to docs/archived/images/nfs_server/nfs_server_8.png diff --git a/docs/images/nfs_server/nfs_server_9.png b/docs/archived/images/nfs_server/nfs_server_9.png similarity index 100% rename from docs/images/nfs_server/nfs_server_9.png rename to docs/archived/images/nfs_server/nfs_server_9.png diff --git a/docs/images/oom_logo/oomLogoV2-Configure.png b/docs/archived/images/oom_logo/oomLogoV2-Configure.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-Configure.png rename to docs/archived/images/oom_logo/oomLogoV2-Configure.png diff --git a/docs/images/oom_logo/oomLogoV2-Delete.png b/docs/archived/images/oom_logo/oomLogoV2-Delete.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-Delete.png rename to docs/archived/images/oom_logo/oomLogoV2-Delete.png diff --git a/docs/images/oom_logo/oomLogoV2-Deploy.png b/docs/archived/images/oom_logo/oomLogoV2-Deploy.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-Deploy.png rename to docs/archived/images/oom_logo/oomLogoV2-Deploy.png diff --git a/docs/images/oom_logo/oomLogoV2-Heal.png b/docs/archived/images/oom_logo/oomLogoV2-Heal.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-Heal.png rename to docs/archived/images/oom_logo/oomLogoV2-Heal.png diff --git a/docs/images/oom_logo/oomLogoV2-Monitor.png b/docs/archived/images/oom_logo/oomLogoV2-Monitor.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-Monitor.png rename to docs/archived/images/oom_logo/oomLogoV2-Monitor.png 
diff --git a/docs/images/oom_logo/oomLogoV2-Scale.png b/docs/archived/images/oom_logo/oomLogoV2-Scale.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-Scale.png rename to docs/archived/images/oom_logo/oomLogoV2-Scale.png diff --git a/docs/images/oom_logo/oomLogoV2-Upgrade.png b/docs/archived/images/oom_logo/oomLogoV2-Upgrade.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-Upgrade.png rename to docs/archived/images/oom_logo/oomLogoV2-Upgrade.png diff --git a/docs/images/oom_logo/oomLogoV2-medium.png b/docs/archived/images/oom_logo/oomLogoV2-medium.png similarity index 100% rename from docs/images/oom_logo/oomLogoV2-medium.png rename to docs/archived/images/oom_logo/oomLogoV2-medium.png diff --git a/docs/images/rke/rke_1.png b/docs/archived/images/rke/rke_1.png similarity index 100% rename from docs/images/rke/rke_1.png rename to docs/archived/images/rke/rke_1.png diff --git a/docs/images/sg/sg_1.png b/docs/archived/images/sg/sg_1.png similarity index 100% rename from docs/images/sg/sg_1.png rename to docs/archived/images/sg/sg_1.png diff --git a/docs/images/sg/sg_2.png b/docs/archived/images/sg/sg_2.png similarity index 100% rename from docs/images/sg/sg_2.png rename to docs/archived/images/sg/sg_2.png diff --git a/docs/images/wk_vms/worker_1.png b/docs/archived/images/wk_vms/worker_1.png similarity index 100% rename from docs/images/wk_vms/worker_1.png rename to docs/archived/images/wk_vms/worker_1.png diff --git a/docs/images/wk_vms/worker_2.png b/docs/archived/images/wk_vms/worker_2.png similarity index 100% rename from docs/images/wk_vms/worker_2.png rename to docs/archived/images/wk_vms/worker_2.png diff --git a/docs/images/wk_vms/worker_3.png b/docs/archived/images/wk_vms/worker_3.png similarity index 100% rename from docs/images/wk_vms/worker_3.png rename to docs/archived/images/wk_vms/worker_3.png 
diff --git a/docs/images/wk_vms/worker_4.png b/docs/archived/images/wk_vms/worker_4.png similarity index 100% rename from docs/images/wk_vms/worker_4.png rename to docs/archived/images/wk_vms/worker_4.png diff --git a/docs/images/wk_vms/worker_5.png b/docs/archived/images/wk_vms/worker_5.png similarity index 100% rename from docs/images/wk_vms/worker_5.png rename to docs/archived/images/wk_vms/worker_5.png diff --git a/docs/images/wk_vms/worker_6.png b/docs/archived/images/wk_vms/worker_6.png similarity index 100% rename from docs/images/wk_vms/worker_6.png rename to docs/archived/images/wk_vms/worker_6.png diff --git a/docs/images/wk_vms/worker_7.png b/docs/archived/images/wk_vms/worker_7.png similarity index 100% rename from docs/images/wk_vms/worker_7.png rename to docs/archived/images/wk_vms/worker_7.png diff --git a/docs/archived/oom_developer_guide.rst b/docs/archived/oom_developer_guide.rst new file mode 100644 index 0000000000..f6513bdf83 --- /dev/null +++ b/docs/archived/oom_developer_guide.rst 
@@ -0,0 +1,1149 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung +.. Modification copyright (C) 2022 Nordix Foundation + +.. Links +.. _Helm: https://docs.helm.sh/ +.. _Helm Charts: https://github.com/kubernetes/charts +.. _Kubernetes: https://Kubernetes.io/ +.. _Docker: https://www.docker.com/ +.. _Nexus: https://nexus.onap.org/ +.. _AWS Elastic Block Store: https://aws.amazon.com/ebs/ +.. _Azure File: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction +.. _GCE Persistent Disk: https://cloud.google.com/compute/docs/disks/ +.. _Gluster FS: https://www.gluster.org/ +.. _Kubernetes Storage Class: https://Kubernetes.io/docs/concepts/storage/storage-classes/ +.. _Assigning Pods to Nodes: https://Kubernetes.io/docs/concepts/configuration/assign-pod-node/ + + +.. _developer-guide-label: + +OOM Developer Guide +################### + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +ONAP consists of a large number of components, each of which are substantial +projects within themselves, which results in a high degree of complexity in +deployment and management. To cope with this complexity the ONAP Operations +Manager (OOM) uses a Helm_ model of ONAP - Helm being the primary management +system for Kubernetes_ container systems - to drive all user driven life-cycle +management operations. The Helm model of ONAP is composed of a set of +hierarchical Helm charts that define the structure of the ONAP components and +the configuration of these components. These charts are fully parameterized +such that a single environment file defines all of the parameters needed to +deploy ONAP. A user of ONAP may maintain several such environment files to +control the deployment of ONAP in multiple environments such as development, +pre-production, and production. 
+ +The following sections describe how the ONAP Helm charts are constructed. + +.. contents:: + :depth: 3 + :local: +.. + +Container Background +==================== +Linux containers allow for an application and all of its operating system +dependencies to be packaged and deployed as a single unit without including a +guest operating system as done with virtual machines. The most popular +container solution is Docker_ which provides tools for container management +like the Docker Host (dockerd) which can create, run, stop, move, or delete a +container. Docker has a very popular registry of containers images that can be +used by any Docker system; however, in the ONAP context, Docker images are +built by the standard CI/CD flow and stored in Nexus_ repositories. OOM uses +the "standard" ONAP docker containers and three new ones specifically created +for OOM. + +Containers are isolated from each other primarily via name spaces within the +Linux kernel without the need for multiple guest operating systems. As such, +multiple containers can be deployed with little overhead such as all of ONAP +can be deployed on a single host. With some optimization of the ONAP components +(e.g. elimination of redundant database instances) it may be possible to deploy +ONAP on a single laptop computer. + +Helm Charts +=========== +A Helm chart is a collection of files that describe a related set of Kubernetes +resources. A simple chart might be used to deploy something simple, like a +memcached pod, while a complex chart might contain many micro-service arranged +in a hierarchy as found in the `aai` ONAP component. + +Charts are created as files laid out in a particular directory tree, then they +can be packaged into versioned archives to be deployed. There is a public +archive of `Helm Charts`_ on GitHub that includes many technologies applicable +to ONAP. Some of these charts have been used in ONAP and all of the ONAP charts +have been created following the guidelines provided. 
+ +The top level of the ONAP charts is shown below: + +.. code-block:: bash + + common + ├── cassandra + │   ├── Chart.yaml + │   ├── resources + │   │   ├── config + │   │   │   └── docker-entrypoint.sh + │   │   ├── exec.py + │   │   └── restore.sh + │   ├── templates + │   │   ├── backup + │   │   │   ├── configmap.yaml + │   │   │   ├── cronjob.yaml + │   │   │   ├── pv.yaml + │   │   │   └── pvc.yaml + │   │   ├── configmap.yaml + │   │   ├── pv.yaml + │   │   ├── service.yaml + │   │   └── statefulset.yaml + │   └── values.yaml + ├── common + │   ├── Chart.yaml + │   ├── templates + │   │   ├── _createPassword.tpl + │   │   ├── _ingress.tpl + │   │   ├── _labels.tpl + │   │   ├── _mariadb.tpl + │   │   ├── _name.tpl + │   │   ├── _namespace.tpl + │   │   ├── _repository.tpl + │   │   ├── _resources.tpl + │   │   ├── _secret.yaml + │   │   ├── _service.tpl + │   │   ├── _storage.tpl + │   │   └── _tplValue.tpl + │   └── values.yaml + ├── ... + └── postgres-legacy +    ├── Chart.yaml + ├── charts + └── configs + +The common section of charts consists of a set of templates that assist with +parameter substitution (`_name.tpl`, `_namespace.tpl` and others) and a set of +charts for components used throughout ONAP. When the common components are used +by other charts they are instantiated each time or we can deploy a shared +instances for several components. + +All of the ONAP components have charts that follow the pattern shown below: + +.. 
code-block:: bash + + name-of-my-component + ├── Chart.yaml + ├── component + │   └── subcomponent-folder + ├── charts + │   └── subchart-folder + ├── resources + │   ├── folder1 + │   │   ├── file1 + │   │   └── file2 + │   └── folder1 + │   ├── file3 + │   └── folder3 + │      └── file4 + ├── templates + │   ├── NOTES.txt + │   ├── configmap.yaml + │   ├── deployment.yaml + │   ├── ingress.yaml + │   ├── job.yaml + │   ├── secrets.yaml + │   └── service.yaml + └── values.yaml + +Note that the component charts / components may include a hierarchy of sub +components and in themselves can be quite complex. + +You can use either `charts` or `components` folder for your subcomponents. +`charts` folder means that the subcomponent will always been deployed. + +`components` folders means we can choose if we want to deploy the +subcomponent. + +This choice is done in root `values.yaml`: + +.. code-block:: yaml + + --- + global: + key: value + + component1: + enabled: true + component2: + enabled: true + +Then in `Chart.yaml` dependencies section, you'll use these values: + +.. code-block:: yaml + + --- + dependencies: + - name: common + version: ~x.y-0 + repository: '@local' + - name: component1 + version: ~x.y-0 + repository: 'file://components/component1' + condition: component1.enabled + - name: component2 + version: ~x.y-0 + repository: 'file://components/component2' + condition: component2.enabled + +Configuration of the components varies somewhat from component to component but +generally follows the pattern of one or more `configmap.yaml` files which can +directly provide configuration to the containers in addition to processing +configuration files stored in the `config` directory. It is the responsibility +of each ONAP component team to update these configuration files when changes +are made to the project containers that impact configuration. 
+ +The following section describes how the hierarchical ONAP configuration system +is key to management of such a large system. + +Configuration Management +======================== + +ONAP is a large system composed of many components - each of which are complex +systems in themselves - that needs to be deployed in a number of different +ways. For example, within a single operator's network there may be R&D +deployments under active development, pre-production versions undergoing system +testing and production systems that are operating live networks. Each of these +deployments will differ in significant ways, such as the version of the +software images deployed. In addition, there may be a number of application +specific configuration differences, such as operating system environment +variables. The following describes how the Helm configuration management +system is used within the OOM project to manage both ONAP infrastructure +configuration as well as ONAP components configuration. + +One of the artifacts that OOM/Kubernetes uses to deploy ONAP components is the +deployment specification, yet another yaml file. Within these deployment specs +are a number of parameters as shown in the following example: + +.. 
code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app.kubernetes.io/name: zookeeper + helm.sh/chart: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/instance: onap-oof + name: onap-oof-zookeeper + namespace: onap + spec: + <...> + replicas: 3 + selector: + matchLabels: + app.kubernetes.io/name: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/instance: onap-oof + serviceName: onap-oof-zookeeper-headless + template: + metadata: + labels: + app.kubernetes.io/name: zookeeper + helm.sh/chart: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/instance: onap-oof + spec: + <...> + affinity: + containers: + - name: zookeeper + <...> + image: gcr.io/google_samples/k8szk:v3 + imagePullPolicy: Always + <...> + ports: + - containerPort: 2181 + name: client + protocol: TCP + - containerPort: 3888 + name: election + protocol: TCP + - containerPort: 2888 + name: server + protocol: TCP + <...> + +Note that within the statefulset specification, one of the container arguments +is the key/value pair image: gcr.io/google_samples/k8szk:v3 which +specifies the version of the zookeeper software to deploy. Although the +statefulset specifications greatly simplify statefulset, maintenance of the +statefulset specifications themselves become problematic as software versions +change over time or as different versions are required for different +statefulsets. For example, if the R&D team needs to deploy a newer version of +mariadb than what is currently used in the production environment, they would +need to clone the statefulset specification and change this value. Fortunately, +this problem has been solved with the templating capabilities of Helm. 
+ +The following example shows how the statefulset specifications are modified to +incorporate Helm templates such that key/value pairs can be defined outside of +the statefulset specifications and passed during instantiation of the component. + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . }} + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + {{- range $index, $port := .Values.service.ports }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + {{- range $index, $port := .Values.service.headlessPorts }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + <...> + +This version of the statefulset specification has gone through the process of +templating values that are likely to change between statefulsets. Note that the +image is now specified as: image: {{ .Values.image }} instead of a +string used previously. During the statefulset phase, Helm (actually the Helm +sub-component Tiller) substitutes the {{ .. }} entries with a variable defined +in a values.yaml file. The content of this file is as follows: + +.. 
code-block:: yaml + + <...> + image: gcr.io/google_samples/k8szk:v3 + replicaCount: 3 + <...> + + +Within the values.yaml file there is an image key with the value +`gcr.io/google_samples/k8szk:v3` which is the same value used in +the non-templated version. Once all of the substitutions are complete, the +resulting statefulset specification ready to be used by Kubernetes. + +When creating a template consider the use of default values if appropriate. +Helm templating has built in support for DEFAULT values, here is +an example: + +.. code-block:: yaml + + imagePullSecrets: + - name: "{{ .Values.nsPrefix | default "onap" }}-docker-registry-key" + +The pipeline operator ("|") used here hints at that power of Helm templates in +that much like an operating system command line the pipeline operator allow +over 60 Helm functions to be embedded directly into the template (note that the +Helm template language is a superset of the Go template language). These +functions include simple string operations like upper and more complex flow +control operations like if/else. + +OOM is mainly helm templating. In order to have consistent deployment of the +different components of ONAP, some rules must be followed. + +Templates are provided in order to create Kubernetes resources (Secrets, +Ingress, Services, ...) or part of Kubernetes resources (names, labels, +resources requests and limits, ...). + +a full list and simple description is done in +`kubernetes/common/common/documentation.rst`. + +Service template +---------------- + +In order to create a Service for a component, you have to create a file (with +`service` in the name. +For normal service, just put the following line: + +.. code-block:: yaml + + {{ include "common.service" . }} + +For headless service, the line to put is the following: + +.. code-block:: yaml + + {{ include "common.headlessService" . }} + +The configuration of the service is done in component `values.yaml`: + +.. 
code-block:: yaml + + service: + name: NAME-OF-THE-SERVICE + postfix: MY-POSTFIX + type: NodePort + annotations: + someAnnotationsKey: value + ports: + - name: tcp-MyPort + port: 5432 + nodePort: 88 + - name: http-api + port: 8080 + nodePort: 89 + - name: https-api + port: 9443 + nodePort: 90 + +`annotations` and `postfix` keys are optional. +if `service.type` is `NodePort`, then you have to give `nodePort` value for your +service ports (which is the end of the computed nodePort, see example). + +It would render the following Service Resource (for a component named +`name-of-my-component`, with version `x.y.z`, helm deployment name +`my-deployment` and `global.nodePortPrefix` `302`): + +.. code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + annotations: + someAnnotationsKey: value + name: NAME-OF-THE-SERVICE-MY-POSTFIX + labels: + app.kubernetes.io/name: name-of-my-component + helm.sh/chart: name-of-my-component-x.y.z + app.kubernetes.io/instance: my-deployment-name-of-my-component + app.kubernetes.io/managed-by: Tiller + spec: + ports: + - port: 5432 + targetPort: tcp-MyPort + nodePort: 30288 + - port: 8080 + targetPort: http-api + nodePort: 30289 + - port: 9443 + targetPort: https-api + nodePort: 30290 + selector: + app.kubernetes.io/name: name-of-my-component + app.kubernetes.io/instance: my-deployment-name-of-my-component + type: NodePort + +In the deployment or statefulSet file, you needs to set the good labels in +order for the service to match the pods. + +here's an example to be sure it matches (for a statefulSet): + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + selector: + matchLabels: {{- include "common.matchLabels" . 
| nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . }} + ports: + {{- range $index, $port := .Values.service.ports }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + {{- range $index, $port := .Values.service.headlessPorts }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + <...> + +The configuration of the service is done in component `values.yaml`: + +.. code-block:: yaml + + service: + name: NAME-OF-THE-SERVICE + headless: + postfix: NONE + annotations: + anotherAnnotationsKey : value + publishNotReadyAddresses: true + headlessPorts: + - name: tcp-MyPort + port: 5432 + - name: http-api + port: 8080 + - name: https-api + port: 9443 + +`headless.annotations`, `headless.postfix` and +`headless.publishNotReadyAddresses` keys are optional. + +If `headless.postfix` is not set, then we'll add `-headless` at the end of the +service name. + +If it set to `NONE`, there will be not postfix. + +And if set to something, it will add `-something` at the end of the service +name. + +It would render the following Service Resource (for a component named +`name-of-my-component`, with version `x.y.z`, helm deployment name +`my-deployment` and `global.nodePortPrefix` `302`): + +.. 
code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + annotations: + anotherAnnotationsKey: value + name: NAME-OF-THE-SERVICE + labels: + app.kubernetes.io/name: name-of-my-component + helm.sh/chart: name-of-my-component-x.y.z + app.kubernetes.io/instance: my-deployment-name-of-my-component + app.kubernetes.io/managed-by: Tiller + spec: + clusterIP: None + ports: + - port: 5432 + targetPort: tcp-MyPort + nodePort: 30288 + - port: 8080 + targetPort: http-api + nodePort: 30289 + - port: 9443 + targetPort: https-api + nodePort: 30290 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/name: name-of-my-component + app.kubernetes.io/instance: my-deployment-name-of-my-component + type: ClusterIP + +Previous example of StatefulSet would also match (except for the `postfix` part +obviously). + +Creating Deployment or StatefulSet +---------------------------------- + +Deployment and StatefulSet should use the `apps/v1` (which has appeared in +v1.9). +As seen on the service part, the following parts are mandatory: + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . 
}} + +ONAP Application Configuration +------------------------------ + +Dependency Management +--------------------- +These Helm charts describe the desired state +of an ONAP deployment and instruct the Kubernetes container manager as to how +to maintain the deployment in this state. These dependencies dictate the order +in-which the containers are started for the first time such that such +dependencies are always met without arbitrary sleep times between container +startups. For example, the SDC back-end container requires the Elastic-Search, +Cassandra and Kibana containers within SDC to be ready and is also dependent on +DMaaP (or the message-router) to be ready - where ready implies the built-in +"readiness" probes succeeded - before becoming fully operational. When an +initial deployment of ONAP is requested the current state of the system is NULL +so ONAP is deployed by the Kubernetes manager as a set of Docker containers on +one or more predetermined hosts. The hosts could be physical machines or +virtual machines. When deploying on virtual machines the resulting system will +be very similar to "Heat" based deployments, i.e. Docker containers running +within a set of VMs, the primary difference being that the allocation of +containers to VMs is done dynamically with OOM and statically with "Heat". +Example SO deployment descriptor file shows SO's dependency on its mariadb +data-base component: + +SO deployment specification excerpt: + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ include "common.name" . 
}} + release: {{ .Release.Name }} + spec: + initContainers: + - command: + - /app/ready.py + args: + - --container-name + - so-mariadb + env: + ... + +Kubernetes Container Orchestration +================================== +The ONAP components are managed by the Kubernetes_ container management system +which maintains the desired state of the container system as described by one +or more deployment descriptors - similar in concept to OpenStack HEAT +Orchestration Templates. The following sections describe the fundamental +objects managed by Kubernetes, the network these components use to communicate +with each other and other entities outside of ONAP and the templates that +describe the configuration and desired state of the ONAP components. + +Name Spaces +----------- +Within the namespaces are Kubernetes services that provide external +connectivity to pods that host Docker containers. + +ONAP Components to Kubernetes Object Relationships +-------------------------------------------------- +Kubernetes deployments consist of multiple objects: + +- **nodes** - a worker machine - either physical or virtual - that hosts + multiple containers managed by Kubernetes. +- **services** - an abstraction of a logical set of pods that provide a + micro-service. +- **pods** - one or more (but typically one) container(s) that provide specific + application functionality. +- **persistent volumes** - One or more permanent volumes need to be established + to hold non-ephemeral configuration and state data. + +The relationship between these objects is shown in the following figure: + +.. .. uml:: +.. +.. @startuml +.. node PH { +.. component Service { +.. component Pod0 +.. component Pod1 +.. } +.. } +.. +.. database PV +.. @enduml + +.. figure:: ../../resources/images/k8s/kubernetes_objects.png + +OOM uses these Kubernetes objects as described in the following sections. + +Nodes +~~~~~ +OOM works with both physical and virtual worker machines. 
+ +* Virtual Machine Deployments - If ONAP is to be deployed onto a set of virtual + machines, the creation of the VMs is outside of the scope of OOM and could be + done in many ways, such as + + * manually, for example by a user using the OpenStack Horizon dashboard or + AWS EC2, or + * automatically, for example with the use of a OpenStack Heat Orchestration + Template which builds an ONAP stack, Azure ARM template, AWS CloudFormation + Template, or + * orchestrated, for example with Cloudify creating the VMs from a TOSCA + template and controlling their life cycle for the life of the ONAP + deployment. + +* Physical Machine Deployments - If ONAP is to be deployed onto physical + machines there are several options but the recommendation is to use Rancher + along with Helm to associate hosts with a Kubernetes cluster. + +Pods +~~~~ +A group of containers with shared storage and networking can be grouped +together into a Kubernetes pod. All of the containers within a pod are +co-located and co-scheduled so they operate as a single unit. Within ONAP +Amsterdam release, pods are mapped one-to-one to docker containers although +this may change in the future. As explained in the Services section below the +use of Pods within each ONAP component is abstracted from other ONAP +components. + +Services +~~~~~~~~ +OOM uses the Kubernetes service abstraction to provide a consistent access +point for each of the ONAP components independent of the pod or container +architecture of that component. For example, the SDNC component may introduce +OpenDaylight clustering as some point and change the number of pods in this +component to three or more but this change will be isolated from the other ONAP +components by the service abstraction. A service can include a load balancer +on its ingress to distribute traffic between the pods and even react to dynamic +changes in the number of pods if they are part of a replica set. 
+ +Persistent Volumes +~~~~~~~~~~~~~~~~~~ +To enable ONAP to be deployed into a wide variety of cloud infrastructures a +flexible persistent storage architecture, built on Kubernetes persistent +volumes, provides the ability to define the physical storage in a central +location and have all ONAP components securely store their data. + +When deploying ONAP into a public cloud, available storage services such as +`AWS Elastic Block Store`_, `Azure File`_, or `GCE Persistent Disk`_ are +options. Alternatively, when deploying into a private cloud the storage +architecture might consist of Fiber Channel, `Gluster FS`_, or iSCSI. Many +other storage options existing, refer to the `Kubernetes Storage Class`_ +documentation for a full list of the options. The storage architecture may vary +from deployment to deployment but in all cases a reliable, redundant storage +system must be provided to ONAP with which the state information of all ONAP +components will be securely stored. The Storage Class for a given deployment is +a single parameter listed in the ONAP values.yaml file and therefore is easily +customized. Operation of this storage system is outside the scope of the OOM. + +.. code-block:: yaml + + Insert values.yaml code block with storage block here + +Once the storage class is selected and the physical storage is provided, the +ONAP deployment step creates a pool of persistent volumes within the given +physical storage that is used by all of the ONAP components. ONAP components +simply make a claim on these persistent volumes (PV), with a persistent volume +claim (PVC), to gain access to their storage. + +The following figure illustrates the relationships between the persistent +volume claims, the persistent volumes, the storage class, and the physical +storage. + +.. 
graphviz:: + + digraph PV { + label = "Persistance Volume Claim to Physical Storage Mapping" + { + node [shape=cylinder] + D0 [label="Drive0"] + D1 [label="Drive1"] + Dx [label="Drivex"] + } + { + node [shape=Mrecord label="StorageClass:ceph"] + sc + } + { + node [shape=point] + p0 p1 p2 + p3 p4 p5 + } + subgraph clusterSDC { + label="SDC" + PVC0 + PVC1 + } + subgraph clusterSDNC { + label="SDNC" + PVC2 + } + subgraph clusterSO { + label="SO" + PVCn + } + PV0 -> sc + PV1 -> sc + PV2 -> sc + PVn -> sc + + sc -> {D0 D1 Dx} + PVC0 -> PV0 + PVC1 -> PV1 + PVC2 -> PV2 + PVCn -> PVn + + # force all of these nodes to the same line in the given order + subgraph { + rank = same; PV0;PV1;PV2;PVn;p0;p1;p2 + PV0->PV1->PV2->p0->p1->p2->PVn [style=invis] + } + + subgraph { + rank = same; D0;D1;Dx;p3;p4;p5 + D0->D1->p3->p4->p5->Dx [style=invis] + } + + } + +In-order for an ONAP component to use a persistent volume it must make a claim +against a specific persistent volume defined in the ONAP common charts. Note +that there is a one-to-one relationship between a PVC and PV. The following is +an excerpt from a component chart that defines a PVC: + +.. code-block:: yaml + + Insert PVC example here + +OOM Networking with Kubernetes +------------------------------ + +- DNS +- Ports - Flattening the containers also expose port conflicts between the + containers which need to be resolved. + +Node Ports +~~~~~~~~~~ + +Pod Placement Rules +------------------- +OOM will use the rich set of Kubernetes node and pod affinity / +anti-affinity rules to minimize the chance of a single failure resulting in a +loss of ONAP service. Node affinity / anti-affinity is used to guide the +Kubernetes orchestrator in the placement of pods on nodes (physical or virtual +machines). 
For example: + +- if a container used Intel DPDK technology the pod may state that it as + affinity to an Intel processor based node, or +- geographical based node labels (such as the Kubernetes standard zone or + region labels) may be used to ensure placement of a DCAE complex close to the + VNFs generating high volumes of traffic thus minimizing networking cost. + Specifically, if nodes were pre-assigned labels East and West, the pod + deployment spec to distribute pods to these nodes would be: + +.. code-block:: yaml + + nodeSelector: + failure-domain.beta.Kubernetes.io/region: {{ .Values.location }} + +- "location: West" is specified in the `values.yaml` file used to deploy + one DCAE cluster and "location: East" is specified in a second `values.yaml` + file (see OOM Configuration Management for more information about + configuration files like the `values.yaml` file). + +Node affinity can also be used to achieve geographic redundancy if pods are +assigned to multiple failure domains. For more information refer to `Assigning +Pods to Nodes`_. + +.. note:: + One could use Pod to Node assignment to totally constrain Kubernetes when + doing initial container assignment to replicate the Amsterdam release + OpenStack Heat based deployment. Should one wish to do this, each VM would + need a unique node name which would be used to specify a node constaint + for every component. These assignment could be specified in an environment + specific values.yaml file. Constraining Kubernetes in this way is not + recommended. + +Kubernetes has a comprehensive system called Taints and Tolerations that can be +used to force the container orchestrator to repel pods from nodes based on +static events (an administrator assigning a taint to a node) or dynamic events +(such as a node becoming unreachable or running out of disk space). There are +no plans to use taints or tolerations in the ONAP Beijing release. 
Pod +affinity / anti-affinity is the concept of creating a spacial relationship +between pods when the Kubernetes orchestrator does assignment (both initially +an in operation) to nodes as explained in Inter-pod affinity and anti-affinity. +For example, one might choose to co-located all of the ONAP SDC containers on a +single node as they are not critical runtime components and co-location +minimizes overhead. On the other hand, one might choose to ensure that all of +the containers in an ODL cluster (SDNC and APPC) are placed on separate nodes +such that a node failure has minimal impact to the operation of the cluster. +An example of how pod affinity / anti-affinity is shown below: + +Pod Affinity / Anti-Affinity + +.. code-block:: yaml + + apiVersion: v1 + kind: Pod + metadata: + name: with-pod-affinity + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: security + operator: In + values: + - S1 + topologyKey: failure-domain.beta.Kubernetes.io/zone + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: security + operator: In + values: + - S2 + topologyKey: Kubernetes.io/hostname + containers: + - name: with-pod-affinity + image: gcr.io/google_containers/pause:2.0 + +This example contains both podAffinity and podAntiAffinity rules, the first +rule is is a must (requiredDuringSchedulingIgnoredDuringExecution) while the +second will be met pending other considerations +(preferredDuringSchedulingIgnoredDuringExecution). Preemption Another feature +that may assist in achieving a repeatable deployment in the presence of faults +that may have reduced the capacity of the cloud is assigning priority to the +containers such that mission critical components have the ability to evict less +critical components. Kubernetes provides this capability with Pod Priority and +Preemption. 
Prior to having more advanced production grade features available, +the ability to at least be able to re-deploy ONAP (or a subset of) reliably +provides a level of confidence that should an outage occur the system can be +brought back on-line predictably. + +Health Checks +------------- + +Monitoring of ONAP components is configured in the agents within JSON files and +stored in gerrit under the consul-agent-config, here is an example from the AAI +model loader (aai-model-loader-health.json): + +.. code-block:: json + + { + "service": { + "name": "A&AI Model Loader", + "checks": [ + { + "id": "model-loader-process", + "name": "Model Loader Presence", + "script": "/consul/config/scripts/model-loader-script.sh", + "interval": "15s", + "timeout": "1s" + } + ] + } + } + +Liveness Probes +--------------- + +These liveness probes can simply check that a port is available, that a +built-in health check is reporting good health, or that the Consul health check +is positive. For example, to monitor the SDNC component has following liveness +probe can be found in the SDNC DB deployment specification: + +.. code-block:: yaml + + sdnc db liveness probe + + livenessProbe: + exec: + command: ["mysqladmin", "ping"] + initialDelaySeconds: 30 periodSeconds: 10 + timeoutSeconds: 5 + +The 'initialDelaySeconds' control the period of time between the readiness +probe succeeding and the liveness probe starting. 'periodSeconds' and +'timeoutSeconds' control the actual operation of the probe. Note that +containers are inherently ephemeral so the healing action destroys failed +containers and any state information within it. To avoid a loss of state, a +persistent volume should be used to store all data that needs to be persisted +over the re-creation of a container. Persistent volumes have been created for +the database components of each of the projects and the same technique can be +used for all persistent state information. 
+ + + +Environment Files +~~~~~~~~~~~~~~~~~ + +MSB Integration +=============== + +The \ `Microservices Bus +Project `__ provides +facilities to integrate micro-services into ONAP and therefore needs to +integrate into OOM - primarily through Consul which is the backend of +MSB service discovery. The following is a brief description of how this +integration will be done: + +A registrator to push the service endpoint info to MSB service +discovery. + +- The needed service endpoint info is put into the kubernetes yaml file + as annotation, including service name, Protocol,version, visual + range,LB method, IP, Port,etc. + +- OOM deploy/start/restart/scale in/scale out/upgrade ONAP components + +- Registrator watch the kubernetes event + +- When an ONAP component instance has been started/destroyed by OOM, + Registrator get the notification from kubernetes + +- Registrator parse the service endpoint info from annotation and + register/update/unregister it to MSB service discovery + +- MSB API Gateway uses the service endpoint info for service routing + and load balancing. + +Details of the registration service API can be found at \ `Microservice +Bus API +Documentation `__. + +ONAP Component Registration to MSB +---------------------------------- +The charts of all ONAP components intending to register against MSB must have +an annotation in their service(s) template. A `sdc` example follows: + +.. code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + labels: + app: sdc-be + name: sdc-be + namespace: "{{ .Values.nsPrefix }}" + annotations: + msb.onap.org/service-info: '[ + { + "serviceName": "sdc", + "version": "v1", + "url": "/sdc/v1", + "protocol": "REST", + "port": "8080", + "visualRange":"1" + }, + { + "serviceName": "sdc-deprecated", + "version": "v1", + "url": "/sdc/v1", + "protocol": "REST", + "port": "8080", + "visualRange":"1", + "path":"/sdc/v1" + } + ]' + ... 
+ + +MSB Integration with OOM +------------------------ +A preliminary view of the OOM-MSB integration is as follows: + +.. figure:: ../../resources/images/msb/MSB-OOM-Diagram.png + +A message sequence chart of the registration process: + +.. uml:: + + participant "OOM" as oom + participant "ONAP Component" as onap + participant "Service Discovery" as sd + participant "External API Gateway" as eagw + participant "Router (Internal API Gateway)" as iagw + + box "MSB" #LightBlue + participant sd + participant eagw + participant iagw + end box + + == Deploy Servcie == + + oom -> onap: Deploy + oom -> sd: Register service endpoints + sd -> eagw: Services exposed to external system + sd -> iagw: Services for internal use + + == Component Life-cycle Management == + + oom -> onap: Start/Stop/Scale/Migrate/Upgrade + oom -> sd: Update service info + sd -> eagw: Update service info + sd -> iagw: Update service info + + == Service Health Check == + + sd -> onap: Check the health of service + sd -> eagw: Update service status + sd -> iagw: Update service status + + +MSB Deployment Instructions +--------------------------- +MSB is helm installable ONAP component which is often automatically deployed. +To install it individually enter:: + + > helm install /msb + +.. note:: + TBD: Vaidate if the following procedure is still required. + +Please note that Kubernetes authentication token must be set at +*kubernetes/kube2msb/values.yaml* so the kube2msb registrator can get the +access to watch the kubernetes events and get service annotation by +Kubernetes APIs. The token can be found in the kubectl configuration file +*~/.kube/config* + +More details can be found here `MSB installation `_. + +.. MISC +.. ==== +.. Note that although OOM uses Kubernetes facilities to minimize the effort +.. required of the ONAP component owners to implement a successful rolling +.. upgrade strategy there are other considerations that must be taken into +.. consideration. +.. 
For example, external APIs - both internal and external to ONAP - should be +.. designed to gracefully accept transactions from a peer at a different +.. software version to avoid deadlock situations. Embedded version codes in +.. messages may facilitate such capabilities. +.. +.. Within each of the projects a new configuration repository contains all of +.. the project specific configuration artifacts. As changes are made within +.. the project, it's the responsibility of the project team to make appropriate +.. changes to the configuration data. diff --git a/docs/oom_hardcoded_certificates.rst b/docs/archived/oom_hardcoded_certificates.rst similarity index 100% rename from docs/oom_hardcoded_certificates.rst rename to docs/archived/oom_hardcoded_certificates.rst diff --git a/docs/archived/oom_quickstart_guide.rst b/docs/archived/oom_quickstart_guide.rst new file mode 100644 index 0000000000..4727a3e13d --- /dev/null +++ b/docs/archived/oom_quickstart_guide.rst 
@@ -0,0 +1,285 @@ +.. This work is licensed under a +.. Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2019-2020 Amdocs, Bell Canada, Orange, Samsung +.. _oom_quickstart_guide: +.. _quick-start-label: + +OOM Quick Start Guide +##################### + +.. figure:: images/oom_logo/oomLogoV2-medium.png + :align: right + +Once a Kubernetes environment is available (follow the instructions in +:ref:`cloud-setup-guide-label` if you don't have a cloud environment +available), follow the following instructions to deploy ONAP. + +**Step 1.** Clone the OOM repository from ONAP gerrit:: + + > git clone -b http://gerrit.onap.org/r/oom --recurse-submodules + > cd oom/kubernetes + +where can be an official release tag, such as + +* 4.0.0-ONAP for Dublin +* 5.0.1-ONAP for El Alto +* 6.0.0 for Frankfurt +* 7.0.0 for Guilin +* 8.0.0 for Honolulu +* 9.0.0 for Istanbul +* 10.0.0 for Jakarta +* 11.0.0 for Kohn +* 12.0.0 for London + +**Step 2.** Install Helm Plugins required to deploy ONAP:: + + > cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins + > helm plugin install https://github.com/chartmuseum/helm-push.git \ + --version 0.9.0 + +.. note:: + The ``--version 0.9.0`` is required as new version of helm (3.7.0 and up) is + now using ``push`` directly and helm-push is using ``cm-push`` starting + version ``0.10.0`` and up. + +**Step 3.** Install Chartmuseum:: + + > curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum + > chmod +x ./chartmuseum + > mv ./chartmuseum /usr/local/bin + +**Step 4.** Install Cert-Manager:: + + > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml + +More details can be found :doc:`here `. 
+ +**Step 4.1** Install Strimzi Kafka Operator: + +- Add the helm repo:: + + > helm repo add strimzi https://strimzi.io/charts/ + +- Install the operator:: + + > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version 0.28.0 --set watchAnyNamespace=true --create-namespace + +More details can be found :doc:`here `. + +**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or +an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file +to suit your deployment with items like the OpenStack tenant information. + +.. note:: + Standard and example override files (e.g. `onap-all.yaml`, `openstack.yaml`) + can be found in the `oom/kubernetes/onap/resources/overrides/` directory. + + + a. You may want to selectively enable or disable ONAP components by changing + the ``enabled: true/false`` flags. + + + b. Encrypt the OpenStack password using the shell tool for Robot and put it in + the Robot Helm charts or Robot section of `openstack.yaml` + + + c. Encrypt the OpenStack password using the java based script for SO Helm + charts or SO section of `openstack.yaml`. + + + d. Update the OpenStack parameters that will be used by Robot, SO and APPC Helm + charts or use an override file to replace them. + + e. Add in the command line a value for the global master password + (global.masterPassword). + + + +a. Enabling/Disabling Components: +Here is an example of the nominal entries that need to be provided. +We have different values file available for different contexts. + +.. literalinclude:: ../kubernetes/onap/values.yaml + :language: yaml + + +b. Generating ROBOT Encrypted Password: +The Robot encrypted Password uses the same encryption.key as SO but an +openssl algorithm that works with the python based Robot Framework. + +.. 
note:: + To generate Robot ``openStackEncryptedPasswordHere``:: + + cd so/resources/config/mso/ + /oom/kubernetes/so/resources/config/mso# echo -n "" | openssl aes-128-ecb -e -K `cat encryption.key` -nosalt | xxd -c 256 -p`` + +c. Generating SO Encrypted Password: +The SO Encrypted Password uses a java based encryption utility since the +Java encryption library is not easy to integrate with openssl/python that +Robot uses in Dublin and upper versions. + +.. note:: + To generate SO ``openStackEncryptedPasswordHere`` and ``openStackSoEncryptedPassword`` + ensure `default-jdk` is installed:: + + apt-get update; apt-get install default-jdk + + Then execute:: + + SO_ENCRYPTION_KEY=`cat ~/oom/kubernetes/so/resources/config/mso/encryption.key` + OS_PASSWORD=XXXX_OS_CLEARTESTPASSWORD_XXXX + + git clone http://gerrit.onap.org/r/integration + cd integration/deployment/heat/onap-rke/scripts + + javac Crypto.java + java Crypto "$OS_PASSWORD" "$SO_ENCRYPTION_KEY" + +d. Update the OpenStack parameters: + +There are assumptions in the demonstration VNF Heat templates about the +networking available in the environment. To get the most value out of these +templates and the automation that can help confirm the setup is correct, please +observe the following constraints. + + +``openStackPublicNetId:`` + This network should allow Heat templates to add interfaces. + This need not be an external network, floating IPs can be assigned to the + ports on the VMs that are created by the heat template but its important that + neutron allow ports to be created on them. + +``openStackPrivateNetCidr: "10.0.0.0/16"`` + This ip address block is used to assign OA&M addresses on VNFs to allow ONAP + connectivity. The demonstration Heat templates assume that 10.0 prefix can be + used by the VNFs and the demonstration ip addressing plan embodied in the + preload template prevent conflicts when instantiating the various VNFs. 
If + you need to change this, you will need to modify the preload data in the + Robot Helm chart like integration_preload_parameters.py and the + demo/heat/preload_data in the Robot container. The size of the CIDR should + be sufficient for ONAP and the VMs you expect to create. + +``openStackOamNetworkCidrPrefix: "10.0"`` + This ip prefix mush match the openStackPrivateNetCidr and is a helper + variable to some of the Robot scripts for demonstration. A production + deployment need not worry about this setting but for the demonstration VNFs + the ip asssignment strategy assumes 10.0 ip prefix. + +Example Keystone v2.0 + +.. literalinclude:: yaml/example-integration-override.yaml + :language: yaml + +Example Keystone v3 (required for Rocky and later releases) + +.. literalinclude:: yaml/example-integration-override-v3.yaml + :language: yaml + + +**Step 6.** To setup a local Helm server to server up the ONAP charts:: + + > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & + +Note the port number that is listed and use it in the Helm repo add as +follows:: + + > helm repo add local http://127.0.0.1:8879 + +**Step 7.** Verify your Helm repository setup with:: + + > helm repo list + NAME URL + local http://127.0.0.1:8879 + +**Step 8.** Build a local Helm repository (from the kubernetes directory):: + + > make SKIP_LINT=TRUE [HELM_BIN=] all ; make SKIP_LINT=TRUE [HELM_BIN=] onap + +`HELM_BIN` + Sets the helm binary to be used. The default value use helm from PATH + + +**Step 9.** Display the onap charts that available to be deployed:: + + > helm repo update + > helm search repo onap + +.. literalinclude:: helm/helm-search.txt + +.. note:: + The setup of the Helm repository is a one time activity. If you make changes + to your deployment charts or values be sure to use ``make`` to update your + local Helm repository. + +**Step 10.** Once the repo is setup, installation of ONAP can be done with a +single command + +.. 
note:: + The ``--timeout 900s`` is currently required in Dublin and later + versions up to address long running initialization tasks for DMaaP + and SO. Without this timeout value both applications may fail to + deploy. + +.. danger:: + We've added the master password on the command line. + You shouldn't put it in a file for safety reason + please don't forget to change the value to something random + + A space is also added in front of the command so "history" doesn't catch it. + This masterPassword is very sensitive, please be careful! + + +To deploy all ONAP applications use this command:: + + > cd oom/kubernetes + > helm deploy dev local/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange -f onap/resources/overrides/onap-all.yaml -f onap/resources/overrides/environment.yaml -f onap/resources/overrides/openstack.yaml --timeout 900s + +All override files may be customized (or replaced by other overrides) as per +needs. + +`onap-all.yaml` + Enables the modules in the ONAP deployment. As ONAP is very modular, it is + possible to customize ONAP and disable some components through this + configuration file. + +`onap-all-ingress-nginx-vhost.yaml` + Alternative version of the `onap-all.yaml` but with global ingress controller + enabled. It requires the cluster configured with the nginx ingress controller + and load balancer. Please use this file instead `onap-all.yaml` if you want + to use experimental ingress controller feature. + +`environment.yaml` + Includes configuration values specific to the deployment environment. + + Example: adapt readiness and liveness timers to the level of performance of + your infrastructure + +`openstack.yaml` + Includes all the OpenStack related information for the default target tenant + you want to use to deploy VNFs from ONAP and/or additional parameters for the + embedded tests. 
+ +**Step 11.** Verify ONAP installation + +Use the following to monitor your deployment and determine when ONAP is ready +for use:: + + > kubectl get pods -n onap -o=wide + +.. note:: + While all pods may be in a Running state, it is not a guarantee that all + components are running fine. + + Launch the healthcheck tests using Robot to verify that the components are + healthy:: + + > ~/oom/kubernetes/robot/ete-k8s.sh onap health + +**Step 12.** Undeploy ONAP +:: + + > helm undeploy dev + +More examples of using the deploy and undeploy plugins can be found here: +https://wiki.onap.org/display/DW/OOM+Helm+%28un%29Deploy+plugins diff --git a/docs/oom_setup_kubernetes_rancher.rst b/docs/archived/oom_setup_kubernetes_rancher.rst similarity index 100% rename from docs/oom_setup_kubernetes_rancher.rst rename to docs/archived/oom_setup_kubernetes_rancher.rst diff --git a/docs/oom_setup_paas.rst b/docs/archived/oom_setup_paas.rst similarity index 100% rename from docs/oom_setup_paas.rst rename to docs/archived/oom_setup_paas.rst diff --git a/docs/oom_user_guide.rst b/docs/archived/oom_user_guide.rst similarity index 100% rename from docs/oom_user_guide.rst rename to docs/archived/oom_user_guide.rst diff --git a/docs/shell/master_nfs_node.sh b/docs/archived/shell/master_nfs_node.sh similarity index 100% rename from docs/shell/master_nfs_node.sh rename to docs/archived/shell/master_nfs_node.sh diff --git a/docs/shell/openstack-k8s-controlnode.sh b/docs/archived/shell/openstack-k8s-controlnode.sh similarity index 100% rename from docs/shell/openstack-k8s-controlnode.sh rename to docs/archived/shell/openstack-k8s-controlnode.sh diff --git a/docs/shell/openstack-k8s-workernode.sh b/docs/archived/shell/openstack-k8s-workernode.sh similarity index 100% rename from docs/shell/openstack-k8s-workernode.sh rename to docs/archived/shell/openstack-k8s-workernode.sh 
diff --git a/docs/shell/openstack-nfs-server.sh b/docs/archived/shell/openstack-nfs-server.sh similarity index 100% rename from docs/shell/openstack-nfs-server.sh rename to docs/archived/shell/openstack-nfs-server.sh diff --git a/docs/shell/slave_nfs_node.sh b/docs/archived/shell/slave_nfs_node.sh similarity index 100% rename from docs/shell/slave_nfs_node.sh rename to docs/archived/shell/slave_nfs_node.sh diff --git a/docs/yaml/cluster.yml b/docs/archived/yaml/cluster.yml similarity index 100% rename from docs/yaml/cluster.yml rename to docs/archived/yaml/cluster.yml diff --git a/docs/archived/yaml/example-integration-override-v3.yaml b/docs/archived/yaml/example-integration-override-v3.yaml new file mode 100644 index 0000000000..2c2742cc70 --- /dev/null +++ b/docs/archived/yaml/example-integration-override-v3.yaml 
@@ -0,0 +1,54 @@ +################################################################# +# This override file configures openstack parameters for ONAP +################################################################# +robot: + enabled: true + flavor: large + # KEYSTONE Version 3 Required for Rocky and beyond + openStackKeystoneAPIVersion: "v3" + # OS_AUTH_URL without the /v3 from the openstack .RC file + openStackKeyStoneUrl: "http://10.12.25.2:5000" + # tenantID=`openstack project show $tenantName | grep -w id | awk '{print $4}'` + # where "tenantName" is OS_PROJECT_NAME from openstack .RC file + openStackTenantId: "09d8566ea45e43aa974cf447ed591d77" + # OS_USERNAME from the openstack .RC file + openStackUserName: "OS_USERNAME_HERE" + # OS_PROJECT_DOMAIN_ID from the openstack .RC file + # in some environments it is a string but in other environmens it may be a numeric + openStackDomainId: "default" + # OS_USER_DOMAIN_NAME from the openstack .RC file + openStackUserDomain: "Default" + openStackProjectName: "OPENSTACK_PROJECT_NAME_HERE" + ubuntu14Image: "ubuntu-14-04-cloud-amd64" + ubuntu16Image: "ubuntu-16-04-cloud-amd64" + # From openstack network list output + openStackPublicNetId: "971040b2-7059-49dc-b220-4fab50cb2ad4" + # From openstack network list output + openStackPrivateNetId: "83c84b68-80be-4990-8d7f-0220e3c6e5c8" + # From openstack network list output + openStackPrivateSubnetId: "e571c1d1-8ac0-4744-9b40-c3218d0a53a0" + openStackPrivateNetCidr: "10.0.0.0/16" + openStackOamNetworkCidrPrefix: "10.0" + # From openstack security group list output + openStackSecurityGroup: "bbe028dc-b64f-4f11-a10f-5c6d8d26dc89" + dcaeCollectorIp: "10.12.6.109" + # SSH public key + vnfPubKey: "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDKXDgoo3+WOqcUG8/5uUbk81+yczgwC4Y8ywTmuQqbNxlY1oQ0YxdMUqUnhitSXs5S/yRuAVOYHwGg2mCs20oAINrP+mxBI544AMIb9itPjCtgqtE2EWo6MmnFGbHB4Sx3XioE7F4VPsh7japsIwzOjbrQe+Mua1TGQ5d4nfEOQaaglXLLPFfuc7WbhbJbK6Q7rHqZfRcOwAMXgDoBqlyqKeiKwnumddo2RyNT8ljYmvB6buz7KnMinzo7qB0uktVT05FH9Rg0CTWH5norlG5qXgP2aukL0gk1ph8iAt7uYLf1ktp+LJI2gaF6L0/qli9EmVCSLr1uJ38Q8CBflhkh" + demoArtifactsVersion: "1.4.0" + demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" + scriptVersion: "1.4.0" + # rancher node IP where RKE configired + rancherIpAddress: "10.12.6.160" + config: + # use the python utility to encrypt the OS_PASSWORD for the OS_USERNAME + openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PYTHON_PASSWORD_HERE_XXXXXXXXXXXXXXXX" + openStackSoEncryptedPassword: "YYYYYYYYYYYYYYYYYYYYYYYY_OPENSTACK_JAVA_PASSWORD_HERE_YYYYYYYYYYYYYYYY" +so: + enabled: true + so-catalog-db-adapter: + config: + openStackUserName: "OS_USERNAME_HERE" + # OS_AUTH_URL (keep the /v3) from the openstack .RC file + openStackKeyStoneUrl: "http://10.12.25.2:5000/v3" + # use the SO Java utility to encrypt the OS_PASSWORD for the OS_USERNAME + openStackEncryptedPasswordHere: "YYYYYYYYYYYYYYYYYYYYYYYY_OPENSTACK_JAVA_PASSWORD_HERE_YYYYYYYYYYYYYYYY" diff --git a/docs/archived/yaml/example-integration-override.yaml b/docs/archived/yaml/example-integration-override.yaml new file mode 100644 index 0000000000..46e18fce8f --- /dev/null +++ b/docs/archived/yaml/example-integration-override.yaml 
@@ -0,0 +1,42 @@ +################################################################# +# This override file configures openstack parameters for ONAP +################################################################# +robot: + # OS_AUTH_URL without the /v2.0 from the openstack .RC file + openStackKeyStoneUrl: "http://10.12.25.2:5000" + # From openstack network list output + openStackPublicNetId: "971040b2-7059-49dc-b220-4fab50cb2ad4" + # tenantID=`openstack project show $tenantName | grep -w id | awk '{print $4}'` + # where "tenantName" is OS_PROJECT_NAME from openstack .RC file + openStackTenantId: "09d8566ea45e43aa974cf447ed591d77" + openStackUserName: "OPENSTACK_USERNAME_HERE" + ubuntu14Image: "ubuntu-14-04-cloud-amd64" + ubuntu16Image: "ubuntu-16-04-cloud-amd64" + # From openstack network list output + openStackPrivateNetId: "c7824f00-bef7-4864-81b9-f6c3afabd313" + # From openstack network list output + openStackPrivateSubnetId: "2a0e8888-f93e-4615-8d28-fc3d4d087fc3" + openStackPrivateNetCidr: "10.0.0.0/16" + # From openstack security group list output + openStackSecurityGroup: "3a7a1e7e-6d15-4264-835d-fab1ae81e8b0" + openStackOamNetworkCidrPrefix: "10.0" + # Control node IP + dcaeCollectorIp: "10.12.6.88" + # SSH public key + vnfPubKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKXDgoo3+WOqcUG8/5uUbk81+yczgwC4Y8ywTmuQqbNxlY1oQ0YxdMUqUnhitSXs5S/yRuAVOYHwGg2mCs20oAINrP+mxBI544AMIb9itPjCtgqtE2EWo6MmnFGbHB4Sx3XioE7F4VPsh7japsIwzOjbrQe+Mua1TGQ5d4nfEOQaaglXLLPFfuc7WbhbJbK6Q7rHqZfRcOwAMXgDoBqlyqKeiKwnumddo2RyNT8ljYmvB6buz7KnMinzo7qB0uktVT05FH9Rg0CTWH5norlG5qXgP2aukL0gk1ph8iAt7uYLf1ktp+LJI2gaF6L0/qli9EmVCSLr1uJ38Q8CBflhkh" + demoArtifactsVersion: "1.4.0-SNAPSHOT" + demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" + scriptVersion: "1.4.0-SNAPSHOT" + # rancher node IP where RKE configired + rancherIpAddress: "10.12.5.127" + config: + # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per 
environment + openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" +so: + # so server configuration + so-catalog-db-adapter: + config: + openStackUserName: "OPENSTACK_USERNAME_HERE" + # OS_AUTH_URL from the openstack .RC file + openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" + openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" diff --git a/docs/certs/hardcoded_certificates.csv b/docs/certs/hardcoded_certificates.csv deleted file mode 100644 index fbc7db3e11..0000000000 --- a/docs/certs/hardcoded_certificates.csv +++ /dev/null @@ -1,18 +0,0 @@ -Project,ONAP Certificate,Own Certificate,MSB Certificate,Path -AAF,No,Yes,No,aaf/charts/aaf-cert-service/resources/ -AAF,Yes,No,No,aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem -AAI,Yes,No,No,aai/oom/resources/config/aai/aai_keystore -AAI/SEARCH-DATA,Yes,No,No,aai/oom/components/aai-search-data/resources/config/auth/tomcat_keystore -AAI/SPARKY-BE,Yes,No,No,aai/oom/components/aai-spary-be/resources/config/auth/org.onap.aai.p12 -AAI/BABEL,No,Yes,No,aai/oom/components/aai-babel/resources/config/auth/tomcat_keystore -AAI/MODEL-LOADER,Yes,Yes,No,aai/oom/components/aai-model-loaderresources/config/auth/tomcat_keystore -APPC,Yes,No,No,kubernetes/appc/resources/config/certs/org.onap.appc.keyfile -APPC,Yes,No,No,kubernetes/appc/resources/config/certs/org.onap.appc.p12 -certInitializer,Yes,No,No,kubernetes/common/certInitializer/resources -DMaaP/MR,Yes,No,No,Hardcoded in container -HOLMES,No,Yes,No,Hardcoded in container -MULTICLOUD,No,Yes,No,Hardcoded in container -Robot,Yes,No,No,kubernetes/robot/resources/config/lighttpd/ssl/onap-robot.onap.* -SDC,Yes,No?,No?,kubernetes/sdc/resources/cert -VID,Yes,No,No,Hardcoded in container -UUI,No,Yes,No,Hardcoded in container diff --git a/docs/conf.py b/docs/conf.py index 3b28eb74a8..16ad9a9fc8 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -1,15 +1,61 @@ -from docs_conf.conf import * +project = "onap" +release = "master" +version = "master" -branch = 'latest' -master_doc = 'index' +author = "Open Network Automation Platform" +# yamllint disable-line rule:line-length +copyright = "ONAP. Licensed under Creative Commons Attribution 4.0 International License" -linkcheck_ignore = [ - 'http://localhost', +pygments_style = "sphinx" +html_theme = "sphinx_rtd_theme" +html_theme_options = { + "style_nav_header_background": "white", + "sticky_navigation": "False" } +html_logo = "_static/logo_onap_2017.png" +html_favicon = "_static/favicon.ico" +html_static_path = ["_static"] +html_show_sphinx = False + +extensions = [ + 'sphinx.ext.intersphinx', + 'sphinx.ext.graphviz', + 'sphinxcontrib.blockdiag', + 'sphinxcontrib.seqdiag', + 'sphinxcontrib.swaggerdoc', + 'sphinxcontrib.plantuml', + 'sphinx_toolbox.collapse' ] +exclude_patterns = ['archived/*.rst', '.tox'] +# +# Map to 'latest' if this file is used in 'latest' (master) 'doc' branch. +# Change to {releasename} after you have created the new 'doc' branch. +# + +branch = 'master' + intersphinx_mapping = {} +doc_url = 'https://docs.onap.org/projects' +master_doc = 'index' + +spelling_word_list_filename='spelling_wordlist.txt' +spelling_lang = "en_GB" + +# +# Example: +# intersphinx_mapping['onap-aai-aai-common'] = ('{}/onap-aai-aai-common/en/%s'.format(doc_url) % branch, None) +# html_last_updated_fmt = '%d-%b-%y %H:%M' + def setup(app): - app.add_css_file("css/ribbon_onap.css") + app.add_css_file("css/ribbon.css") + + +linkcheck_ignore = [ + "https://istio-release.storage.googleapis.com/charts", + "https://charts.bitnami.com/bitnami", + "https://codecentric.github.io/helm-charts", + r'http://localhost:\d+/' +] diff --git a/docs/conf.yaml b/docs/conf.yaml deleted file mode 100644 index ab5928131c..0000000000 --- a/docs/conf.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -project_cfg: onap -project: onap - -# Change this to ReleaseBranchName to modify the header -default-version: latest -# diff --git a/docs/helm/helm-search.txt b/docs/helm/helm-search.txt deleted file mode 100644 index 75c274957b..0000000000 --- a/docs/helm/helm-search.txt +++ /dev/null 
@@ -1,42 +0,0 @@ -NAME CHART VERSION APP VERSION DESCRIPTION -local/onap 11.0.0 Kohn Open Network Automation Platform (ONAP) -local/aaf 11.0.0 ONAP Application Authorization Framework -local/aai 11.0.0 ONAP Active and Available Inventory -local/appc 11.0.0 Application Controller -local/cassandra 11.0.0 ONAP cassandra -local/cds 11.0.0 ONAP Controller Design Studio (CDS) -local/clamp 11.0.0 ONAP Clamp -local/cli 11.0.0 ONAP Command Line Interface -local/common 11.0.0 Common templates for inclusion in other charts -local/consul 11.0.0 ONAP Consul Agent -local/contrib 11.0.0 ONAP optional tools -local/cps 11.0.0 ONAP Configuration Persistene Service (CPS) -local/dcaegen2 11.0.0 ONAP DCAE Gen2 -local/dgbuilder 11.0.0 D.G. Builder application -local/dmaap 11.0.0 ONAP DMaaP components -local/log 11.0.0 ONAP Logging ElasticStack -local/mariadb-galera 11.0.0 Chart for MariaDB Galera cluster -local/mongo 11.0.0 MongoDB Server -local/msb 11.0.0 ONAP MicroServices Bus -local/multicloud 11.0.0 ONAP multicloud broker -local/music 11.0.0 MUSIC - Multi-site State Coordination Service -local/mysql 11.0.0 MySQL Server -local/nbi 11.0.0 ONAP Northbound Interface -local/network-name-gen 11.0.0 Name Generation Micro Service -local/nfs-provisioner 11.0.0 NFS provisioner -local/oof 11.0.0 ONAP Optimization Framework -local/policy 11.0.0 ONAP Policy Administration Point -local/pomba 11.0.0 ONAP Post Orchestration Model Based Audit -local/portal 11.0.0 ONAP Web Portal -local/postgres 11.0.0 ONAP Postgres Server -local/robot 11.0.0 A helm Chart for kubernetes-ONAP Robot -local/sdc 11.0.0 Service Design and Creation Umbrella Helm charts -local/sdnc 11.0.0 SDN Controller -local/sdnc-prom 11.0.0 ONAP SDNC Policy Driven Ownership Management -local/sniro-emulator 11.0.0 ONAP Mock Sniro Emulator -local/so 11.0.0 ONAP Service Orchestrator -local/strimzi 11.0.0 ONAP Strimzi Apache Kafka -local/uui 11.0.0 ONAP uui -local/vfc 11.0.0 ONAP Virtual Function Controller (VF-C) -local/vid 11.0.0 ONAP 
Virtual Infrastructure Deployment -local/vnfsdk 11.0.0 ONAP VNF SDK diff --git a/docs/index.rst b/docs/index.rst index 94a4bf00e5..e889e0664c 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -2,20 +2,20 @@ .. International License. .. http://creativecommons.org/licenses/by/4.0 .. Copyright 2018-2021 Amdocs, Bell Canada, Orange, Samsung, Nokia -.. _master_index: +.. Modification copyright (C) 2022 Nordix Foundation +.. _master_index: OOM Documentation Repository ---------------------------- .. toctree:: :maxdepth: 2 - oom_project_description.rst - oom_quickstart_guide.rst - oom_user_guide.rst - oom_setup_paas.rst - oom_developer_guide.rst - oom_cloud_setup_guide.rst - release_notes/release-notes.rst - oom_setup_kubernetes_rancher.rst - oom_setup_ingress_controller.rst + sections/oom_project_description.rst + sections/guides/development_guides/oom_development.rst + sections/guides/infra_guides/oom_infra.rst + sections/guides/deployment_guides/oom_deployment.rst + sections/guides/user_guides/oom_user_guide.rst + sections/guides/access_guides/oom_access_info.rst + sections/release_notes/release-notes.rst + diff --git a/docs/oom_cloud_setup_guide.rst b/docs/oom_cloud_setup_guide.rst deleted file mode 100644 index 69062894cf..0000000000 --- a/docs/oom_cloud_setup_guide.rst +++ /dev/null 
@@ -1,113 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2019-2020 Amdocs, Bell Canada, Orange, Samsung -.. _oom_cloud_setup_guide: - -.. Links -.. _Microsoft Azure: https://wiki.onap.org/display/DW/Cloud+Native+Deployment#CloudNativeDeployment-MicrosoftAzure -.. _Amazon AWS: https://wiki.onap.org/display/DW/Cloud+Native+Deployment#CloudNativeDeployment-AmazonAWS -.. _Google GCE: https://wiki.onap.org/display/DW/Cloud+Native+Deployment#CloudNativeDeployment-GoogleGCE -.. _VMware VIO: https://wiki.onap.org/display/DW/ONAP+on+VMware+Integrated+OpenStack+-+Container+Orchestration -.. _OpenStack: https://wiki.onap.org/display/DW/ONAP+on+Kubernetes+on+OpenStack?src=contextnavpagetreemode -.. _Setting Up Kubernetes with Rancher: https://wiki.onap.org/display/DW/Cloud+Native+Deployment -.. _Setting Up Kubernetes with Kubeadm: https://wiki.onap.org/display/DW/Deploying+Kubernetes+Cluster+with+kubeadm -.. _Cloud Native Deployment Wiki: https://wiki.onap.org/display/DW/Cloud+Native+Deployment -.. _ONAP Development - 110 pod limit Wiki: https://wiki.onap.org/display/DW/ONAP+Development#ONAPDevelopment-Changemax-podsfromdefault110podlimit - -.. figure:: images/oom_logo/oomLogoV2-medium.png - :align: right - -.. _cloud-setup-guide-label: - -OOM Cloud Setup Guide -##################### - -OOM deploys and manages ONAP on a pre-established Kubernetes_ cluster - the -creation of this cluster is outside of the scope of the OOM project as there -are many options including public clouds with pre-established environments. -However, this guide includes instructions for how to create and use some of the -more popular environments which could be used to host ONAP. If creation of a -Kubernetes cluster is required, the life-cycle of this cluster is independent -of the life-cycle of the ONAP components themselves. 
Much like an OpenStack -environment, the Kubernetes environment may be used for an extended period of -time, possibly spanning multiple ONAP releases. - -.. note:: - Inclusion of a cloud technology or provider in this guide does not imply an - endorsement. - -.. _Kubernetes: https://kubernetes.io/ - -Software Requirements -===================== - -The versions of Kubernetes that are supported by OOM are as follows: - -.. table:: OOM Software Requirements - - ============== =========== ======= ======== ======== ============ - Release Kubernetes Helm kubectl Docker Cert-Manager - ============== =========== ======= ======== ======== ============ - amsterdam 1.7.x 2.3.x 1.7.x 1.12.x - beijing 1.8.10 2.8.2 1.8.10 17.03.x - casablanca 1.11.5 2.9.1 1.11.5 17.03.x - dublin 1.13.5 2.12.3 1.13.5 18.09.5 - el alto 1.15.2 2.14.2 1.15.2 18.09.x - frankfurt 1.15.9 2.16.6 1.15.11 18.09.x - guilin 1.15.11 2.16.10 1.15.11 18.09.x - honolulu 1.19.9 3.5.2 1.19.9 19.03.x 1.2.0 - Istanbul 1.19.11 3.6.3 1.19.11 19.03.x 1.5.4 - Jakarta 1.22.4 3.6.3 1.22.4 20.10.x 1.5.4 - ============== =========== ======= ======== ======== ============ - -Minimum Hardware Configuration -============================== - -The hardware requirements are provided below. Note that this is for a -full ONAP deployment (all components). Customizing ONAP to deploy only -components that are needed will drastically reduce the requirements. - -.. table:: OOM Hardware Requirements - - ===== ===== ====== ==================== - RAM HD vCores Ports - ===== ===== ====== ==================== - 224GB 160GB 112 0.0.0.0/0 (all open) - ===== ===== ====== ==================== - -.. note:: - Kubernetes supports a maximum of 110 pods per node - configurable in the - --max-pods=n setting off the "additional kubelet flags" box in the kubernetes - template window described in 'ONAP Development - 110 pod limit Wiki' - - this limit does not need to be modified . 
The use of many small nodes is - preferred over a few larger nodes (for example 14x16GB - 8 vCores each). - Subsets of ONAP may still be deployed on a single node. - -Cloud Installation -================== - -.. #. OOM supports deployment on major public clouds. The following guides -.. provide instructions on how to deploy ONAP on these clouds: -.. -.. - `Microsoft Azure`_, -.. - `Amazon AWS`_, -.. - `Google GCE`_, -.. - `VMware VIO`_, -.. - IBM, and -.. - `Openstack`_. -.. -.. #. Alternatively, OOM can be deployed on a private set of physical hosts or -.. VMs (or even a combination of the two). The following guides describe how -.. to create a Kubernetes cluster with popular tools: -.. -.. - `Setting up Kubernetes with Rancher`_ (recommended) -.. - `Setting up Kubernetes with Kubeadm`_ -.. - `Setting up Kubernetes with Cloudify`_ - -OOM can be deployed on a private set of physical hosts or VMs (or even a -combination of the two). The following guide describe the recommended method to -setup a Kubernetes cluster: :ref:`onap-on-kubernetes-with-rancher`. - -There are alternative deployment methods described on the -`Cloud Native Deployment Wiki`_ diff --git a/docs/oom_developer_guide.rst b/docs/oom_developer_guide.rst deleted file mode 100644 index 8df8e74acd..0000000000 --- a/docs/oom_developer_guide.rst +++ /dev/null 
@@ -1,1148 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung - -.. Links -.. _Helm: https://docs.helm.sh/ -.. _Helm Charts: https://github.com/kubernetes/charts -.. _Kubernetes: https://Kubernetes.io/ -.. _Docker: https://www.docker.com/ -.. _Nexus: https://nexus.onap.org/ -.. _AWS Elastic Block Store: https://aws.amazon.com/ebs/ -.. _Azure File: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction -.. _GCE Persistent Disk: https://cloud.google.com/compute/docs/disks/ -.. _Gluster FS: https://www.gluster.org/ -.. _Kubernetes Storage Class: https://Kubernetes.io/docs/concepts/storage/storage-classes/ -.. _Assigning Pods to Nodes: https://Kubernetes.io/docs/concepts/configuration/assign-pod-node/ - - -.. _developer-guide-label: - -OOM Developer Guide -################### - -.. figure:: images/oom_logo/oomLogoV2-medium.png - :align: right - -ONAP consists of a large number of components, each of which are substantial -projects within themselves, which results in a high degree of complexity in -deployment and management. To cope with this complexity the ONAP Operations -Manager (OOM) uses a Helm_ model of ONAP - Helm being the primary management -system for Kubernetes_ container systems - to drive all user driven life-cycle -management operations. The Helm model of ONAP is composed of a set of -hierarchical Helm charts that define the structure of the ONAP components and -the configuration of these components. These charts are fully parameterized -such that a single environment file defines all of the parameters needed to -deploy ONAP. A user of ONAP may maintain several such environment files to -control the deployment of ONAP in multiple environments such as development, -pre-production, and production. - -The following sections describe how the ONAP Helm charts are constructed. 
- -.. contents:: - :depth: 3 - :local: -.. - -Container Background -==================== -Linux containers allow for an application and all of its operating system -dependencies to be packaged and deployed as a single unit without including a -guest operating system as done with virtual machines. The most popular -container solution is Docker_ which provides tools for container management -like the Docker Host (dockerd) which can create, run, stop, move, or delete a -container. Docker has a very popular registry of containers images that can be -used by any Docker system; however, in the ONAP context, Docker images are -built by the standard CI/CD flow and stored in Nexus_ repositories. OOM uses -the "standard" ONAP docker containers and three new ones specifically created -for OOM. - -Containers are isolated from each other primarily via name spaces within the -Linux kernel without the need for multiple guest operating systems. As such, -multiple containers can be deployed with little overhead such as all of ONAP -can be deployed on a single host. With some optimization of the ONAP components -(e.g. elimination of redundant database instances) it may be possible to deploy -ONAP on a single laptop computer. - -Helm Charts -=========== -A Helm chart is a collection of files that describe a related set of Kubernetes -resources. A simple chart might be used to deploy something simple, like a -memcached pod, while a complex chart might contain many micro-service arranged -in a hierarchy as found in the `aai` ONAP component. - -Charts are created as files laid out in a particular directory tree, then they -can be packaged into versioned archives to be deployed. There is a public -archive of `Helm Charts`_ on GitHub that includes many technologies applicable -to ONAP. Some of these charts have been used in ONAP and all of the ONAP charts -have been created following the guidelines provided. - -The top level of the ONAP charts is shown below: - -.. 
code-block:: bash - - common - ├── cassandra - │   ├── Chart.yaml - │   ├── resources - │   │   ├── config - │   │   │   └── docker-entrypoint.sh - │   │   ├── exec.py - │   │   └── restore.sh - │   ├── templates - │   │   ├── backup - │   │   │   ├── configmap.yaml - │   │   │   ├── cronjob.yaml - │   │   │   ├── pv.yaml - │   │   │   └── pvc.yaml - │   │   ├── configmap.yaml - │   │   ├── pv.yaml - │   │   ├── service.yaml - │   │   └── statefulset.yaml - │   └── values.yaml - ├── common - │   ├── Chart.yaml - │   ├── templates - │   │   ├── _createPassword.tpl - │   │   ├── _ingress.tpl - │   │   ├── _labels.tpl - │   │   ├── _mariadb.tpl - │   │   ├── _name.tpl - │   │   ├── _namespace.tpl - │   │   ├── _repository.tpl - │   │   ├── _resources.tpl - │   │   ├── _secret.yaml - │   │   ├── _service.tpl - │   │   ├── _storage.tpl - │   │   └── _tplValue.tpl - │   └── values.yaml - ├── ... - └── postgres-legacy -    ├── Chart.yaml - ├── charts - └── configs - -The common section of charts consists of a set of templates that assist with -parameter substitution (`_name.tpl`, `_namespace.tpl` and others) and a set of -charts for components used throughout ONAP. When the common components are used -by other charts they are instantiated each time or we can deploy a shared -instances for several components. - -All of the ONAP components have charts that follow the pattern shown below: - -.. 
code-block:: bash - - name-of-my-component - ├── Chart.yaml - ├── component - │   └── subcomponent-folder - ├── charts - │   └── subchart-folder - ├── resources - │   ├── folder1 - │   │   ├── file1 - │   │   └── file2 - │   └── folder1 - │   ├── file3 - │   └── folder3 - │      └── file4 - ├── templates - │   ├── NOTES.txt - │   ├── configmap.yaml - │   ├── deployment.yaml - │   ├── ingress.yaml - │   ├── job.yaml - │   ├── secrets.yaml - │   └── service.yaml - └── values.yaml - -Note that the component charts / components may include a hierarchy of sub -components and in themselves can be quite complex. - -You can use either `charts` or `components` folder for your subcomponents. -`charts` folder means that the subcomponent will always been deployed. - -`components` folders means we can choose if we want to deploy the -subcomponent. - -This choice is done in root `values.yaml`: - -.. code-block:: yaml - - --- - global: - key: value - - component1: - enabled: true - component2: - enabled: true - -Then in `Chart.yaml` dependencies section, you'll use these values: - -.. code-block:: yaml - - --- - dependencies: - - name: common - version: ~x.y-0 - repository: '@local' - - name: component1 - version: ~x.y-0 - repository: 'file://components/component1' - condition: component1.enabled - - name: component2 - version: ~x.y-0 - repository: 'file://components/component2' - condition: component2.enabled - -Configuration of the components varies somewhat from component to component but -generally follows the pattern of one or more `configmap.yaml` files which can -directly provide configuration to the containers in addition to processing -configuration files stored in the `config` directory. It is the responsibility -of each ONAP component team to update these configuration files when changes -are made to the project containers that impact configuration. 
- -The following section describes how the hierarchical ONAP configuration system -is key to management of such a large system. - -Configuration Management -======================== - -ONAP is a large system composed of many components - each of which are complex -systems in themselves - that needs to be deployed in a number of different -ways. For example, within a single operator's network there may be R&D -deployments under active development, pre-production versions undergoing system -testing and production systems that are operating live networks. Each of these -deployments will differ in significant ways, such as the version of the -software images deployed. In addition, there may be a number of application -specific configuration differences, such as operating system environment -variables. The following describes how the Helm configuration management -system is used within the OOM project to manage both ONAP infrastructure -configuration as well as ONAP components configuration. - -One of the artifacts that OOM/Kubernetes uses to deploy ONAP components is the -deployment specification, yet another yaml file. Within these deployment specs -are a number of parameters as shown in the following example: - -.. 
code-block:: yaml - - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app.kubernetes.io/name: zookeeper - helm.sh/chart: zookeeper - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Tiller - app.kubernetes.io/instance: onap-oof - name: onap-oof-zookeeper - namespace: onap - spec: - <...> - replicas: 3 - selector: - matchLabels: - app.kubernetes.io/name: zookeeper - app.kubernetes.io/component: server - app.kubernetes.io/instance: onap-oof - serviceName: onap-oof-zookeeper-headless - template: - metadata: - labels: - app.kubernetes.io/name: zookeeper - helm.sh/chart: zookeeper - app.kubernetes.io/component: server - app.kubernetes.io/managed-by: Tiller - app.kubernetes.io/instance: onap-oof - spec: - <...> - affinity: - containers: - - name: zookeeper - <...> - image: gcr.io/google_samples/k8szk:v3 - imagePullPolicy: Always - <...> - ports: - - containerPort: 2181 - name: client - protocol: TCP - - containerPort: 3888 - name: election - protocol: TCP - - containerPort: 2888 - name: server - protocol: TCP - <...> - -Note that within the statefulset specification, one of the container arguments -is the key/value pair image: gcr.io/google_samples/k8szk:v3 which -specifies the version of the zookeeper software to deploy. Although the -statefulset specifications greatly simplify statefulset, maintenance of the -statefulset specifications themselves become problematic as software versions -change over time or as different versions are required for different -statefulsets. For example, if the R&D team needs to deploy a newer version of -mariadb than what is currently used in the production environment, they would -need to clone the statefulset specification and change this value. Fortunately, -this problem has been solved with the templating capabilities of Helm. 
- -The following example shows how the statefulset specifications are modified to -incorporate Helm templates such that key/value pairs can be defined outside of -the statefulset specifications and passed during instantiation of the component. - -.. code-block:: yaml - - apiVersion: apps/v1 - kind: StatefulSet - metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} - spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: {{- include "common.matchLabels" . | nindent 6 }} - # serviceName is only needed for StatefulSet - # put the postfix part only if you have add a postfix on the service name - serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} - <...> - template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} - annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - name: {{ include "common.name" . }} - spec: - <...> - containers: - - name: {{ include "common.name" . }} - image: {{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - {{- range $index, $port := .Values.service.ports }} - - containerPort: {{ $port.port }} - name: {{ $port.name }} - {{- end }} - {{- range $index, $port := .Values.service.headlessPorts }} - - containerPort: {{ $port.port }} - name: {{ $port.name }} - {{- end }} - <...> - -This version of the statefulset specification has gone through the process of -templating values that are likely to change between statefulsets. Note that the -image is now specified as: image: {{ .Values.image }} instead of a -string used previously. During the statefulset phase, Helm (actually the Helm -sub-component Tiller) substitutes the {{ .. }} entries with a variable defined -in a values.yaml file. The content of this file is as follows: - -.. 
code-block:: yaml - - <...> - image: gcr.io/google_samples/k8szk:v3 - replicaCount: 3 - <...> - - -Within the values.yaml file there is an image key with the value -`gcr.io/google_samples/k8szk:v3` which is the same value used in -the non-templated version. Once all of the substitutions are complete, the -resulting statefulset specification ready to be used by Kubernetes. - -When creating a template consider the use of default values if appropriate. -Helm templating has built in support for DEFAULT values, here is -an example: - -.. code-block:: yaml - - imagePullSecrets: - - name: "{{ .Values.nsPrefix | default "onap" }}-docker-registry-key" - -The pipeline operator ("|") used here hints at that power of Helm templates in -that much like an operating system command line the pipeline operator allow -over 60 Helm functions to be embedded directly into the template (note that the -Helm template language is a superset of the Go template language). These -functions include simple string operations like upper and more complex flow -control operations like if/else. - -OOM is mainly helm templating. In order to have consistent deployment of the -different components of ONAP, some rules must be followed. - -Templates are provided in order to create Kubernetes resources (Secrets, -Ingress, Services, ...) or part of Kubernetes resources (names, labels, -resources requests and limits, ...). - -a full list and simple description is done in -`kubernetes/common/common/documentation.rst`. - -Service template ----------------- - -In order to create a Service for a component, you have to create a file (with -`service` in the name. -For normal service, just put the following line: - -.. code-block:: yaml - - {{ include "common.service" . }} - -For headless service, the line to put is the following: - -.. code-block:: yaml - - {{ include "common.headlessService" . }} - -The configuration of the service is done in component `values.yaml`: - -.. 
code-block:: yaml - - service: - name: NAME-OF-THE-SERVICE - postfix: MY-POSTFIX - type: NodePort - annotations: - someAnnotationsKey: value - ports: - - name: tcp-MyPort - port: 5432 - nodePort: 88 - - name: http-api - port: 8080 - nodePort: 89 - - name: https-api - port: 9443 - nodePort: 90 - -`annotations` and `postfix` keys are optional. -if `service.type` is `NodePort`, then you have to give `nodePort` value for your -service ports (which is the end of the computed nodePort, see example). - -It would render the following Service Resource (for a component named -`name-of-my-component`, with version `x.y.z`, helm deployment name -`my-deployment` and `global.nodePortPrefix` `302`): - -.. code-block:: yaml - - apiVersion: v1 - kind: Service - metadata: - annotations: - someAnnotationsKey: value - name: NAME-OF-THE-SERVICE-MY-POSTFIX - labels: - app.kubernetes.io/name: name-of-my-component - helm.sh/chart: name-of-my-component-x.y.z - app.kubernetes.io/instance: my-deployment-name-of-my-component - app.kubernetes.io/managed-by: Tiller - spec: - ports: - - port: 5432 - targetPort: tcp-MyPort - nodePort: 30288 - - port: 8080 - targetPort: http-api - nodePort: 30289 - - port: 9443 - targetPort: https-api - nodePort: 30290 - selector: - app.kubernetes.io/name: name-of-my-component - app.kubernetes.io/instance: my-deployment-name-of-my-component - type: NodePort - -In the deployment or statefulSet file, you needs to set the good labels in -order for the service to match the pods. - -here's an example to be sure it matches (for a statefulSet): - -.. code-block:: yaml - - apiVersion: apps/v1 - kind: StatefulSet - metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} - spec: - selector: - matchLabels: {{- include "common.matchLabels" . 
| nindent 6 }} - # serviceName is only needed for StatefulSet - # put the postfix part only if you have add a postfix on the service name - serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} - <...> - template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} - annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - name: {{ include "common.name" . }} - spec: - <...> - containers: - - name: {{ include "common.name" . }} - ports: - {{- range $index, $port := .Values.service.ports }} - - containerPort: {{ $port.port }} - name: {{ $port.name }} - {{- end }} - {{- range $index, $port := .Values.service.headlessPorts }} - - containerPort: {{ $port.port }} - name: {{ $port.name }} - {{- end }} - <...> - -The configuration of the service is done in component `values.yaml`: - -.. code-block:: yaml - - service: - name: NAME-OF-THE-SERVICE - headless: - postfix: NONE - annotations: - anotherAnnotationsKey : value - publishNotReadyAddresses: true - headlessPorts: - - name: tcp-MyPort - port: 5432 - - name: http-api - port: 8080 - - name: https-api - port: 9443 - -`headless.annotations`, `headless.postfix` and -`headless.publishNotReadyAddresses` keys are optional. - -If `headless.postfix` is not set, then we'll add `-headless` at the end of the -service name. - -If it set to `NONE`, there will be not postfix. - -And if set to something, it will add `-something` at the end of the service -name. - -It would render the following Service Resource (for a component named -`name-of-my-component`, with version `x.y.z`, helm deployment name -`my-deployment` and `global.nodePortPrefix` `302`): - -.. 
code-block:: yaml - - apiVersion: v1 - kind: Service - metadata: - annotations: - anotherAnnotationsKey: value - name: NAME-OF-THE-SERVICE - labels: - app.kubernetes.io/name: name-of-my-component - helm.sh/chart: name-of-my-component-x.y.z - app.kubernetes.io/instance: my-deployment-name-of-my-component - app.kubernetes.io/managed-by: Tiller - spec: - clusterIP: None - ports: - - port: 5432 - targetPort: tcp-MyPort - nodePort: 30288 - - port: 8080 - targetPort: http-api - nodePort: 30289 - - port: 9443 - targetPort: https-api - nodePort: 30290 - publishNotReadyAddresses: true - selector: - app.kubernetes.io/name: name-of-my-component - app.kubernetes.io/instance: my-deployment-name-of-my-component - type: ClusterIP - -Previous example of StatefulSet would also match (except for the `postfix` part -obviously). - -Creating Deployment or StatefulSet ----------------------------------- - -Deployment and StatefulSet should use the `apps/v1` (which has appeared in -v1.9). -As seen on the service part, the following parts are mandatory: - -.. code-block:: yaml - - apiVersion: apps/v1 - kind: StatefulSet - metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} - spec: - selector: - matchLabels: {{- include "common.matchLabels" . | nindent 6 }} - # serviceName is only needed for StatefulSet - # put the postfix part only if you have add a postfix on the service name - serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} - <...> - template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} - annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - name: {{ include "common.name" . }} - spec: - <...> - containers: - - name: {{ include "common.name" . 
}} - -ONAP Application Configuration ------------------------------- - -Dependency Management ---------------------- -These Helm charts describe the desired state -of an ONAP deployment and instruct the Kubernetes container manager as to how -to maintain the deployment in this state. These dependencies dictate the order -in-which the containers are started for the first time such that such -dependencies are always met without arbitrary sleep times between container -startups. For example, the SDC back-end container requires the Elastic-Search, -Cassandra and Kibana containers within SDC to be ready and is also dependent on -DMaaP (or the message-router) to be ready - where ready implies the built-in -"readiness" probes succeeded - before becoming fully operational. When an -initial deployment of ONAP is requested the current state of the system is NULL -so ONAP is deployed by the Kubernetes manager as a set of Docker containers on -one or more predetermined hosts. The hosts could be physical machines or -virtual machines. When deploying on virtual machines the resulting system will -be very similar to "Heat" based deployments, i.e. Docker containers running -within a set of VMs, the primary difference being that the allocation of -containers to VMs is done dynamically with OOM and statically with "Heat". -Example SO deployment descriptor file shows SO's dependency on its mariadb -data-base component: - -SO deployment specification excerpt: - -.. code-block:: yaml - - apiVersion: apps/v1 - kind: Deployment - metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} - spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: {{- include "common.matchLabels" . | nindent 6 }} - template: - metadata: - labels: - app: {{ include "common.name" . 
}} - release: {{ .Release.Name }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - so-mariadb - env: - ... - -Kubernetes Container Orchestration -================================== -The ONAP components are managed by the Kubernetes_ container management system -which maintains the desired state of the container system as described by one -or more deployment descriptors - similar in concept to OpenStack HEAT -Orchestration Templates. The following sections describe the fundamental -objects managed by Kubernetes, the network these components use to communicate -with each other and other entities outside of ONAP and the templates that -describe the configuration and desired state of the ONAP components. - -Name Spaces ------------ -Within the namespaces are Kubernetes services that provide external -connectivity to pods that host Docker containers. - -ONAP Components to Kubernetes Object Relationships --------------------------------------------------- -Kubernetes deployments consist of multiple objects: - -- **nodes** - a worker machine - either physical or virtual - that hosts - multiple containers managed by Kubernetes. -- **services** - an abstraction of a logical set of pods that provide a - micro-service. -- **pods** - one or more (but typically one) container(s) that provide specific - application functionality. -- **persistent volumes** - One or more permanent volumes need to be established - to hold non-ephemeral configuration and state data. - -The relationship between these objects is shown in the following figure: - -.. .. uml:: -.. -.. @startuml -.. node PH { -.. component Service { -.. component Pod0 -.. component Pod1 -.. } -.. } -.. -.. database PV -.. @enduml - -.. figure:: images/k8s/kubernetes_objects.png - -OOM uses these Kubernetes objects as described in the following sections. - -Nodes -~~~~~ -OOM works with both physical and virtual worker machines. 
- -* Virtual Machine Deployments - If ONAP is to be deployed onto a set of virtual - machines, the creation of the VMs is outside of the scope of OOM and could be - done in many ways, such as - - * manually, for example by a user using the OpenStack Horizon dashboard or - AWS EC2, or - * automatically, for example with the use of a OpenStack Heat Orchestration - Template which builds an ONAP stack, Azure ARM template, AWS CloudFormation - Template, or - * orchestrated, for example with Cloudify creating the VMs from a TOSCA - template and controlling their life cycle for the life of the ONAP - deployment. - -* Physical Machine Deployments - If ONAP is to be deployed onto physical - machines there are several options but the recommendation is to use Rancher - along with Helm to associate hosts with a Kubernetes cluster. - -Pods -~~~~ -A group of containers with shared storage and networking can be grouped -together into a Kubernetes pod. All of the containers within a pod are -co-located and co-scheduled so they operate as a single unit. Within ONAP -Amsterdam release, pods are mapped one-to-one to docker containers although -this may change in the future. As explained in the Services section below the -use of Pods within each ONAP component is abstracted from other ONAP -components. - -Services -~~~~~~~~ -OOM uses the Kubernetes service abstraction to provide a consistent access -point for each of the ONAP components independent of the pod or container -architecture of that component. For example, the SDNC component may introduce -OpenDaylight clustering as some point and change the number of pods in this -component to three or more but this change will be isolated from the other ONAP -components by the service abstraction. A service can include a load balancer -on its ingress to distribute traffic between the pods and even react to dynamic -changes in the number of pods if they are part of a replica set. 
- -Persistent Volumes -~~~~~~~~~~~~~~~~~~ -To enable ONAP to be deployed into a wide variety of cloud infrastructures a -flexible persistent storage architecture, built on Kubernetes persistent -volumes, provides the ability to define the physical storage in a central -location and have all ONAP components securely store their data. - -When deploying ONAP into a public cloud, available storage services such as -`AWS Elastic Block Store`_, `Azure File`_, or `GCE Persistent Disk`_ are -options. Alternatively, when deploying into a private cloud the storage -architecture might consist of Fiber Channel, `Gluster FS`_, or iSCSI. Many -other storage options existing, refer to the `Kubernetes Storage Class`_ -documentation for a full list of the options. The storage architecture may vary -from deployment to deployment but in all cases a reliable, redundant storage -system must be provided to ONAP with which the state information of all ONAP -components will be securely stored. The Storage Class for a given deployment is -a single parameter listed in the ONAP values.yaml file and therefore is easily -customized. Operation of this storage system is outside the scope of the OOM. - -.. code-block:: yaml - - Insert values.yaml code block with storage block here - -Once the storage class is selected and the physical storage is provided, the -ONAP deployment step creates a pool of persistent volumes within the given -physical storage that is used by all of the ONAP components. ONAP components -simply make a claim on these persistent volumes (PV), with a persistent volume -claim (PVC), to gain access to their storage. - -The following figure illustrates the relationships between the persistent -volume claims, the persistent volumes, the storage class, and the physical -storage. - -.. 
graphviz:: - - digraph PV { - label = "Persistance Volume Claim to Physical Storage Mapping" - { - node [shape=cylinder] - D0 [label="Drive0"] - D1 [label="Drive1"] - Dx [label="Drivex"] - } - { - node [shape=Mrecord label="StorageClass:ceph"] - sc - } - { - node [shape=point] - p0 p1 p2 - p3 p4 p5 - } - subgraph clusterSDC { - label="SDC" - PVC0 - PVC1 - } - subgraph clusterSDNC { - label="SDNC" - PVC2 - } - subgraph clusterSO { - label="SO" - PVCn - } - PV0 -> sc - PV1 -> sc - PV2 -> sc - PVn -> sc - - sc -> {D0 D1 Dx} - PVC0 -> PV0 - PVC1 -> PV1 - PVC2 -> PV2 - PVCn -> PVn - - # force all of these nodes to the same line in the given order - subgraph { - rank = same; PV0;PV1;PV2;PVn;p0;p1;p2 - PV0->PV1->PV2->p0->p1->p2->PVn [style=invis] - } - - subgraph { - rank = same; D0;D1;Dx;p3;p4;p5 - D0->D1->p3->p4->p5->Dx [style=invis] - } - - } - -In-order for an ONAP component to use a persistent volume it must make a claim -against a specific persistent volume defined in the ONAP common charts. Note -that there is a one-to-one relationship between a PVC and PV. The following is -an excerpt from a component chart that defines a PVC: - -.. code-block:: yaml - - Insert PVC example here - -OOM Networking with Kubernetes ------------------------------- - -- DNS -- Ports - Flattening the containers also expose port conflicts between the - containers which need to be resolved. - -Node Ports -~~~~~~~~~~ - -Pod Placement Rules -------------------- -OOM will use the rich set of Kubernetes node and pod affinity / -anti-affinity rules to minimize the chance of a single failure resulting in a -loss of ONAP service. Node affinity / anti-affinity is used to guide the -Kubernetes orchestrator in the placement of pods on nodes (physical or virtual -machines). 
For example: - -- if a container used Intel DPDK technology the pod may state that it as - affinity to an Intel processor based node, or -- geographical based node labels (such as the Kubernetes standard zone or - region labels) may be used to ensure placement of a DCAE complex close to the - VNFs generating high volumes of traffic thus minimizing networking cost. - Specifically, if nodes were pre-assigned labels East and West, the pod - deployment spec to distribute pods to these nodes would be: - -.. code-block:: yaml - - nodeSelector: - failure-domain.beta.Kubernetes.io/region: {{ .Values.location }} - -- "location: West" is specified in the `values.yaml` file used to deploy - one DCAE cluster and "location: East" is specified in a second `values.yaml` - file (see OOM Configuration Management for more information about - configuration files like the `values.yaml` file). - -Node affinity can also be used to achieve geographic redundancy if pods are -assigned to multiple failure domains. For more information refer to `Assigning -Pods to Nodes`_. - -.. note:: - One could use Pod to Node assignment to totally constrain Kubernetes when - doing initial container assignment to replicate the Amsterdam release - OpenStack Heat based deployment. Should one wish to do this, each VM would - need a unique node name which would be used to specify a node constaint - for every component. These assignment could be specified in an environment - specific values.yaml file. Constraining Kubernetes in this way is not - recommended. - -Kubernetes has a comprehensive system called Taints and Tolerations that can be -used to force the container orchestrator to repel pods from nodes based on -static events (an administrator assigning a taint to a node) or dynamic events -(such as a node becoming unreachable or running out of disk space). There are -no plans to use taints or tolerations in the ONAP Beijing release. 
Pod -affinity / anti-affinity is the concept of creating a spacial relationship -between pods when the Kubernetes orchestrator does assignment (both initially -an in operation) to nodes as explained in Inter-pod affinity and anti-affinity. -For example, one might choose to co-located all of the ONAP SDC containers on a -single node as they are not critical runtime components and co-location -minimizes overhead. On the other hand, one might choose to ensure that all of -the containers in an ODL cluster (SDNC and APPC) are placed on separate nodes -such that a node failure has minimal impact to the operation of the cluster. -An example of how pod affinity / anti-affinity is shown below: - -Pod Affinity / Anti-Affinity - -.. code-block:: yaml - - apiVersion: v1 - kind: Pod - metadata: - name: with-pod-affinity - spec: - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: security - operator: In - values: - - S1 - topologyKey: failure-domain.beta.Kubernetes.io/zone - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: security - operator: In - values: - - S2 - topologyKey: Kubernetes.io/hostname - containers: - - name: with-pod-affinity - image: gcr.io/google_containers/pause:2.0 - -This example contains both podAffinity and podAntiAffinity rules, the first -rule is is a must (requiredDuringSchedulingIgnoredDuringExecution) while the -second will be met pending other considerations -(preferredDuringSchedulingIgnoredDuringExecution). Preemption Another feature -that may assist in achieving a repeatable deployment in the presence of faults -that may have reduced the capacity of the cloud is assigning priority to the -containers such that mission critical components have the ability to evict less -critical components. Kubernetes provides this capability with Pod Priority and -Preemption. 
Prior to having more advanced production grade features available, -the ability to at least be able to re-deploy ONAP (or a subset of) reliably -provides a level of confidence that should an outage occur the system can be -brought back on-line predictably. - -Health Checks -------------- - -Monitoring of ONAP components is configured in the agents within JSON files and -stored in gerrit under the consul-agent-config, here is an example from the AAI -model loader (aai-model-loader-health.json): - -.. code-block:: json - - { - "service": { - "name": "A&AI Model Loader", - "checks": [ - { - "id": "model-loader-process", - "name": "Model Loader Presence", - "script": "/consul/config/scripts/model-loader-script.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } - } - -Liveness Probes ---------------- - -These liveness probes can simply check that a port is available, that a -built-in health check is reporting good health, or that the Consul health check -is positive. For example, to monitor the SDNC component has following liveness -probe can be found in the SDNC DB deployment specification: - -.. code-block:: yaml - - sdnc db liveness probe - - livenessProbe: - exec: - command: ["mysqladmin", "ping"] - initialDelaySeconds: 30 periodSeconds: 10 - timeoutSeconds: 5 - -The 'initialDelaySeconds' control the period of time between the readiness -probe succeeding and the liveness probe starting. 'periodSeconds' and -'timeoutSeconds' control the actual operation of the probe. Note that -containers are inherently ephemeral so the healing action destroys failed -containers and any state information within it. To avoid a loss of state, a -persistent volume should be used to store all data that needs to be persisted -over the re-creation of a container. Persistent volumes have been created for -the database components of each of the projects and the same technique can be -used for all persistent state information. 
- - - -Environment Files -~~~~~~~~~~~~~~~~~ - -MSB Integration -=============== - -The \ `Microservices Bus -Project `__ provides -facilities to integrate micro-services into ONAP and therefore needs to -integrate into OOM - primarily through Consul which is the backend of -MSB service discovery. The following is a brief description of how this -integration will be done: - -A registrator to push the service endpoint info to MSB service -discovery. - -- The needed service endpoint info is put into the kubernetes yaml file - as annotation, including service name, Protocol,version, visual - range,LB method, IP, Port,etc. - -- OOM deploy/start/restart/scale in/scale out/upgrade ONAP components - -- Registrator watch the kubernetes event - -- When an ONAP component instance has been started/destroyed by OOM, - Registrator get the notification from kubernetes - -- Registrator parse the service endpoint info from annotation and - register/update/unregister it to MSB service discovery - -- MSB API Gateway uses the service endpoint info for service routing - and load balancing. - -Details of the registration service API can be found at \ `Microservice -Bus API -Documentation `__. - -ONAP Component Registration to MSB ----------------------------------- -The charts of all ONAP components intending to register against MSB must have -an annotation in their service(s) template. A `sdc` example follows: - -.. code-block:: yaml - - apiVersion: v1 - kind: Service - metadata: - labels: - app: sdc-be - name: sdc-be - namespace: "{{ .Values.nsPrefix }}" - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "sdc", - "version": "v1", - "url": "/sdc/v1", - "protocol": "REST", - "port": "8080", - "visualRange":"1" - }, - { - "serviceName": "sdc-deprecated", - "version": "v1", - "url": "/sdc/v1", - "protocol": "REST", - "port": "8080", - "visualRange":"1", - "path":"/sdc/v1" - } - ]' - ... 
- - -MSB Integration with OOM ------------------------- -A preliminary view of the OOM-MSB integration is as follows: - -.. figure:: images/msb/MSB-OOM-Diagram.png - -A message sequence chart of the registration process: - -.. uml:: - - participant "OOM" as oom - participant "ONAP Component" as onap - participant "Service Discovery" as sd - participant "External API Gateway" as eagw - participant "Router (Internal API Gateway)" as iagw - - box "MSB" #LightBlue - participant sd - participant eagw - participant iagw - end box - - == Deploy Servcie == - - oom -> onap: Deploy - oom -> sd: Register service endpoints - sd -> eagw: Services exposed to external system - sd -> iagw: Services for internal use - - == Component Life-cycle Management == - - oom -> onap: Start/Stop/Scale/Migrate/Upgrade - oom -> sd: Update service info - sd -> eagw: Update service info - sd -> iagw: Update service info - - == Service Health Check == - - sd -> onap: Check the health of service - sd -> eagw: Update service status - sd -> iagw: Update service status - - -MSB Deployment Instructions ---------------------------- -MSB is helm installable ONAP component which is often automatically deployed. -To install it individually enter:: - - > helm install /msb - -.. note:: - TBD: Vaidate if the following procedure is still required. - -Please note that Kubernetes authentication token must be set at -*kubernetes/kube2msb/values.yaml* so the kube2msb registrator can get the -access to watch the kubernetes events and get service annotation by -Kubernetes APIs. The token can be found in the kubectl configuration file -*~/.kube/config* - -More details can be found here `MSB installation `_. - -.. MISC -.. ==== -.. Note that although OOM uses Kubernetes facilities to minimize the effort -.. required of the ONAP component owners to implement a successful rolling -.. upgrade strategy there are other considerations that must be taken into -.. consideration. -.. 
For example, external APIs - both internal and external to ONAP - should be -.. designed to gracefully accept transactions from a peer at a different -.. software version to avoid deadlock situations. Embedded version codes in -.. messages may facilitate such capabilities. -.. -.. Within each of the projects a new configuration repository contains all of -.. the project specific configuration artifacts. As changes are made within -.. the project, it's the responsibility of the project team to make appropriate -.. changes to the configuration data. diff --git a/docs/oom_project_description.rst b/docs/oom_project_description.rst deleted file mode 100644 index b672c48bc0..0000000000 --- a/docs/oom_project_description.rst +++ /dev/null 
@@ -1,100 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung -.. _oom_project_description: - -ONAP Operations Manager Project -############################### - -The ONAP Operations Manager (OOM) is responsible for life-cycle management of -the ONAP platform itself; components such as SO, SDNC, etc. It is not -responsible for the management of services, VNFs or infrastructure instantiated -by ONAP or used by ONAP to host such services or VNFs. OOM uses the open-source -Kubernetes container management system as a means to manage the Docker -containers that compose ONAP where the containers are hosted either directly on -bare-metal servers or on VMs hosted by a 3rd party management system. OOM -ensures that ONAP is easily deployable and maintainable throughout its life -cycle while using hardware resources efficiently. - -.. figure:: images/oom_logo/oomLogoV2-medium.png - :align: right - -In summary OOM provides the following capabilities: - -- **Deploy** - with built-in component dependency management -- **Configure** - unified configuration across all ONAP components -- **Monitor** - real-time health monitoring feeding to a Consul UI and - Kubernetes -- **Heal**- failed ONAP containers are recreated automatically -- **Scale** - cluster ONAP services to enable seamless scaling -- **Upgrade** - change-out containers or configuration with little or no - service impact -- **Delete** - cleanup individual containers or entire deployments - -OOM supports a wide variety of Kubernetes private clouds - built with Rancher, -Kubeadm or Cloudify - and public cloud infrastructures such as: Microsoft -Azure, Amazon AWS, Google GCD, VMware VIO, and OpenStack. 
- -The OOM documentation is broken into four different areas each targeted at a -different user: - -- :ref:`quick-start-label` - deploy ONAP on an existing cloud -- :ref:`user-guide-label` - a guide for operators of an ONAP instance -- :ref:`developer-guide-label` - a guide for developers of OOM and ONAP -- :ref:`cloud-setup-guide-label` - a guide for those setting up cloud - environments that ONAP will use -- :ref:`hardcoded-certificates-label` - the list of all hardcoded certificates - set in ONAP installation - -The :ref:`release_notes` for OOM describe the incremental features per release. - -Component Orchestration Overview -================================ -Multiple technologies, templates, and extensible plug-in frameworks are used in -ONAP to orchestrate platform instances of software component artifacts. A few -standard configurations are provide that may be suitable for test, development, -and some production deployments by substitution of local or platform wide -parameters. Larger and more automated deployments may require integration the -component technologies, templates, and frameworks with a higher level of -automated orchestration and control software. Design guidelines are provided to -insure the component level templates and frameworks can be easily integrated -and maintained. The following diagram provides an overview of these with links -to examples and templates for describing new ones. - -.. 
graphviz:: - - digraph COO { - rankdir="LR"; - - { - node [shape=folder] - oValues [label="values"] - cValues [label="values"] - comValues [label="values"] - sValues [label="values"] - oCharts [label="charts"] - cCharts [label="charts"] - comCharts [label="charts"] - sCharts [label="charts"] - blueprint [label="TOSCA blueprint"] - } - {oom [label="ONAP Operations Manager"]} - {hlo [label="High Level Orchestrator"]} - - - hlo -> blueprint - hlo -> oom - oom -> oValues - oom -> oCharts - oom -> component - oom -> common - common -> comValues - common -> comCharts - component -> cValues - component -> cCharts - component -> subcomponent - subcomponent -> sValues - subcomponent -> sCharts - blueprint -> component - } diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst deleted file mode 100644 index b7749b1056..0000000000 --- a/docs/oom_quickstart_guide.rst +++ /dev/null 
@@ -1,284 +0,0 @@ -.. This work is licensed under a -.. Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2019-2020 Amdocs, Bell Canada, Orange, Samsung -.. _oom_quickstart_guide: -.. _quick-start-label: - -OOM Quick Start Guide -##################### - -.. figure:: images/oom_logo/oomLogoV2-medium.png - :align: right - -Once a Kubernetes environment is available (follow the instructions in -:ref:`cloud-setup-guide-label` if you don't have a cloud environment -available), follow the following instructions to deploy ONAP. - -**Step 1.** Clone the OOM repository from ONAP gerrit:: - - > git clone -b http://gerrit.onap.org/r/oom --recurse-submodules - > cd oom/kubernetes - -where can be an official release tag, such as - -* 4.0.0-ONAP for Dublin -* 5.0.1-ONAP for El Alto -* 6.0.0 for Frankfurt -* 7.0.0 for Guilin -* 8.0.0 for Honolulu -* 9.0.0 for Istanbul -* 10.0.0 for Jakarta -* 11.0.0 for Kohn - -**Step 2.** Install Helm Plugins required to deploy ONAP:: - - > cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins - > helm plugin install https://github.com/chartmuseum/helm-push.git \ - --version 0.9.0 - -.. note:: - The ``--version 0.9.0`` is required as new version of helm (3.7.0 and up) is - now using ``push`` directly and helm-push is using ``cm-push`` starting - version ``0.10.0`` and up. - -**Step 3.** Install Chartmuseum:: - - > curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum - > chmod +x ./chartmuseum - > mv ./chartmuseum /usr/local/bin - -**Step 4.** Install Cert-Manager:: - - > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml - -More details can be found :doc:`here `. 
- -**Step 4.1** Install Strimzi Kafka Operator: - -- Add the helm repo:: - - > helm repo add strimzi https://strimzi.io/charts/ - -- Install the operator:: - - > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version 0.28.0 --set watchAnyNamespace=true --create-namespace - -More details can be found :doc:`here `. - -**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or -an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file -to suit your deployment with items like the OpenStack tenant information. - -.. note:: - Standard and example override files (e.g. `onap-all.yaml`, `openstack.yaml`) - can be found in the `oom/kubernetes/onap/resources/overrides/` directory. - - - a. You may want to selectively enable or disable ONAP components by changing - the ``enabled: true/false`` flags. - - - b. Encrypt the OpenStack password using the shell tool for Robot and put it in - the Robot Helm charts or Robot section of `openstack.yaml` - - - c. Encrypt the OpenStack password using the java based script for SO Helm - charts or SO section of `openstack.yaml`. - - - d. Update the OpenStack parameters that will be used by Robot, SO and APPC Helm - charts or use an override file to replace them. - - e. Add in the command line a value for the global master password - (global.masterPassword). - - - -a. Enabling/Disabling Components: -Here is an example of the nominal entries that need to be provided. -We have different values file available for different contexts. - -.. literalinclude:: ../kubernetes/onap/values.yaml - :language: yaml - - -b. Generating ROBOT Encrypted Password: -The Robot encrypted Password uses the same encryption.key as SO but an -openssl algorithm that works with the python based Robot Framework. - -.. 
note:: - To generate Robot ``openStackEncryptedPasswordHere``:: - - cd so/resources/config/mso/ - /oom/kubernetes/so/resources/config/mso# echo -n "" | openssl aes-128-ecb -e -K `cat encryption.key` -nosalt | xxd -c 256 -p`` - -c. Generating SO Encrypted Password: -The SO Encrypted Password uses a java based encryption utility since the -Java encryption library is not easy to integrate with openssl/python that -Robot uses in Dublin and upper versions. - -.. note:: - To generate SO ``openStackEncryptedPasswordHere`` and ``openStackSoEncryptedPassword`` - ensure `default-jdk` is installed:: - - apt-get update; apt-get install default-jdk - - Then execute:: - - SO_ENCRYPTION_KEY=`cat ~/oom/kubernetes/so/resources/config/mso/encryption.key` - OS_PASSWORD=XXXX_OS_CLEARTESTPASSWORD_XXXX - - git clone http://gerrit.onap.org/r/integration - cd integration/deployment/heat/onap-rke/scripts - - javac Crypto.java - java Crypto "$OS_PASSWORD" "$SO_ENCRYPTION_KEY" - -d. Update the OpenStack parameters: - -There are assumptions in the demonstration VNF Heat templates about the -networking available in the environment. To get the most value out of these -templates and the automation that can help confirm the setup is correct, please -observe the following constraints. - - -``openStackPublicNetId:`` - This network should allow Heat templates to add interfaces. - This need not be an external network, floating IPs can be assigned to the - ports on the VMs that are created by the heat template but its important that - neutron allow ports to be created on them. - -``openStackPrivateNetCidr: "10.0.0.0/16"`` - This ip address block is used to assign OA&M addresses on VNFs to allow ONAP - connectivity. The demonstration Heat templates assume that 10.0 prefix can be - used by the VNFs and the demonstration ip addressing plan embodied in the - preload template prevent conflicts when instantiating the various VNFs. 
If - you need to change this, you will need to modify the preload data in the - Robot Helm chart like integration_preload_parameters.py and the - demo/heat/preload_data in the Robot container. The size of the CIDR should - be sufficient for ONAP and the VMs you expect to create. - -``openStackOamNetworkCidrPrefix: "10.0"`` - This ip prefix mush match the openStackPrivateNetCidr and is a helper - variable to some of the Robot scripts for demonstration. A production - deployment need not worry about this setting but for the demonstration VNFs - the ip asssignment strategy assumes 10.0 ip prefix. - -Example Keystone v2.0 - -.. literalinclude:: yaml/example-integration-override.yaml - :language: yaml - -Example Keystone v3 (required for Rocky and later releases) - -.. literalinclude:: yaml/example-integration-override-v3.yaml - :language: yaml - - -**Step 6.** To setup a local Helm server to server up the ONAP charts:: - - > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & - -Note the port number that is listed and use it in the Helm repo add as -follows:: - - > helm repo add local http://127.0.0.1:8879 - -**Step 7.** Verify your Helm repository setup with:: - - > helm repo list - NAME URL - local http://127.0.0.1:8879 - -**Step 8.** Build a local Helm repository (from the kubernetes directory):: - - > make SKIP_LINT=TRUE [HELM_BIN=] all ; make SKIP_LINT=TRUE [HELM_BIN=] onap - -`HELM_BIN` - Sets the helm binary to be used. The default value use helm from PATH - - -**Step 9.** Display the onap charts that available to be deployed:: - - > helm repo update - > helm search repo onap - -.. literalinclude:: helm/helm-search.txt - -.. note:: - The setup of the Helm repository is a one time activity. If you make changes - to your deployment charts or values be sure to use ``make`` to update your - local Helm repository. - -**Step 10.** Once the repo is setup, installation of ONAP can be done with a -single command - -.. 
note:: - The ``--timeout 900s`` is currently required in Dublin and later - versions up to address long running initialization tasks for DMaaP - and SO. Without this timeout value both applications may fail to - deploy. - -.. danger:: - We've added the master password on the command line. - You shouldn't put it in a file for safety reason - please don't forget to change the value to something random - - A space is also added in front of the command so "history" doesn't catch it. - This masterPassword is very sensitive, please be careful! - - -To deploy all ONAP applications use this command:: - - > cd oom/kubernetes - > helm deploy dev local/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange -f onap/resources/overrides/onap-all.yaml -f onap/resources/overrides/environment.yaml -f onap/resources/overrides/openstack.yaml --timeout 900s - -All override files may be customized (or replaced by other overrides) as per -needs. - -`onap-all.yaml` - Enables the modules in the ONAP deployment. As ONAP is very modular, it is - possible to customize ONAP and disable some components through this - configuration file. - -`onap-all-ingress-nginx-vhost.yaml` - Alternative version of the `onap-all.yaml` but with global ingress controller - enabled. It requires the cluster configured with the nginx ingress controller - and load balancer. Please use this file instead `onap-all.yaml` if you want - to use experimental ingress controller feature. - -`environment.yaml` - Includes configuration values specific to the deployment environment. - - Example: adapt readiness and liveness timers to the level of performance of - your infrastructure - -`openstack.yaml` - Includes all the OpenStack related information for the default target tenant - you want to use to deploy VNFs from ONAP and/or additional parameters for the - embedded tests. 
- -**Step 11.** Verify ONAP installation - -Use the following to monitor your deployment and determine when ONAP is ready -for use:: - - > kubectl get pods -n onap -o=wide - -.. note:: - While all pods may be in a Running state, it is not a guarantee that all - components are running fine. - - Launch the healthcheck tests using Robot to verify that the components are - healthy:: - - > ~/oom/kubernetes/robot/ete-k8s.sh onap health - -**Step 12.** Undeploy ONAP -:: - - > helm undeploy dev - -More examples of using the deploy and undeploy plugins can be found here: -https://wiki.onap.org/display/DW/OOM+Helm+%28un%29Deploy+plugins diff --git a/docs/oom_setup_ingress_controller.rst b/docs/oom_setup_ingress_controller.rst deleted file mode 100644 index fafe0db987..0000000000 --- a/docs/oom_setup_ingress_controller.rst +++ /dev/null 
@@ -1,181 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2020, Samsung Electronics - -.. Links -.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements -.. _kubectl Cheat Sheet: https://kubernetes.io/docs/reference/kubectl/cheatsheet/ -.. _Kubernetes documentation for emptyDir: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir -.. _metallb Metal Load Balancer installation: https://metallb.universe.tf/installation/ -.. _http://cd.onap.info:30223/mso/logging/debug: http://cd.onap.info:30223/mso/logging/debug -.. _Onboarding and Distributing a Vendor Software Product: https://wiki.onap.org/pages/viewpage.action?pageId=1018474 -.. _README.md: https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=kubernetes/README.md - -.. figure:: images/oom_logo/oomLogoV2-medium.png - :align: right - -.. _oom_setup_ingress_controller: - - -Ingress controller setup on HA Kubernetes Cluster -################################################# - -This guide provides instruction how to setup experimental ingress controller -feature. For this, we are hosting our cluster on OpenStack VMs and using the -Rancher Kubernetes Engine (RKE) to deploy and manage our Kubernetes Cluster and -ingress controller - -.. contents:: - :depth: 1 - :local: -.. - -The result at the end of this tutorial will be: - -#. Customization of the cluster.yaml file for ingress controller support - -#. Installation and configuration test DNS server for ingress host resolution - on testing machines - -#. Installation and configuration MLB (Metal Load Balancer) required for - exposing ingress service - -#. Installation and configuration NGINX ingress controller - -#. 
Additional info how to deploy ONAP with services exposed via Ingress - controller - -Customize cluster.yml file -========================== -Before setup cluster for ingress purposes DNS cluster IP and ingress provider -should be configured and following: - -.. code-block:: yaml - - --- - <...> - restore: - restore: false - snapshot_name: "" - ingress: - provider: none - dns: - provider: coredns - upstreamnameservers: - - :31555 - -Where the should be set to the same IP as the CONTROLPANE -node. - -For external load balancer purposes, minimum one of the worker node should be -configured with external IP address accessible outside the cluster. It can be -done using the following example node configuration: - -.. code-block:: yaml - - --- - <...> - - address: - internal_address: - port: "22" - role: - - worker - hostname_override: "onap-worker-0" - user: ubuntu - ssh_key_path: "~/.ssh/id_rsa" - <...> - -Where the is external worker node IP address, and -is internal node IP address if it is required. - - -DNS server configuration and installation -========================================= -DNS server deployed on the Kubernetes cluster makes it easy to use services -exposed through ingress controller because it resolves all subdomain related to -the ONAP cluster to the load balancer IP. Testing ONAP cluster requires a lot -of entries on the target machines in the /etc/hosts. Adding many entries into -the configuration files on testing machines is quite problematic and error -prone. The better wait is to create central DNS server with entries for all -virtual host pointed to simpledemo.onap.org and add custom DNS server as a -target DNS server for testing machines and/or as external DNS for Kubernetes -cluster. 
- -DNS server has automatic installation and configuration script, so installation -is quite easy:: - - > cd kubernetes/contrib/dns-server-for-vhost-ingress-testing - - > ./deploy\_dns.sh - -After DNS deploy you need to setup DNS entry on the target testing machine. -Because DNS listen on non standard port configuration require iptables rules -on the target machine. Please follow the configuration proposed by the deploy -scripts. -Example output depends on the IP address and example output looks like bellow:: - - DNS server already deployed: - 1. You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 - 2. Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine - - -MetalLB Load Balancer installation and configuration -==================================================== - -By default pure Kubernetes cluster requires external load balancer if we want -to expose external port using LoadBalancer settings. For this purpose MetalLB -can be used. Before installing the MetalLB you need to ensure that at least one -worker has assigned IP accessible outside the cluster. - -MetalLB Load balancer can be easily installed using automatic install script:: - - > cd kubernetes/contrib/metallb-loadbalancer-inst - - > ./install-metallb-on-cluster.sh - - -Configuration Nginx ingress controller -====================================== - -After installation DNS server and ingress controller we can install and -configure ingress controller. 
-It can be done using the following commands:: - - > cd kubernetes/contrib/ingress-nginx-post-inst - - > kubectl apply -f nginx_ingress_cluster_config.yaml - - > kubectl apply -f nginx_ingress_enable_optional_load_balacer_service.yaml - -After deploy NGINX ingress controller you can ensure that the ingress port is -exposed as load balancer service with external IP address:: - - > kubectl get svc -n ingress-nginx - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - default-http-backend ClusterIP 10.10.10.10 80/TCP 25h - ingress-nginx LoadBalancer 10.10.10.11 10.12.13.14 80:31308/TCP,443:30314/TCP 24h - - -ONAP with ingress exposed services -================================== -If you want to deploy onap with services exposed through ingress controller you -can use full onap deploy script:: - - > onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml - -Ingress also can be enabled on any onap setup override using following code: - -.. code-block:: yaml - - --- - <...> - global: - <...> - ingress: - enabled: true - diff --git a/docs/release_notes/release-notes-frankfurt.rst b/docs/release_notes/release-notes-frankfurt.rst deleted file mode 100644 index 8b07f4a0db..0000000000 --- a/docs/release_notes/release-notes-frankfurt.rst +++ /dev/null 
@@ -1,166 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 - International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ONAP Project and its contributors -.. _release_notes_frankfurt: - -:orphan: - -************************************* -ONAP Operations Manager Release Notes -************************************* - -Previous Release Notes -====================== - -- :ref:`El Alto ` -- :ref:`Dublin ` -- :ref:`Casablanca ` -- :ref:`Beijing ` -- :ref:`Amsterdam ` - -Abstract -======== - -This document provides the release notes for the Frankfurt release. - -Summary -======= - -The focus of this release is to strengthen the foundation of OOM installer. - -Release Data -============ - -+--------------------------------------+--------------------------------------+ -| **Project** | OOM | -| | | -+--------------------------------------+--------------------------------------+ -| **Docker images** | N/A | -| | | -+--------------------------------------+--------------------------------------+ -| **Release designation** | Frankfurt | -| | | -+--------------------------------------+--------------------------------------+ -| **Release date** | 2020/06/15 | -| | | -+--------------------------------------+--------------------------------------+ - -New features ------------- - -* Ingress deployment is getting more and more usable -* Use of dynamic Persistent Volume is available - -**Bug fixes** - -A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/10826 - -**Known Issues** - -- `OOM-1237 `_ Source Helm Charts from - ONAP Repo. Having helm charts repo is not possible for Frankfurt release. -- `OOM-1720 `_ galera container is - outdated. containers used for mariadb are outdated and not supported anymore. -- `OOM-1817 `_ Use of global.repository - inconsistent across Helm Charts. it's then may be hard to retrieve some - containers when deploying in constrained environment. 
-- `OOM-2075 `_ Invalid MTU for Canal CNI - interfaces -- `OOM-2227 `_ Cassandra Backup Mechanism - works only on "static PV" mode. -- `OOM-2230 `_ Missing requests/limits - for some PODS. This can lead to "memory bombing" so cautious monitoring of - Kubernetes resources usage must be set up. -- `OOM-2279 `_ OOM El Alto and master - clamp mariadb resources doesn't match chart. -- `OOM-2285 `_ deploy.sh does not work - for mariadb-galera. deploy script doesn't behave well with "-" in the - component name. -- `OOM-2369 `_ DMAAP Helm install takes - too long and often fails. -- `OOM-2418 `_ Readiness-check 2.0.2 not - working properly for stateful set. -- `OOM-2421 `_ OOM NBI chart deployment - error. In some case, NBI deployment fails. -- `OOM-2422 `_ Portal App is unreachable - when deploying without HTTPs - - -Deliverables ------------- - -Software Deliverables -~~~~~~~~~~~~~~~~~~~~~ - -OOM provides `Helm charts `_ that needs to be -"compiled" into Helm package. see step 6 in -:doc:`quickstart guide <../oom_quickstart_guide>`. - -Documentation Deliverables -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -- :doc:`Project Description <../oom_project_description>` -- :doc:`Cloud Setup Guide <../oom_cloud_setup_guide>` -- :doc:`Quick Start Guide <../oom_quickstart_guide>` -- :doc:`Setup Ingress Controller <../oom_setup_ingress_controller>` -- :doc:`Developer Guide <../oom_developer_guide>` -- :doc:`Hardcoded Certificates <../oom_hardcoded_certificates>` - -Known Limitations, Issues and Workarounds -========================================= - -Known Vulnerabilities ---------------------- - -- Hard coded password used for all OOM deployments - [`OJSI-188 `_] -- :doc:`Hard coded certificates <../oom_hardcoded_certificates>` in Helm packages - -Workarounds ------------ - -- `OOM-1237 `_ Workaround is to generate - them as explained in documentation. -- `OOM-1817 `_ Workaround is to use - offline installer if needed. 
-- `OOM-2227 `_ Workaround is to stick to - "static PV" (so, not using storage class) if backup is needed. -- `OOM-2285 `_ Workaround is to use - directly helm upgrade if needed. -- `OOM-2369 `_ Workaround is to play - postinstall jobs by hand. -- `OOM-2418 `_ Workaround is to use - version 2.2.2 in global part of override file if the new check is needed. -- `OOM-2421 `_ Workaround is to - undeploy/redeploy NBI. -- `OOM-2422 `_ Workaround is to create - first portal app service with service type Cluster IP then changing it to - NodePort or LoadBalancer so all the port are available. - -Security Notes --------------- - -**Fixed Security Issues** - -- In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside - of cluster. [`OJSI-134 `_] -- CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 - [`OJSI-202 `_] - -References -========== - -For more information on the ONAP Frankfurt release, please see: - -#. `ONAP Home Page`_ -#. `ONAP Documentation`_ -#. `ONAP Release Downloads`_ -#. `ONAP Wiki Page`_ - - -.. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org -.. _`ONAP Documentation`: https://docs.onap.org -.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/release_notes/release-notes-guilin.rst b/docs/release_notes/release-notes-guilin.rst deleted file mode 100644 index 8d4b4322b8..0000000000 --- a/docs/release_notes/release-notes-guilin.rst +++ /dev/null 
@@ -1,150 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 - International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ONAP Project and its contributors -.. _release_notes_guilin: - -:orphan: - -************************************* -ONAP Operations Manager Release Notes -************************************* - -Previous Release Notes -====================== - -- :ref:`Frankfurt ` -- :ref:`El Alto ` -- :ref:`Dublin ` -- :ref:`Casablanca ` -- :ref:`Beijing ` -- :ref:`Amsterdam ` - -Abstract -======== - -This document provides the release notes for the Guilin release. - -Summary -======= - -The focus of this release is to strengthen the foundation of OOM installer. - -Release Data -============ - -+--------------------------------------+--------------------------------------+ -| **Project** | OOM | -| | | -+--------------------------------------+--------------------------------------+ -| **Docker images** | N/A | -| | | -+--------------------------------------+--------------------------------------+ -| **Release designation** | Guilin | -| | | -+--------------------------------------+--------------------------------------+ -| **Release date** | 2020/12/03 | -| | | -+--------------------------------------+--------------------------------------+ - -New features ------------- - -* Kubernetes support for version up to 1.19 -* Helm (experimental) support for version up to 3.3 -* Limits are set for most of the components - -**Bug fixes** - -A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/10826 - -**Known Issues** - -- `OOM-1237 `_ Source Helm Charts from - ONAP Repo. Having helm charts repo is not possible for Frankfurt release. -- `OOM-1720 `_ galera container is - outdated. containers used for mariadb are outdated and not supported anymore. -- `OOM-1817 `_ Use of global.repository - inconsistent across Helm Charts. 
it's then may be hard to retrieve some - containers when deploying in constrained environment. -- `OOM-2227 `_ Cassandra Backup Mechanism - works only on "static PV" mode. -- `OOM-2285 `_ deploy.sh does not work - for mariadb-galera. deploy script doesn't behave well with "-" in the - component name. -- `OOM-2421 `_ OOM nbi chart deployment - error -- `OOM-2534 `_ Cert-Service leverages - runtime external dependency -- `OOM-2554 `_ Common pods have java 8 -- `OOM-2588 `_ Various subcharts not - installing due to helm size issues -- `OOM-2629 `_ NetBox demo entry setup - not complete - - -Deliverables ------------- - -Software Deliverables -~~~~~~~~~~~~~~~~~~~~~ - -OOM provides `Helm charts `_ that needs to be -"compiled" into Helm package. see step 6 in -:doc:`quickstart guide <../oom_quickstart_guide>`. - -Documentation Deliverables -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -- :doc:`Project Description <../oom_project_description>` -- :doc:`Cloud Setup Guide <../oom_cloud_setup_guide>` -- :doc:`Quick Start Guide <../oom_quickstart_guide>` -- :doc:`Setup Ingress Controller <../oom_setup_ingress_controller>` -- :doc:`Developer Guide <../oom_developer_guide>` -- :doc:`Hardcoded Certificates <../oom_hardcoded_certificates>` - -Known Limitations, Issues and Workarounds -========================================= - -Known Vulnerabilities ---------------------- - -- Hard coded password used for all OOM deployments - [`OJSI-188 `_] -- :doc:`Hard coded certificates <../oom_hardcoded_certificates>` in Helm packages - -Workarounds ------------ - -- `OOM-1237 `_ Workaround is to generate - them as explained in documentation. -- `OOM-1817 `_ Workaround is to use - offline installer if needed. -- `OOM-2227 `_ Workaround is to stick to - "static PV" (so, not using storage class) if backup is needed. -- `OOM-2285 `_ Workaround is to use - directly helm upgrade if needed. 
-- `OOM-2534 `_ Workaround is to download - in advance docker.io/openjdk:11-jre-slim where you will generate the charts - -Security Notes --------------- - -**Fixed Security Issues** - -References -========== - -For more information on the ONAP Frankfurt release, please see: - -#. `ONAP Home Page`_ -#. `ONAP Documentation`_ -#. `ONAP Release Downloads`_ -#. `ONAP Wiki Page`_ - - -.. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org -.. _`ONAP Documentation`: https://docs.onap.org -.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/release_notes/release-notes-honolulu.rst b/docs/release_notes/release-notes-honolulu.rst deleted file mode 100644 index bf91a44a3e..0000000000 --- a/docs/release_notes/release-notes-honolulu.rst +++ /dev/null 
@@ -1,162 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 - International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ONAP Project and its contributors -.. _release_notes_honolulu: - -:orphan: - -************************************* -ONAP Operations Manager Release Notes -************************************* - -Previous Release Notes -====================== - -- :ref:`Guilin ` -- :ref:`Frankfurt ` -- :ref:`El Alto ` -- :ref:`Dublin ` -- :ref:`Casablanca ` -- :ref:`Beijing ` -- :ref:`Amsterdam ` - -Abstract -======== - -This document provides the release notes for the Honolulu release. - -Summary -======= - -The focus of this release is to strengthen the foundation of OOM installer. - -Release Data -============ - -+--------------------------------------+--------------------------------------+ -| **Project** | OOM | -| | | -+--------------------------------------+--------------------------------------+ -| **Docker images** | N/A | -| | | -+--------------------------------------+--------------------------------------+ -| **Release designation** | Honolulu | -| | | -+--------------------------------------+--------------------------------------+ -| **Release date** | 2021/04/29 | -| | | -+--------------------------------------+--------------------------------------+ - -New features ------------- - -* Kubernetes support for version up to 1.20 -* Helm support for version up to 3.5 -* Limits are set for most of the components -* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack -* CMPv2 external issuer implemented which extends Cert-Manager with ability to - enroll X.509 certificates from CMPv2 servers -* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual - Stack -* Bump version of common PostgreSQL and ElasticSearch -* Move to automatic certificates retrieval for 80% of the components -* Consistent retrieval of docker images, with ability to configure proxy for - the 4 
repositories used by ONAP - -**Bug fixes** - -A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11073 - -major issues solved: - -* Better handling of persistence on PostgreSQL -* Better Ingress templating -* Better Service templating - -**Known Issues** - -- `OOM-2554 `_ Common pods have java 8 -- `OOM-2435 `_ SDNC karaf shell: - log:list: Error executing command: Unrecognized configuration -- `OOM-2629 `_ NetBox demo entry setup - not complete -- `OOM-2706 `_ CDS Blueprint Processor - does not work with local DB -- `OOM-2713 `_ Problem on onboarding - custom cert to SDNC ONAP during deployment -- `OOM-2698 `_ SO helm override fails in - for value with multi-level replacement -- `OOM-2697 `_ SO with local MariaDB - deployment fails -- `OOM-2538 `_ strange error with - CertInitializer template -- `OOM-2547 `_ Health Check failures - seen after bringing down/up control plane & worker node VM instances on which - ONAP hosted -- `OOM-2699 `_ SO so-mariadb - readinessCheck fails for local MariaDB instance -- `OOM-2705 `_ SDNC DB installation fails - on local MariaDB instance -- `OOM-2603 `_ [SDNC] allign password for - scaleoutUser/restconfUser/odlUser - -Deliverables ------------- - -Software Deliverables -~~~~~~~~~~~~~~~~~~~~~ - -OOM provides `Helm charts `_ that needs to be -"compiled" into Helm package. see step 6 in -:doc:`quickstart guide <../oom_quickstart_guide>`. 
- -Documentation Deliverables -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -- :doc:`Project Description <../oom_project_description>` -- :doc:`Cloud Setup Guide <../oom_cloud_setup_guide>` -- :doc:`Quick Start Guide <../oom_quickstart_guide>` -- :doc:`Setup Ingress Controller <../oom_setup_ingress_controller>` -- :doc:`Developer Guide <../oom_developer_guide>` -- :doc:`Hardcoded Certificates <../oom_hardcoded_certificates>` - -Known Limitations, Issues and Workarounds -========================================= - -Known Vulnerabilities ---------------------- - -- Hard coded password used for all OOM deployments - [`OJSI-188 `_] -- :doc:`Hard coded certificates <../oom_hardcoded_certificates>` in Helm packages - -Workarounds ------------ - -- ``_ - Workaround is to generate a password with "short" strength or pregenerate - passwords without single quote in it. Default deployment is using "short" - password generation for mariadb. - -Security Notes --------------- - -**Fixed Security Issues** - -References -========== - -For more information on the ONAP Frankfurt release, please see: - -#. `ONAP Home Page`_ -#. `ONAP Documentation`_ -#. `ONAP Release Downloads`_ -#. `ONAP Wiki Page`_ - - -.. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org -.. _`ONAP Documentation`: https://docs.onap.org -.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/release_notes/release-notes-isntanbul.rst b/docs/release_notes/release-notes-isntanbul.rst deleted file mode 100644 index bd320112c3..0000000000 --- a/docs/release_notes/release-notes-isntanbul.rst +++ /dev/null 
@@ -1,132 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 - International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ONAP Project and its contributors -.. _release_notes_istanbul: - -:orphan: - -************************************* -ONAP Operations Manager Release Notes -************************************* - -Previous Release Notes -====================== - -- :ref:`Honolulu ` -- :ref:`Guilin ` -- :ref:`Frankfurt ` -- :ref:`El Alto ` -- :ref:`Dublin ` -- :ref:`Casablanca ` -- :ref:`Beijing ` -- :ref:`Amsterdam ` - -Abstract -======== - -This document provides the release notes for the Istanbul release. - -Summary -======= - - - -Release Data -============ - -+--------------------------------------+--------------------------------------+ -| **Project** | OOM | -| | | -+--------------------------------------+--------------------------------------+ -| **Docker images** | N/A | -| | | -+--------------------------------------+--------------------------------------+ -| **Release designation** | Istanbul | -| | | -+--------------------------------------+--------------------------------------+ -| **Release date** | | -| | | -+--------------------------------------+--------------------------------------+ - -New features ------------- - - -**Bug fixes** - -A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11074 - - -**Known Issues** - - -Deliverables ------------- - -Software Deliverables -~~~~~~~~~~~~~~~~~~~~~ - -OOM provides `Helm charts `_ that needs to be -"compiled" into Helm package. see step 6 in -:doc:`quickstart guide <../oom_quickstart_guide>`. 
- -Documentation Deliverables -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -- :doc:`Project Description <../oom_project_description>` -- :doc:`Cloud Setup Guide <../oom_cloud_setup_guide>` -- :doc:`Quick Start Guide <../oom_quickstart_guide>` -- :doc:`Setup Ingress Controller <../oom_setup_ingress_controller>` -- :doc:`Developer Guide <../oom_developer_guide>` -- :doc:`Hardcoded Certificates <../oom_hardcoded_certificates>` - -Known Limitations, Issues and Workarounds -========================================= - -Known Vulnerabilities ---------------------- - - -Workarounds ------------ - -- `OOM-2754 `_ - Because of *updateEndpoint* property added to *cmpv2issuer* CRD - it is impossible to upgrade platform component from Honolulu to Istanbul - release without manual steps. Actions that should be performed: - - #. Update the CRD definition:: - - > kubectl -n onap apply -f oom/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml - #. Upgrade the component:: - - > helm -n onap upgrade dev-platform oom/kubernetes/platform - #. Make sure that *cmpv2issuer* contains correct value for - *spec.updateEndpoint*. The value should be: *v1/certificate-update*. - If it's not, edit the resource:: - - > kubectl -n onap edit cmpv2issuer cmpv2-issuer-onap - - -Security Notes --------------- - -**Fixed Security Issues** - -References -========== - -For more information on the ONAP Istanbul release, please see: - -#. `ONAP Home Page`_ -#. `ONAP Documentation`_ -#. `ONAP Release Downloads`_ -#. `ONAP Wiki Page`_ - - -.. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org -.. _`ONAP Documentation`: https://docs.onap.org -.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/release_notes/release-notes.rst b/docs/release_notes/release-notes.rst deleted file mode 100644 index 1ab2173e10..0000000000 --- a/docs/release_notes/release-notes.rst +++ /dev/null 
@@ -1,131 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 - International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ONAP Project and its contributors -.. _release_notes: - -************************************* -ONAP Operations Manager Release Notes -************************************* - -Previous Release Notes -====================== - -- :ref:`Istanbul ` -- :ref:`Honolulu ` -- :ref:`Guilin ` -- :ref:`Frankfurt ` -- :ref:`El Alto ` -- :ref:`Dublin ` -- :ref:`Casablanca ` -- :ref:`Beijing ` -- :ref:`Amsterdam ` - -Abstract -======== - -This document provides the release notes for the Jakarta release. - -Summary -======= - - - -Release Data -============ - -+--------------------------------------+--------------------------------------+ -| **Project** | OOM | -| | | -+--------------------------------------+--------------------------------------+ -| **Docker images** | N/A | -| | | -+--------------------------------------+--------------------------------------+ -| **Release designation** | Jakarta | -| | | -+--------------------------------------+--------------------------------------+ -| **Release date** | | -| | | -+--------------------------------------+--------------------------------------+ - -New features ------------- - - -**Bug fixes** - -A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11498 - - -**Known Issues** - - -Deliverables ------------- - -Software Deliverables -~~~~~~~~~~~~~~~~~~~~~ - -OOM provides `Helm charts `_ that needs to be -"compiled" into Helm package. see step 6 in -:doc:`quickstart guide <../oom_quickstart_guide>`. 
- -Documentation Deliverables -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -- :doc:`Project Description <../oom_project_description>` -- :doc:`Cloud Setup Guide <../oom_cloud_setup_guide>` -- :doc:`Quick Start Guide <../oom_quickstart_guide>` -- :doc:`Setup Ingress Controller <../oom_setup_ingress_controller>` -- :doc:`Developer Guide <../oom_developer_guide>` -- :doc:`Hardcoded Certificates <../oom_hardcoded_certificates>` - -Known Limitations, Issues and Workarounds -========================================= - -Known Vulnerabilities ---------------------- - - -Workarounds ------------ - -- `OOM-2754 `_ - Because of *updateEndpoint* property added to *cmpv2issuer* CRD - it is impossible to upgrade platform component from Istanbul to Jakarta - release without manual steps. Actions that should be performed: - - #. Update the CRD definition:: - - > kubectl -n onap apply -f oom/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml - #. Upgrade the component:: - - > helm -n onap upgrade dev-platform oom/kubernetes/platform - #. Make sure that *cmpv2issuer* contains correct value for - *spec.updateEndpoint*. The value should be: *v1/certificate-update*. - If it's not, edit the resource:: - - > kubectl -n onap edit cmpv2issuer cmpv2-issuer-onap - - -Security Notes --------------- - -**Fixed Security Issues** - -References -========== - -For more information on the ONAP Istanbul release, please see: - -#. `ONAP Home Page`_ -#. `ONAP Documentation`_ -#. `ONAP Release Downloads`_ -#. `ONAP Wiki Page`_ - - -.. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org -.. _`ONAP Documentation`: https://docs.onap.org -.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/requirements-docs.txt b/docs/requirements-docs.txt new file mode 100644 index 0000000000..be92e5dcea --- /dev/null +++ b/docs/requirements-docs.txt 
@@ -0,0 +1,9 @@ +sphinx>=4.2.0 # BSD +sphinx-rtd-theme>=1.0.0 # MIT +sphinxcontrib-blockdiag # BSD +sphinxcontrib-seqdiag # BSD +sphinxcontrib-swaggerdoc +sphinxcontrib-spelling +sphinxcontrib-plantuml +sphinx_toolbox>=3.2.0 +six \ No newline at end of file diff --git a/docs/sections/guides/access_guides/oom_access_info.rst b/docs/sections/guides/access_guides/oom_access_info.rst new file mode 100644 index 0000000000..ebc2f65104 --- /dev/null +++ b/docs/sections/guides/access_guides/oom_access_info.rst 
@@ -0,0 +1,152 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes LoadBalancer: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer +.. _Kubernetes NodePort: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + +.. _oom_access_info_guide: + +OOM Access Info +############### + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +Access via Ingress (production) +******************************* + +Using Ingress as access method requires the installation of an Ingress +controller and the configuration of the ONAP deployment to use it. + +For "ONAP on ServiceMesh" you can find the instructions in: + +- :ref:`oom_base_optional_addons` +- :ref:`oom_customize_overrides` + +In the ServiceMesh deployment the Istio IngressGateway is the only access point +for ONAP component interfaces. +Usually the Ingress is accessed via a LoadBalancer IP (), +which is used as central address. +All APIs/UIs are provided via separate URLs which are routed to the component service. +To use these URLs they need to be resolvable via DNS or via /etc/hosts. + +The domain name is usually defined in the `global` section of the ONAP helm-charts, +`virtualhost.baseurl` (here "simpledemo.onap.org") whereas the hostname of +the service (e.g. "sdc-fe-ui") is defined in the component's chart. + +.. code-block:: none + + kiali.simpledemo.onap.org + cds-ui.simpledemo.onap.org + sdc-fe-ui.simpledemo.onap.org + ... + +To access e.g. the SDC UI now the new ssl-encrypted URL: + +``https://sdc-fe-ui.simpledemo.onap.org/sdc1`` + +Access via NodePort/Loadbalancer (development) +********************************************** + +In the development setop OOM operates in a private IP network that isn't +publicly accessible (i.e. 
OpenStack VMs with private internal network) which +blocks access to the ONAP User Interfaces. +To enable direct access to a service from a user's own environment (a laptop etc.) +the application's internal port is exposed through a `Kubernetes NodePort`_ or +`Kubernetes LoadBalancer`_ object. + +Typically, to be able to access the Kubernetes nodes publicly a public address +is assigned. In OpenStack this is a floating IP address. + +Most ONAP applications use the `NodePort` as predefined `service:type`, +which opens allows access to the service through the the IP address of each +Kubernetes node. +When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ object +which gets a separate IP address. + +When e.g. the `sdc-fe` chart is deployed a Kubernetes service is created that +instantiates a load balancer. The LB chooses the private interface of one of +the nodes as in the example below (10.0.0.4 is private to the K8s cluster only). +Then to be able to access the portal on port 8989 from outside the K8s & +OpenStack environment, the user needs to assign/get the floating IP address that +corresponds to the private IP as follows:: + + > kubectl -n onap get services|grep "sdc-fe" + sdc-fe LoadBalancer 10.43.142.201 10.0.0.4 8181:30207/TCP + + +In this example, use the 10.0.0.4 private address as a key find the +corresponding public address which in this example is 10.12.6.155. If you're +using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI +for your tenant (openstack server list). That IP is then used in your +`/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown +below:: + + 10.43.142.201 sdc.fe.simpledemo.onap.org + +Ensure you've disabled any proxy settings the browser you are using to access +the portal and then simply access now the new ssl-encrypted URL: +``http://sdc.fe.simpledemo.onap.org:30207sdc1/portal`` + +.. 
note:: + Besides the ONAP SDC the Components can deliver additional user interfaces, + please check the Component specific documentation. + +.. note:: + + | Alternatives Considered: + + - Kubernetes port forwarding was considered but discarded as it would + require the end user to run a script that opens up port forwarding tunnels + to each of the pods that provides a portal application widget. + + - Reverting to a VNC server similar to what was deployed in the Amsterdam + release was also considered but there were many issues with resolution, + lack of volume mount, /etc/hosts dynamic update, file upload that were + a tall order to solve in time for the Beijing release. + + Observations: + + - If you are not using floating IPs in your Kubernetes deployment and + directly attaching a public IP address (i.e. by using your public provider + network) to your K8S Node VMs' network interface, then the output of + 'kubectl -n onap get services | grep "portal-app"' + will show your public IP instead of the private network's IP. Therefore, + you can grab this public IP directly (as compared to trying to find the + floating IP first) and map this IP in /etc/hosts. + +Some relevant information regarding accessing OOM from outside the cluster etc + +ONAP Nodeports +============== + +NodePorts are used to allow client applications, that run outside of +Kubernetes, access to ONAP components deployed by OOM. +A NodePort maps an externally reachable port to an internal port of an ONAP +microservice. +It should be noted that the use of NodePorts is temporary. +An alternative solution based on Ingress Controller, which initial support is +already in place. It is planned to become a default deployment option in the +London release. + +More information from official Kubernetes documentation about +`Kubernetes NodePort`_. + +The following table lists all the NodePorts used by ONAP. + +.. 
csv-table:: NodePorts table + :file: ../../resources/csv/nodeports.csv + :widths: 20,20,20,20,20 + :header-rows: 1 + + +This table retrieves information from the ONAP deployment using the following +Kubernetes command: + +.. code-block:: bash + + kubectl get svc -n onap -o go-template='{{range .items}}{{range.spec.ports}}{{if .nodePort}}{{.nodePort}}{{.}}{{"\n"}}{{end}}{{end}}{{end}}' + diff --git a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst new file mode 100644 index 0000000000..a5458f8562 --- /dev/null +++ b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst 
@@ -0,0 +1,171 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _helm deploy: https://github.com/onap/oom/blob/master/kubernetes/helm/plugins/deploy/deploy.sh + +.. _oom_customize_overrides: + +OOM Custom Overrides +#################### + +The OOM `helm deploy`_ plugin requires deployment configuration as input, usually in the form of override yaml files. +These input files determine what ONAP components get deployed, and the configuration of the OOM deployment. + +Other helm config options like `--set log.enabled=true|false` are available. + +See the `helm deploy`_ plugin usage section for more detail, or it the plugin has already been installed, execute the following:: + + > helm deploy --help + +Users can customize the override files to suit their required deployment. + +.. note:: + Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml`) + can be found in the `oom/kubernetes/onap/resources/overrides/` directory. + + * Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags. + + * Add to the command line a value for the global master password (ie. --set global.masterPassword=My_superPassw0rd). + + +Enabling/Disabling Components +============================= + +Here is an example of the nominal entries that need to be provided. +Different values files are available for different contexts. + +.. collapse:: Default ONAP values.yaml + + .. include:: ../../../../kubernetes/onap/values.yaml + :code: yaml + +| + +ONAP "Production" Setup +======================= + +The production setup deploys ONAP components exposing its external services +via Ingress with TLS termination. +Internal traffic encryption will be ensured by using Istio ServiceMesh. 
+ +For external access we start to establish Authentication via Oauth2-proxy +and Keycloak, which will be completed in the coming release. + +To enable both "ServiceMesh" and "Ingress" configuration entries need +to be set before deployment. + +Service Mesh and Ingress configuration +-------------------------------------- + +Global settings relevant for ServiceMesh and Ingress: + +.. code-block:: yaml + + global: + ingress: + # generally enable ingress for ONAP components + enabled: true + # enable all component's Ingress interfaces + enable_all: false + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + + # default Ingress base URL + # All http requests via ingress will be redirected + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + # All http requests via ingress will be redirected on Ingress controller + # only valid for Istio Gateway (ServiceMesh enabled) + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # only valid for Istio Gateway (ServiceMesh enabled) + # tls: + # secret: 'my-ingress-cert' + # optional: Namespace of the Istio IngressGateway + # only valid for Istio Gateway (ServiceMesh enabled) + namespace: istio-ingress + ... 
+ serviceMesh: + enabled: true + tls: true + # be aware that linkerd is not well tested + engine: "istio" # valid value: istio or linkerd + ... + aafEnabled: false + cmpv2Enabled: false + tlsEnabled: false + msbEnabled: false + +ServiceMesh settings: + +- enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment) +- tls: true → enables mTLS encryption in Sidecar communication +- engine: istio → sets the SM engine (currently only Istio is supported) +- aafEnabled: false → disables AAF usage for TLS interfaces +- tlsEnabled: false → disables creation of TLS in component services +- cmpv2Enabled: false → disable cmpv2 feature +- msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend) + +Ingress settings: + +- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled) +- enable_all: true → enables Ingress configuration in each component +- provider: "..." → sets the Ingress provider (ingress, istio, gw-api) +- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. nginx, traefik +- ingressSelector: "" → Selector (only for provider "istio") to match with the ingress pod label "istio=ingress" +- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and http(s) listener names +- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components, + resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride +- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name for all Interfaces set by the components, + resulting in e.g. "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.preaddrOverride +- virtualhost.postaddr: "-post" → sets globally a postfix for the Application name for all Interfaces set by the components, + resulting in e.g. 
"aai-api-post.simpledemo.onap.org", can be overwritten in the component via: ingress.postaddrOverride +- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443) +- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret +- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate + +.. note:: + For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`) + can be found in the `oom/kubernetes/onap/resources/overrides/` directory. + +External Authentication configuration +------------------------------------- + +For enabling of external authentication via Oauth2-Proxy and Keycloak +the following settings have to be done in the ONAP values override. +It will enable the deployment of the ONAP Realm to Keycloak and +installation and integration of the Oauth2-Proxy as external Auth-Provider. + +.. code-block:: yaml + + platform: + enabled: true + cmpv2-cert-service: + enabled: false + keycloak-init: + enabled: true + oauth2-proxy: + enabled: true \ No newline at end of file diff --git a/docs/sections/guides/deployment_guides/oom_deployment.rst b/docs/sections/guides/deployment_guides/oom_deployment.rst new file mode 100644 index 0000000000..110736939e --- /dev/null +++ b/docs/sections/guides/deployment_guides/oom_deployment.rst 
@@ -0,0 +1,42 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _ONAP Release Long Term Roadmap: https://wiki.onap.org/display/DW/Long+Term+Roadmap + +.. _oom_deploy_guide: + +OOM Deployment Guide +-------------------- + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +ONAP OOM supports several options for the deployment of ONAP using it's helm charts. + + * :ref:`oom_helm_release_repo_deploy` + * :ref:`oom_helm_testing_repo_deploy` + * :ref:`oom_dev_testing_local_deploy` + +.. warning:: + | **Pre-requisites** + | The following sections must be completed before continuing with deployment: + + | :ref:`Set up your base platform` + + +Each deployment method can be customized to deploy a subset of ONAP component applications. +See the :ref:`oom_customize_overrides` section for more details. + + +.. toctree:: + :hidden: + + oom_customize_overrides.rst + oom_helm_release_repo_deploy.rst + oom_helm_testing_repo_deploy.rst + oom_dev_testing_local_deploy.rst + + diff --git a/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst new file mode 100644 index 0000000000..b0deff0e2b --- /dev/null +++ b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst 
@@ -0,0 +1,83 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links + +.. _oom_dev_testing_local_deploy: + +OOM Developer Testing Deployment +================================ + +Developing and testing changes to the existing OOM project can be done locally by setting up some additional +tools to host the updated helm charts. + +**Step 1.** Clone the OOM repository from ONAP gerrit:: + + > git clone http://gerrit.onap.org/r/oom + + > cd oom/kubernetes + + +**Step 2.** Install Helm Plugin required to push helm charts to local repo:: + + > helm plugin install https://github.com/chartmuseum/helm-push.git --version 0.9.0 + +.. note:: + The ``--version 0.9.0`` is required as new version of helm (3.7.0 and up) is + now using ``push`` directly and helm-push is using ``cm-push`` starting + version ``0.10.0`` and up. + +**Step 3.** Install Chartmuseum + +Chart museum is required to host the helm charts locally when deploying in a development environment:: + + > curl https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum | bash + +**Step 4.** To setup a local Helm server to store the ONAP charts:: + + > mkdir -p ~/helm3-storage + + > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & + +Note the port number that is listed and use it in the Helm repo add as follows:: + + > helm repo add local http://127.0.0.1:8879 + +**Step 5.** Verify your Helm repository setup with:: + + > helm repo list + NAME URL + local http://127.0.0.1:8879 + +**Step 6.** Build a local Helm repository (from the kubernetes directory):: + + > make SKIP_LINT=TRUE [HELM_BIN=] all + +`HELM_BIN` + Sets the helm binary to be used. The default value use helm from PATH + + +**Step 7.** Display the onap charts that are available to be deployed:: + + > helm repo update + + > helm search repo local + + +.. 
collapse:: Helm search repo output + + .. include:: ../../resources/helm/helm-search.txt + :code: yaml + +| + +.. note:: + The setup of the Helm repository is a one time activity. If you make changes + to your deployment charts or values be sure to use ``make`` to update your + local Helm repository. + + + + diff --git a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst new file mode 100644 index 0000000000..e7dc2f0a35 --- /dev/null +++ b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst 
@@ -0,0 +1,44 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _ONAP helm release repository: https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/ +.. _ONAP Release Long Term Roadmap: https://wiki.onap.org/display/DW/Long+Term+Roadmap + +.. _oom_helm_release_repo_deploy: + +OOM Helm Release Deployment +=========================== + +ONAP hosts the OOM release helm charts in it's `ONAP helm release repository`_. + +This is the officially supported repository for the deployment of OOM. + +.. note:: + ONAP supports up to N-1 releases. See `ONAP Release Long Term Roadmap`_ for more details. + +Add the OOM release repo & Deploy +--------------------------------- +Add the repository: + +- To add the onap release helm repo, execute the following:: + + > helm repo add onap-release https://nexus3.onap.org/repository/onap-helm-release/ + +.. note:: + The following helm command will deploy ONAP charts, with `all` OOM components enabled as per the onap-all.yml overrides file provided to the `-f` flag. + + To customize what applications are deployed, see the :ref:`oom_customize_overrides` section for more details, to provide your own custom overrides yaml file. + +- To deploy a release, execute the following, substituting the tag with your preferred release (ie. 13.0.0):: + + > helm deploy dev onap-release/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange --version -f oom/kubernetes/onap/resources/overrides/onap-all.yaml + + + + + + + diff --git a/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst new file mode 100644 index 0000000000..e9312382b3 --- /dev/null +++ b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst 
@@ -0,0 +1,46 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _ONAP helm testing repository: https://nexus3.onap.org/service/rest/repository/browse/onap-helm-testing/ +.. _OOM: https://github.com/onap/oom + +.. _oom_helm_testing_repo_deploy: + +OOM Helm Testing Deployment +=========================== + +ONAP hosts the OOM `testing` helm charts in it's `ONAP helm testing repository`_. + +This is helm repo contains: + + * The `latest` charts built from the head of the `OOM`_ project's master + branch, tagged with the version number of the current development cycle (ie. 12.0.0). + + +Add the OOM testing repo & Deploy +--------------------------------- +.. note:: + The testing helm charts for earlier releases are not fully supported. Test at your own risk. + +Add the repository: + +- To add the onap testing helm repo, execute the following:: + + > helm repo add onap-testing https://nexus3.onap.org/repository/onap-helm-testing/ + +.. note:: + The following helm command will deploy ONAP charts, with `all` OOM components enabled as per the onap-all.yml overrides file provided to the `-f` flag. + + To customize what applications are deployed, see the :ref:`oom_customize_overrides` section for more details, to provide your own custom overrides yaml file. + +- To deploy the latest charts, we need to target the repo added previously:: + + > helm deploy dev onap-testing/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange -f oom/kubernetes/onap/resources/overrides/onap-all.yaml + +This will deploy the latest testing version of the OOM helm charts. + + + diff --git a/docs/sections/guides/development_guides/oom_dev_config_management.rst b/docs/sections/guides/development_guides/oom_dev_config_management.rst new file mode 100644 index 0000000000..36a02dc85d --- /dev/null 
+++ b/docs/sections/guides/development_guides/oom_dev_config_management.rst 
@@ -0,0 +1,444 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung +.. Modification copyright (C) 2022 Nordix Foundation + +.. Links + +.. _oom_dev_config_management: + + +Configuration Management +######################## + +ONAP is a large system composed of many components - each of which are complex +systems in themselves - that needs to be deployed in a number of different +ways. For example, within a single operator's network there may be R&D +deployments under active development, pre-production versions undergoing system +testing and production systems that are operating live networks. Each of these +deployments will differ in significant ways, such as the version of the +software images deployed. In addition, there may be a number of application +specific configuration differences, such as operating system environment +variables. The following describes how the Helm configuration management +system is used within the OOM project to manage both ONAP infrastructure +configuration as well as ONAP components configuration. + +One of the artifacts that OOM/Kubernetes uses to deploy ONAP components is the +deployment specification, yet another yaml file. Within these deployment specs +are a number of parameters as shown in the following example: + +.. 
code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + labels: + app.kubernetes.io/name: zookeeper + helm.sh/chart: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/instance: onap-oof + name: onap-oof-zookeeper + namespace: onap + spec: + <...> + replicas: 3 + selector: + matchLabels: + app.kubernetes.io/name: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/instance: onap-oof + serviceName: onap-oof-zookeeper-headless + template: + metadata: + labels: + app.kubernetes.io/name: zookeeper + helm.sh/chart: zookeeper + app.kubernetes.io/component: server + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/instance: onap-oof + spec: + <...> + affinity: + containers: + - name: zookeeper + <...> + image: gcr.io/google_samples/k8szk:v3 + imagePullPolicy: Always + <...> + ports: + - containerPort: 2181 + name: client + protocol: TCP + - containerPort: 3888 + name: election + protocol: TCP + - containerPort: 2888 + name: server + protocol: TCP + <...> + +Note that within the statefulset specification, one of the container arguments +is the key/value pair image: gcr.io/google_samples/k8szk:v3 which +specifies the version of the zookeeper software to deploy. Although the +statefulset specifications greatly simplify statefulset, maintenance of the +statefulset specifications themselves become problematic as software versions +change over time or as different versions are required for different +statefulsets. For example, if the R&D team needs to deploy a newer version of +mariadb than what is currently used in the production environment, they would +need to clone the statefulset specification and change this value. Fortunately, +this problem has been solved with the templating capabilities of Helm. 
+ +The following example shows how the statefulset specifications are modified to +incorporate Helm templates such that key/value pairs can be defined outside of +the statefulset specifications and passed during instantiation of the component. + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . }} + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + {{- range $index, $port := .Values.service.ports }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + {{- range $index, $port := .Values.service.headlessPorts }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + <...> + +This version of the statefulset specification has gone through the process of +templating values that are likely to change between statefulsets. Note that the +image is now specified as: image: {{ .Values.image }} instead of a +string used previously. During the statefulset phase, Helm (actually the Helm +sub-component Tiller) substitutes the {{ .. }} entries with a variable defined +in a values.yaml file. The content of this file is as follows: + +.. 
code-block:: yaml + + <...> + image: gcr.io/google_samples/k8szk:v3 + replicaCount: 3 + <...> + + +Within the values.yaml file there is an image key with the value +`gcr.io/google_samples/k8szk:v3` which is the same value used in +the non-templated version. Once all of the substitutions are complete, the +resulting statefulset specification ready to be used by Kubernetes. + +When creating a template consider the use of default values if appropriate. +Helm templating has built in support for DEFAULT values, here is +an example: + +.. code-block:: yaml + + imagePullSecrets: + - name: "{{ .Values.nsPrefix | default "onap" }}-docker-registry-key" + +The pipeline operator ("|") used here hints at that power of Helm templates in +that much like an operating system command line the pipeline operator allow +over 60 Helm functions to be embedded directly into the template (note that the +Helm template language is a superset of the Go template language). These +functions include simple string operations like upper and more complex flow +control operations like if/else. + +OOM is mainly helm templating. In order to have consistent deployment of the +different components of ONAP, some rules must be followed. + +Templates are provided in order to create Kubernetes resources (Secrets, +Ingress, Services, ...) or part of Kubernetes resources (names, labels, +resources requests and limits, ...). + +a full list and simple description is done in +`kubernetes/common/common/documentation.rst`. + +Service template +---------------- + +In order to create a Service for a component, you have to create a file (with +`service` in the name. +For normal service, just put the following line: + +.. code-block:: yaml + + {{ include "common.service" . }} + +For headless service, the line to put is the following: + +.. code-block:: yaml + + {{ include "common.headlessService" . }} + +The configuration of the service is done in component `values.yaml`: + +.. 
code-block:: yaml + + service: + name: NAME-OF-THE-SERVICE + postfix: MY-POSTFIX + type: NodePort + annotations: + someAnnotationsKey: value + ports: + - name: tcp-MyPort + port: 5432 + nodePort: 88 + - name: http-api + port: 8080 + nodePort: 89 + - name: https-api + port: 9443 + nodePort: 90 + +`annotations` and `postfix` keys are optional. +if `service.type` is `NodePort`, then you have to give `nodePort` value for your +service ports (which is the end of the computed nodePort, see example). + +It would render the following Service Resource (for a component named +`name-of-my-component`, with version `x.y.z`, helm deployment name +`my-deployment` and `global.nodePortPrefix` `302`): + +.. code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + annotations: + someAnnotationsKey: value + name: NAME-OF-THE-SERVICE-MY-POSTFIX + labels: + app.kubernetes.io/name: name-of-my-component + helm.sh/chart: name-of-my-component-x.y.z + app.kubernetes.io/instance: my-deployment-name-of-my-component + app.kubernetes.io/managed-by: Tiller + spec: + ports: + - port: 5432 + targetPort: tcp-MyPort + nodePort: 30288 + - port: 8080 + targetPort: http-api + nodePort: 30289 + - port: 9443 + targetPort: https-api + nodePort: 30290 + selector: + app.kubernetes.io/name: name-of-my-component + app.kubernetes.io/instance: my-deployment-name-of-my-component + type: NodePort + +In the deployment or statefulSet file, you needs to set the good labels in +order for the service to match the pods. + +here's an example to be sure it matches (for a statefulSet): + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + selector: + matchLabels: {{- include "common.matchLabels" . 
| nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . }} + ports: + {{- range $index, $port := .Values.service.ports }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + {{- range $index, $port := .Values.service.headlessPorts }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + {{- end }} + <...> + +The configuration of the service is done in component `values.yaml`: + +.. code-block:: yaml + + service: + name: NAME-OF-THE-SERVICE + headless: + postfix: NONE + annotations: + anotherAnnotationsKey : value + publishNotReadyAddresses: true + headlessPorts: + - name: tcp-MyPort + port: 5432 + - name: http-api + port: 8080 + - name: https-api + port: 9443 + +`headless.annotations`, `headless.postfix` and +`headless.publishNotReadyAddresses` keys are optional. + +If `headless.postfix` is not set, then we'll add `-headless` at the end of the +service name. + +If it set to `NONE`, there will be not postfix. + +And if set to something, it will add `-something` at the end of the service +name. + +It would render the following Service Resource (for a component named +`name-of-my-component`, with version `x.y.z`, helm deployment name +`my-deployment` and `global.nodePortPrefix` `302`): + +.. 
code-block:: yaml + + apiVersion: v1 + kind: Service + metadata: + annotations: + anotherAnnotationsKey: value + name: NAME-OF-THE-SERVICE + labels: + app.kubernetes.io/name: name-of-my-component + helm.sh/chart: name-of-my-component-x.y.z + app.kubernetes.io/instance: my-deployment-name-of-my-component + app.kubernetes.io/managed-by: Tiller + spec: + clusterIP: None + ports: + - port: 5432 + targetPort: tcp-MyPort + nodePort: 30288 + - port: 8080 + targetPort: http-api + nodePort: 30289 + - port: 9443 + targetPort: https-api + nodePort: 30290 + publishNotReadyAddresses: true + selector: + app.kubernetes.io/name: name-of-my-component + app.kubernetes.io/instance: my-deployment-name-of-my-component + type: ClusterIP + +Previous example of StatefulSet would also match (except for the `postfix` part +obviously). + +Creating Deployment or StatefulSet +---------------------------------- + +Deployment and StatefulSet should use the `apps/v1` (which has appeared in +v1.9). +As seen on the service part, the following parts are mandatory: + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: StatefulSet + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + # serviceName is only needed for StatefulSet + # put the postfix part only if you have add a postfix on the service name + serviceName: {{ include "common.servicename" . }}-{{ .Values.service.postfix }} + <...> + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + annotations: {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + name: {{ include "common.name" . }} + spec: + <...> + containers: + - name: {{ include "common.name" . 
}} + +Dependency Management +--------------------- +These Helm charts describe the desired state +of an ONAP deployment and instruct the Kubernetes container manager as to how +to maintain the deployment in this state. These dependencies dictate the order +in-which the containers are started for the first time such that such +dependencies are always met without arbitrary sleep times between container +startups. For example, the SDC back-end container requires the Elastic-Search, +Cassandra and Kibana containers within SDC to be ready and is also dependent on +DMaaP (or the message-router) to be ready - where ready implies the built-in +"readiness" probes succeeded - before becoming fully operational. When an +initial deployment of ONAP is requested the current state of the system is NULL +so ONAP is deployed by the Kubernetes manager as a set of Docker containers on +one or more predetermined hosts. The hosts could be physical machines or +virtual machines. When deploying on virtual machines the resulting system will +be very similar to "Heat" based deployments, i.e. Docker containers running +within a set of VMs, the primary difference being that the allocation of +containers to VMs is done dynamically with OOM and statically with "Heat". +Example SO deployment descriptor file shows SO's dependency on its mariadb +data-base component: + +SO deployment specification excerpt: + +.. code-block:: yaml + + apiVersion: apps/v1 + kind: Deployment + metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{- include "common.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ .Release.Name }} + spec: + initContainers: + - command: + - /app/ready.py + args: + - --container-name + - so-mariadb + env: + ... \ No newline at end of file 
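Review bot: in the rendered headless Service example of oom_dev_config_management.rst, the spec has "clusterIP: None" and "type: ClusterIP", yet every port still carries a nodePort (30288, 30289, 30290). The headlessPorts values shown just above define no nodePort, and Kubernetes accepts nodePort only on NodePort or LoadBalancer services, so these three lines look copied from the NodePort example and should be dropped. Smaller points in the same file: the rendered labels and the prose refer to Tiller, which exists only in Helm 2, so please confirm that matches the Helm version the guide targets; "During the statefulset phase" and "greatly simplify statefulset" read like a search-and-replace of "deployment"; the mariadb sentence sits under a zookeeper example; "(with `service` in the name." never closes its parenthesis; the Dependency Management section opens with "These dependencies" before any dependency has been introduced; and the file ends without a trailing newline.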
diff --git a/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst b/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst new file mode 100644 index 0000000000..b137bff8b6 --- /dev/null +++ b/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst 
@@ -0,0 +1,366 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung +.. Modification copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes: https://Kubernetes.io/ +.. _AWS Elastic Block Store: https://aws.amazon.com/ebs/ +.. _Azure File: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction +.. _GCE Persistent Disk: https://cloud.google.com/compute/docs/disks/ +.. _Gluster FS: https://www.gluster.org/ +.. _Kubernetes Storage Class: https://Kubernetes.io/docs/concepts/storage/storage-classes/ +.. _Assigning Pods to Nodes: https://Kubernetes.io/docs/concepts/configuration/assign-pod-node/ + + +.. _oom_dev_container_orch: + +Kubernetes Container Orchestration +################################## + +The ONAP components are managed by the Kubernetes_ container management system +which maintains the desired state of the container system as described by one +or more deployment descriptors - similar in concept to OpenStack HEAT +Orchestration Templates. The following sections describe the fundamental +objects managed by Kubernetes, the network these components use to communicate +with each other and other entities outside of ONAP and the templates that +describe the configuration and desired state of the ONAP components. + +**Name Spaces** + +Within the namespaces are Kubernetes services that provide external +connectivity to pods that host Docker containers. + +ONAP Components to Kubernetes Object Relationships +-------------------------------------------------- +Kubernetes deployments consist of multiple objects: + +- **nodes** - a worker machine - either physical or virtual - that hosts + multiple containers managed by Kubernetes. +- **services** - an abstraction of a logical set of pods that provide a + micro-service. 
+- **pods** - one or more (but typically one) container(s) that provide specific + application functionality. +- **persistent volumes** - One or more permanent volumes need to be established + to hold non-ephemeral configuration and state data. + +The relationship between these objects is shown in the following figure: + +.. .. uml:: +.. +.. @startuml +.. node PH { +.. component Service { +.. component Pod0 +.. component Pod1 +.. } +.. } +.. +.. database PV +.. @enduml + +.. figure:: ../../resources/images/k8s/kubernetes_objects.png + +OOM uses these Kubernetes objects as described in the following sections. + +Nodes +~~~~~ +OOM works with both physical and virtual worker machines. + +* Virtual Machine Deployments - If ONAP is to be deployed onto a set of virtual + machines, the creation of the VMs is outside of the scope of OOM and could be + done in many ways, such as + + * manually, for example by a user using the OpenStack Horizon dashboard or + AWS EC2, or + * automatically, for example with the use of a OpenStack Heat Orchestration + Template which builds an ONAP stack, Azure ARM template, AWS CloudFormation + Template, or + * orchestrated, for example with Cloudify creating the VMs from a TOSCA + template and controlling their life cycle for the life of the ONAP + deployment. + +* Physical Machine Deployments - If ONAP is to be deployed onto physical + machines there are several options but the recommendation is to use Rancher + along with Helm to associate hosts with a Kubernetes cluster. + +Pods +~~~~ +A group of containers with shared storage and networking can be grouped +together into a Kubernetes pod. All of the containers within a pod are +co-located and co-scheduled so they operate as a single unit. Within ONAP +Amsterdam release, pods are mapped one-to-one to docker containers although +this may change in the future. As explained in the Services section below the +use of Pods within each ONAP component is abstracted from other ONAP +components. 
+ +Services +~~~~~~~~ +OOM uses the Kubernetes service abstraction to provide a consistent access +point for each of the ONAP components independent of the pod or container +architecture of that component. For example, the SDNC component may introduce +OpenDaylight clustering as some point and change the number of pods in this +component to three or more but this change will be isolated from the other ONAP +components by the service abstraction. A service can include a load balancer +on its ingress to distribute traffic between the pods and even react to dynamic +changes in the number of pods if they are part of a replica set. + +Persistent Volumes +~~~~~~~~~~~~~~~~~~ +To enable ONAP to be deployed into a wide variety of cloud infrastructures a +flexible persistent storage architecture, built on Kubernetes persistent +volumes, provides the ability to define the physical storage in a central +location and have all ONAP components securely store their data. + +When deploying ONAP into a public cloud, available storage services such as +`AWS Elastic Block Store`_, `Azure File`_, or `GCE Persistent Disk`_ are +options. Alternatively, when deploying into a private cloud the storage +architecture might consist of Fiber Channel, `Gluster FS`_, or iSCSI. Many +other storage options existing, refer to the `Kubernetes Storage Class`_ +documentation for a full list of the options. The storage architecture may vary +from deployment to deployment but in all cases a reliable, redundant storage +system must be provided to ONAP with which the state information of all ONAP +components will be securely stored. The Storage Class for a given deployment is +a single parameter listed in the ONAP values.yaml file and therefore is easily +customized. Operation of this storage system is outside the scope of the OOM. + +.. 
code-block:: yaml + + Insert values.yaml code block with storage block here + +Once the storage class is selected and the physical storage is provided, the +ONAP deployment step creates a pool of persistent volumes within the given +physical storage that is used by all of the ONAP components. ONAP components +simply make a claim on these persistent volumes (PV), with a persistent volume +claim (PVC), to gain access to their storage. + +The following figure illustrates the relationships between the persistent +volume claims, the persistent volumes, the storage class, and the physical +storage. + +.. graphviz:: + + digraph PV { + label = "Persistance Volume Claim to Physical Storage Mapping" + { + node [shape=cylinder] + D0 [label="Drive0"] + D1 [label="Drive1"] + Dx [label="Drivex"] + } + { + node [shape=Mrecord label="StorageClass:ceph"] + sc + } + { + node [shape=point] + p0 p1 p2 + p3 p4 p5 + } + subgraph clusterSDC { + label="SDC" + PVC0 + PVC1 + } + subgraph clusterSDNC { + label="SDNC" + PVC2 + } + subgraph clusterSO { + label="SO" + PVCn + } + PV0 -> sc + PV1 -> sc + PV2 -> sc + PVn -> sc + + sc -> {D0 D1 Dx} + PVC0 -> PV0 + PVC1 -> PV1 + PVC2 -> PV2 + PVCn -> PVn + + # force all of these nodes to the same line in the given order + subgraph { + rank = same; PV0;PV1;PV2;PVn;p0;p1;p2 + PV0->PV1->PV2->p0->p1->p2->PVn [style=invis] + } + + subgraph { + rank = same; D0;D1;Dx;p3;p4;p5 + D0->D1->p3->p4->p5->Dx [style=invis] + } + + } + +In-order for an ONAP component to use a persistent volume it must make a claim +against a specific persistent volume defined in the ONAP common charts. Note +that there is a one-to-one relationship between a PVC and PV. The following is +an excerpt from a component chart that defines a PVC: + +.. code-block:: yaml + + Insert PVC example here + +OOM Networking with Kubernetes +------------------------------ + +- DNS +- Ports - Flattening the containers also expose port conflicts between the + containers which need to be resolved. 
+ + +Pod Placement Rules +------------------- +OOM will use the rich set of Kubernetes node and pod affinity / +anti-affinity rules to minimize the chance of a single failure resulting in a +loss of ONAP service. Node affinity / anti-affinity is used to guide the +Kubernetes orchestrator in the placement of pods on nodes (physical or virtual +machines). For example: + +- if a container used Intel DPDK technology the pod may state that it as + affinity to an Intel processor based node, or +- geographical based node labels (such as the Kubernetes standard zone or + region labels) may be used to ensure placement of a DCAE complex close to the + VNFs generating high volumes of traffic thus minimizing networking cost. + Specifically, if nodes were pre-assigned labels East and West, the pod + deployment spec to distribute pods to these nodes would be: + +.. code-block:: yaml + + nodeSelector: + failure-domain.beta.Kubernetes.io/region: {{ .Values.location }} + +- "location: West" is specified in the `values.yaml` file used to deploy + one DCAE cluster and "location: East" is specified in a second `values.yaml` + file (see OOM Configuration Management for more information about + configuration files like the `values.yaml` file). + +Node affinity can also be used to achieve geographic redundancy if pods are +assigned to multiple failure domains. For more information refer to `Assigning +Pods to Nodes`_. + +.. note:: + One could use Pod to Node assignment to totally constrain Kubernetes when + doing initial container assignment to replicate the Amsterdam release + OpenStack Heat based deployment. Should one wish to do this, each VM would + need a unique node name which would be used to specify a node constaint + for every component. These assignment could be specified in an environment + specific values.yaml file. Constraining Kubernetes in this way is not + recommended. 
+ +Kubernetes has a comprehensive system called Taints and Tolerations that can be +used to force the container orchestrator to repel pods from nodes based on +static events (an administrator assigning a taint to a node) or dynamic events +(such as a node becoming unreachable or running out of disk space). There are +no plans to use taints or tolerations in the ONAP Beijing release. Pod +affinity / anti-affinity is the concept of creating a spacial relationship +between pods when the Kubernetes orchestrator does assignment (both initially +an in operation) to nodes as explained in Inter-pod affinity and anti-affinity. +For example, one might choose to co-located all of the ONAP SDC containers on a +single node as they are not critical runtime components and co-location +minimizes overhead. On the other hand, one might choose to ensure that all of +the containers in an ODL cluster (SDNC and APPC) are placed on separate nodes +such that a node failure has minimal impact to the operation of the cluster. +An example of how pod affinity / anti-affinity is shown below: + +Pod Affinity / Anti-Affinity + +.. 
code-block:: yaml + + apiVersion: v1 + kind: Pod + metadata: + name: with-pod-affinity + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: security + operator: In + values: + - S1 + topologyKey: failure-domain.beta.Kubernetes.io/zone + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: security + operator: In + values: + - S2 + topologyKey: Kubernetes.io/hostname + containers: + - name: with-pod-affinity + image: gcr.io/google_containers/pause:2.0 + +This example contains both podAffinity and podAntiAffinity rules, the first +rule is is a must (requiredDuringSchedulingIgnoredDuringExecution) while the +second will be met pending other considerations +(preferredDuringSchedulingIgnoredDuringExecution). Preemption Another feature +that may assist in achieving a repeatable deployment in the presence of faults +that may have reduced the capacity of the cloud is assigning priority to the +containers such that mission critical components have the ability to evict less +critical components. Kubernetes provides this capability with Pod Priority and +Preemption. Prior to having more advanced production grade features available, +the ability to at least be able to re-deploy ONAP (or a subset of) reliably +provides a level of confidence that should an outage occur the system can be +brought back on-line predictably. + +Health Checks +------------- + +Monitoring of ONAP components is configured in the agents within JSON files and +stored in gerrit under the consul-agent-config, here is an example from the AAI +model loader (aai-model-loader-health.json): + +.. 
code-block:: json + + { + "service": { + "name": "A&AI Model Loader", + "checks": [ + { + "id": "model-loader-process", + "name": "Model Loader Presence", + "script": "/consul/config/scripts/model-loader-script.sh", + "interval": "15s", + "timeout": "1s" + } + ] + } + } + +Liveness Probes +--------------- + +These liveness probes can simply check that a port is available, that a +built-in health check is reporting good health, or that the Consul health check +is positive. For example, to monitor the SDNC component has following liveness +probe can be found in the SDNC DB deployment specification: + +.. code-block:: yaml + + sdnc db liveness probe + + livenessProbe: + exec: + command: ["mysqladmin", "ping"] + initialDelaySeconds: 30 periodSeconds: 10 + timeoutSeconds: 5 + +The 'initialDelaySeconds' control the period of time between the readiness +probe succeeding and the liveness probe starting. 'periodSeconds' and +'timeoutSeconds' control the actual operation of the probe. Note that +containers are inherently ephemeral so the healing action destroys failed +containers and any state information within it. To avoid a loss of state, a +persistent volume should be used to store all data that needs to be persisted +over the re-creation of a container. Persistent volumes have been created for +the database components of each of the projects and the same technique can be +used for all persistent state information. \ No newline at end of file diff --git a/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst b/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst new file mode 100644 index 0000000000..533f60e29b --- /dev/null +++ b/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst 
@@ -0,0 +1,172 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung +.. Modification copyright (C) 2022 Nordix Foundation + +.. Links +.. _Helm Charts: https://artifacthub.io/packages/search +.. _aai: https://github.com/onap/oom/tree/master/kubernetes/aai +.. _name.tpl: https://github.com/onap/oom/blob/master/kubernetes/common/common/templates/_name.tpl +.. _namespace.tpl: https://github.com/onap/oom/blob/master/kubernetes/common/common/templates/_namespace.tpl + +.. _oom_helm_chart_info: + +Helm Charts +########### + +A Helm chart is a collection of files that describe a related set of Kubernetes +resources. A simple chart might be used to deploy something simple, like a +memcached pod, while a complex chart might contain many micro-service arranged +in a hierarchy as found in the `aai`_ ONAP component. + +Charts are created as files laid out in a particular directory tree, then they +can be packaged into versioned archives to be deployed. There is a public +archive of `Helm Charts`_ on ArtifactHUB that includes many technologies applicable +to ONAP. Some of these charts have been used in ONAP and all of the ONAP charts +have been created following the guidelines provided. + +An example structure of the OOM common helm charts is shown below: + +.. 
code-block:: bash + + common + ├── cassandra + │   ├── Chart.yaml + │   ├── resources + │   │   ├── config + │   │   │   └── docker-entrypoint.sh + │   │   ├── exec.py + │   │   └── restore.sh + │   ├── templates + │   │   ├── backup + │   │   │   ├── configmap.yaml + │   │   │   ├── cronjob.yaml + │   │   │   ├── pv.yaml + │   │   │   └── pvc.yaml + │   │   ├── configmap.yaml + │   │   ├── pv.yaml + │   │   ├── service.yaml + │   │   └── statefulset.yaml + │   └── values.yaml + ├── common + │   ├── Chart.yaml + │   ├── templates + │   │   ├── _createPassword.tpl + │   │   ├── _ingress.tpl + │   │   ├── _labels.tpl + │   │   ├── _mariadb.tpl + │   │   ├── _name.tpl + │   │   ├── _namespace.tpl + │   │   ├── _repository.tpl + │   │   ├── _resources.tpl + │   │   ├── _secret.yaml + │   │   ├── _service.tpl + │   │   ├── _storage.tpl + │   │   └── _tplValue.tpl + │   └── values.yaml + ├── ... + └── postgres-legacy +    ├── Chart.yaml + ├── charts + └── configs + +The common section of charts consists of a set of templates that assist with +parameter substitution (`name.tpl`_, `namespace.tpl`_, etc) and a set of +charts for components used throughout ONAP. When the common components are used +by other charts they are instantiated each time or we can deploy a shared +instances for several components. + +All of the ONAP components have charts that follow the pattern shown below: + +.. 
code-block:: bash + + name-of-my-component + ├── Chart.yaml + ├── component + │   └── subcomponent-folder + ├── charts + │   └── subchart-folder + ├── resources + │   ├── folder1 + │   │   ├── file1 + │   │   └── file2 + │   └── folder1 + │   ├── file3 + │   └── folder3 + │      └── file4 + ├── templates + │   ├── NOTES.txt + │   ├── configmap.yaml + │   ├── deployment.yaml + │   ├── ingress.yaml + │   ├── job.yaml + │   ├── secrets.yaml + │   └── service.yaml + └── values.yaml + +Note that the /components sub dir may include a hierarchy of sub +components and in themselves can be quite complex. + +You can use either `charts` or `components` folder for your subcomponents. +`charts` folder means that the subcomponent will always been deployed. + +`components` folders means we can choose if we want to deploy the subcomponent. + +This choice is done in root `values.yaml`: + +.. code-block:: yaml + + --- + global: + key: value + + component1: + enabled: true + component2: + enabled: true + +Then in `Chart.yaml` dependencies section, you'll use these values: + +.. code-block:: yaml + + --- + dependencies: + - name: common + version: ~x.y-0 + repository: '@local' + - name: component1 + version: ~x.y-0 + repository: 'file://components/component1' + condition: component1.enabled + - name: component2 + version: ~x.y-0 + repository: 'file://components/component2' + condition: component2.enabled + +Configuration of the components varies somewhat from component to component but +generally follows the pattern of one or more `configmap.yaml` files which can +directly provide configuration to the containers in addition to processing +configuration files stored in the `config` directory. It is the responsibility +of each ONAP component team to update these configuration files when changes +are made to the project containers that impact configuration. + +The following section describes how the hierarchical ONAP configuration system +is key to management of such a large system. 
+ + +.. MISC +.. ==== +.. Note that although OOM uses Kubernetes facilities to minimize the effort +.. required of the ONAP component owners to implement a successful rolling +.. upgrade strategy there are other considerations that must be taken into +.. consideration. +.. For example, external APIs - both internal and external to ONAP - should be +.. designed to gracefully accept transactions from a peer at a different +.. software version to avoid deadlock situations. Embedded version codes in +.. messages may facilitate such capabilities. +.. +.. Within each of the projects a new configuration repository contains all of +.. the project specific configuration artifacts. As changes are made within +.. the project, it's the responsibility of the project team to make appropriate +.. changes to the configuration data. diff --git a/docs/sections/guides/development_guides/oom_development.rst b/docs/sections/guides/development_guides/oom_development.rst new file mode 100644 index 0000000000..169e211450 --- /dev/null +++ b/docs/sections/guides/development_guides/oom_development.rst 
@@ -0,0 +1,64 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Helm: https://docs.helm.sh/ +.. _Helm Charts: https://github.com/kubernetes/charts +.. _Kubernetes: https://Kubernetes.io/ +.. _Docker: https://www.docker.com/ +.. _Nexus: https://nexus.onap.org/ + +.. _oom_dev_guide: + +OOM Developer Guide +################### + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +ONAP consists of a large number of components, each of which are substantial +projects within themselves, which results in a high degree of complexity in +deployment and management. To cope with this complexity the ONAP Operations +Manager (OOM) uses a Helm_ model of ONAP - Helm being the primary management +system for Kubernetes_ container systems - to drive all user driven life-cycle +management operations. The Helm model of ONAP is composed of a set of +hierarchical Helm charts that define the structure of the ONAP components and +the configuration of these components. These charts are fully parameterized +such that a single environment file defines all of the parameters needed to +deploy ONAP. A user of ONAP may maintain several such environment files to +control the deployment of ONAP in multiple environments such as development, +pre-production, and production. + + + +.. rubric:: Container Background + +Linux containers allow for an application and all of its operating system +dependencies to be packaged and deployed as a single unit without including a +guest operating system as done with virtual machines. The most popular +container solution is Docker_ which provides tools for container management +like the Docker Host (dockerd) which can create, run, stop, move, or delete a +container. 
Docker has a very popular registry of containers images that can be +used by any Docker system; however, in the ONAP context, Docker images are +built by the standard CI/CD flow and stored in Nexus_ repositories. OOM uses +the "standard" ONAP docker containers and three new ones specifically created +for OOM. + +Containers are isolated from each other primarily via name spaces within the +Linux kernel without the need for multiple guest operating systems. As such, +multiple containers can be deployed with little overhead such as all of ONAP +can be deployed on a single host. With some optimization of the ONAP components +(e.g. elimination of redundant database instances) it may be possible to deploy +ONAP on a single laptop computer. + +The following sections describe how the ONAP Helm charts are constructed. + +.. toctree:: + :maxdepth: 1 + + oom_dev_helm_chart_info.rst + oom_dev_config_management.rst + oom_dev_container_orchestration.rst + diff --git a/docs/sections/guides/infra_guides/oom_infra.rst b/docs/sections/guides/infra_guides/oom_infra.rst new file mode 100644 index 0000000000..5c1d1f1434 --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra.rst 
@@ -0,0 +1,33 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes: https://kubernetes.io/ + + +.. _oom_infra_guide: + +OOM Infrastructure Guide +======================== + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +OOM deploys and manages ONAP on a pre-established Kubernetes_ cluster - the +creation of this cluster is outside of the scope of the OOM project as there +are many options including public clouds with pre-established environments. +If creation of a Kubernetes cluster is required, the life-cycle of this +cluster is independent of the life-cycle of the ONAP components themselves. + +For more information about functionality and processes please refer to the +following documents: + +.. toctree:: + :maxdepth: 1 + + oom_infra_deployment_options.rst + oom_infra_deployment_requirements.rst + oom_infra_base_config_setup.rst + oom_infra_optional_addons.rst diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst new file mode 100644 index 0000000000..f25f4e716c --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst 
@@ -0,0 +1,408 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements +.. _helm installation guide: https://helm.sh/docs/intro/install/ +.. _kubectl installation guide: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ +.. _Curated applications for Kubernetes: https://github.com/kubernetes/charts +.. _Cert-Manager Installation documentation: https://cert-manager.io/docs/installation/kubernetes/ +.. _Cert-Manager kubectl plugin documentation: https://cert-manager.io/docs/usage/kubectl-plugin/ +.. _Strimzi Apache Kafka Operator helm Installation documentation: https://strimzi.io/docs/operators/in-development/deploying.html#deploying-cluster-operator-helm-chart-str +.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456 +.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ +.. _Gateway-API: https://gateway-api.sigs.k8s.io/ +.. _Istio-Gateway: https://istio.io/latest/docs/reference/config/networking/gateway/ +.. _DefaultStorageClass: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/ + +.. _oom_base_setup_guide: + +OOM Base Platform +================= + +As part of the initial base setup of the host Kubernetes cluster, +the following mandatory installation and configuration steps must be completed. + +.. contents:: + :backlinks: top + :depth: 1 + :local: +.. + +For additional platform add-ons, see the :ref:`oom_base_optional_addons` section. + +Install & configure kubectl +--------------------------- + +The Kubernetes command line interface used to manage a Kubernetes cluster needs to be installed +and configured to run as non root. 
+ +For additional information regarding kubectl installation and configuration see the `kubectl installation guide`_ + +To install kubectl, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > curl -LO https://dl.k8s.io/release/v/bin/linux/amd64/kubectl + + > chmod +x ./kubectl + + > sudo mv ./kubectl /usr/local/bin/kubectl + + > mkdir ~/.kube + + > cp kube_config_cluster.yml ~/.kube/config.onap + + > export KUBECONFIG=~/.kube/config.onap + + > kubectl config use-context onap + +Validate the installation:: + + > kubectl get nodes + +:: + + NAME STATUS ROLES AGE VERSION + onap-control-1 Ready controlplane,etcd 3h53m v1.27.5 + onap-control-2 Ready controlplane,etcd 3h53m v1.27.5 + onap-k8s-1 Ready worker 3h53m v1.27.5 + onap-k8s-2 Ready worker 3h53m v1.27.5 + onap-k8s-3 Ready worker 3h53m v1.27.5 + onap-k8s-4 Ready worker 3h53m v1.27.5 + onap-k8s-5 Ready worker 3h53m v1.27.5 + onap-k8s-6 Ready worker 3h53m v1.27.5 + + +Install & configure helm +------------------------ + +Helm is used for package and configuration management of the relevant helm charts. 
+For additional information, see the `helm installation guide`_ + +To install helm, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > wget https://get.helm.sh/helm-v-linux-amd64.tar.gz + + > tar -zxvf helm-v-linux-amd64.tar.gz + + > sudo mv linux-amd64/helm /usr/local/bin/helm + +Verify the helm version with:: + + > helm version + +Helm's default CNCF provided `Curated applications for Kubernetes`_ repository called +*stable* can be removed to avoid confusion:: + + > helm repo remove stable + +Install the additional OOM plugins required to un/deploy the OOM helm charts:: + + > git clone http://gerrit.onap.org/r/oom + + > helm plugin install ~/oom/kubernetes/helm/plugins/deploy + + > helm plugin install ~/oom/kubernetes/helm/plugins/undeploy + +Verify the plugins are installed:: + + > helm plugin ls + +:: + + NAME VERSION DESCRIPTION + deploy 1.0.0 install (upgrade if release exists) parent chart and all subcharts as separate but related releases + undeploy 1.0.0 delete parent chart and subcharts that were deployed as separate releases + +Set the default StorageClass +---------------------------- + +In some ONAP components it is important to have a default storageClass defined (e.g. cassandra), +if you don't want to explicitly set it during the deployment via helm overrides. + +Therefor you should set the default storageClass (if not done during the K8S cluster setup) via the command:: + + > kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + +see `DefaultStorageClass`_ + +Install the Strimzi Kafka Operator +---------------------------------- + +Strimzi Apache Kafka provides a way to run an Apache Kafka cluster on Kubernetes +in various deployment configurations by using kubernetes operators. +Operators are a method of packaging, deploying, and managing Kubernetes applications. 
+ +Strimzi Operators extend the Kubernetes functionality, automating common +and complex tasks related to a Kafka deployment. By implementing +knowledge of Kafka operations in code, the Kafka administration +tasks are simplified and require less manual intervention. + +The Strimzi cluster operator is deployed using helm to install the parent chart +containing all of the required custom resource definitions. This should be done +by a kubernetes administrator to allow for deployment of custom resources in to +any kubernetes namespace within the cluster. + +Full installation instructions can be found in the +`Strimzi Apache Kafka Operator helm Installation documentation`_. + +To add the required helm repository, execute the following:: + + > helm repo add strimzi https://strimzi.io/charts/ + +To install the strimzi kafka operator, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version --set watchAnyNamespace=true --create-namespace + +Verify the installation:: + + > kubectl get po -n strimzi-system + +:: + + NAME READY STATUS RESTARTS AGE + strimzi-cluster-operator-7f7d6b46cf-mnpjr 1/1 Running 0 2m + + +.. _oom_base_setup_cert_manager: + +Install Cert-Manager +-------------------- + +Cert-Manager is a native Kubernetes certificate management controller. +It can help with issuing certificates from a variety of sources, such as +Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, self +signed or external issuers. It ensures certificates are valid and up to +date, and attempt to renew certificates at a configured time before expiry. + +Cert-Manager is deployed using regular YAML manifests which include all +the needed resources (the CustomResourceDefinitions, cert-manager, +namespace, and the webhook component). 
+ +Full installation instructions, including details on how to configure extra +functionality in Cert-Manager can be found in the +`Cert-Manager Installation documentation`_. + +There is also a kubectl plugin (kubectl cert-manager) that can help you +to manage cert-manager resources inside your cluster. For installation +steps, please refer to `Cert-Manager kubectl plugin documentation`_. + + +To install cert-manager, execute the following, replacing the with the version defined +in the :ref:`versions_table` table:: + + > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v/cert-manager.yaml + +Verify the installation:: + + > kubectl get po -n cert-manager + +:: + + NAME READY STATUS RESTARTS AGE + cert-manager-776c4cfcb6-vgnpw 1/1 Running 0 2m + cert-manager-cainjector-7d9668978d-hdxf7 1/1 Running 0 2m + cert-manager-webhook-66c8f6c75-dxmtz 1/1 Running 0 2m + +Istio Service Mesh +------------------ + +.. note:: + The ONAP deployment supports the + `ONAP Next Generation Security & Logging Structure`_ + +ONAP is currenty supporting Istio as default ServiceMesh platform. +Therefor the following instructions describe the setup of Istio and required tools. +Used `Istio setup guide`_ + +.. 
_oom_base_optional_addons_istio_installation: + +Istio Platform Installation +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Install Istio Basic Platform +"""""""""""""""""""""""""""" + +- Configure the Helm repository:: + + > helm repo add istio https://istio-release.storage.googleapis.com/charts + + > helm repo update + +- Create a namespace for "mesh-level" configurations:: + + > kubectl create namespace istio-config + +- Create a namespace istio-system for Istio components:: + + > kubectl create namespace istio-system + +- Install the Istio Base chart which contains cluster-wide resources used by the + Istio control plane, replacing the with the version + defined in the :ref:`versions_table` table:: + + > helm upgrade -i istio-base istio/base -n istio-system --version + +- Create an override for istiod (e.g. istiod.yaml) to add the oauth2-proxy as external + authentication provider and apply some specific config settings + + .. collapse:: istiod.yaml + + .. include:: ../../resources/yaml/istiod.yaml + :code: yaml + +- Install the Istio Base Istio Discovery chart which deploys the istiod service, replacing the + with the version defined in the :ref:`versions_table` table:: + + > helm upgrade -i istiod istio/istiod -n istio-system --version + --wait -f ./istiod.yaml + +Add an EnvoyFilter for HTTP header case +""""""""""""""""""""""""""""""""""""""" + +When handling HTTP/1.1, Envoy will normalize the header keys to be all +lowercase. While this is compliant with the HTTP/1.1 spec, in practice this +can result in issues when migrating existing systems that might rely on +specific header casing. In our case a problem was detected in the SDC client +implementation, which relies on uppercase header values. 
To solve this problem +in general we add a EnvoyFilter to keep the uppercase header in the +istio-config namespace to apply for all namespaces, but set the context to +SIDECAR_INBOUND to avoid problems in the connection between Istio-Gateway and +Services + +- Create a EnvoyFilter file (e.g. envoyfilter-case.yaml) + + .. collapse:: envoyfilter-case.yaml + + .. include:: ../../resources/yaml/envoyfilter-case.yaml + :code: yaml + +- Apply the change to Istio:: + + > kubectl apply -f envoyfilter-case.yaml + + +Ingress Controller Installation +------------------------------- + +In the production setup 2 different Ingress setups are supported. + +- Gateway API `Gateway-API`_ (recommended) +- Istio Gateway `Istio-Gateway`_ (alternative, but in the future deprecated) + +Depending on the solution, the ONAP helm values.yaml has to be configured. +See the :ref:`OOM customized deployment` section for more details. + +Gateway-API (recommended) +^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Install the Gateway-API CRDs replacing the + with the version defined in + the :ref:`versions_table` table:: + + > kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download//experimental-install.yaml + +- Create a common Gateway instance named "common-gateway" + The following example uses provides listeners for HTTP(s), UDP and TCP + + .. collapse:: common-gateway.yaml + + .. include:: ../../resources/yaml/common-gateway.yaml + :code: yaml + +- Apply the change:: + + > kubectl apply -f common-gateway.yaml + +Istio Gateway (alternative) +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Create a namespace istio-ingress for the Istio Ingress gateway + and enable istio-injection:: + + > kubectl create namespace istio-ingress + + > kubectl label namespace istio-ingress istio-injection=enabled + +- To expose additional ports besides HTTP/S (e.g. for external Kafka access, SDNC-callhome) + create an override file (e.g. istio-ingress.yaml) + + .. collapse:: istio-ingress.yaml + + .. 
include:: ../../resources/yaml/istio-ingress.yaml + :code: yaml + +- Install the Istio Gateway chart using the override file, replacing the + with the version defined in + the :ref:`versions_table` table:: + + > helm upgrade -i istio-ingress istio/gateway -n istio-ingress + --version -f ingress-istio.yaml --wait + + +Keycloak Installation +--------------------- + +- Add helm repositories:: + + > helm repo add bitnami https://charts.bitnami.com/bitnami + + > helm repo add codecentric https://codecentric.github.io/helm-charts + + > helm repo update + +- create keycloak namespace:: + + > kubectl create namespace keycloak + > kubectl label namespace keycloak istio-injection=disabled + +Install Keycloak-Database +^^^^^^^^^^^^^^^^^^^^^^^^^ + +- To configure the Postgres DB + create an override file (e.g. keycloak-db-values.yaml) + + .. collapse:: keycloak-db-values.yaml + + .. include:: ../../resources/yaml/keycloak-db-values.yaml + :code: yaml + +- Install the Postgres DB:: + + > helm -n keycloak upgrade -i keycloak-db bitnami/postgresql --values ./keycloak-db-values.yaml + +Configure Keycloak +^^^^^^^^^^^^^^^^^^ + +- To configure the Keycloak instance + create an override file (e.g. keycloak-server-values.yaml) + + .. collapse:: keycloak-server-values.yaml + + .. include:: ../../resources/yaml/keycloak-server-values.yaml + :code: yaml + +- Install keycloak:: + + > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml + +The required Ingress entry and REALM will be provided by the ONAP "Platform" +component. + +- Create Ingress gateway entry for the keycloak web interface + using the configured Ingress (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: keycloak-ingress.yaml + + .. include:: ../../resources/yaml/keycloak-ingress.yaml + :code: yaml + +- Add the Ingress entry for Keycloak:: + + > kubectl -n keycloak apply -f keycloak-ingress.yaml + 
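Review bot: In "Install & configure helm" of oom_infra_base_config_setup.rst, `git clone http://gerrit.onap.org/r/oom` fetches over plain HTTP the repository whose `deploy` and `undeploy` plugins are installed by the next two `helm plugin install` commands, so the plugin code has no integrity protection in transit; please use `https://gerrit.onap.org/r/oom`. The plugin paths also assume the clone landed in `~/oom`, which the steps never state. Separately, in "Istio Gateway (alternative)" the override file is introduced as `istio-ingress.yaml` but the install command passes `-f ingress-istio.yaml`; the two names should match. Minor: "Therefor" (twice) and "currenty" are typos.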
diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst new file mode 100644 index 0000000000..3b198cf1d6 --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst @@ -0,0 +1,40 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes: https://kubernetes.io/ +.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/ +.. _kubelet config guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ + + + +ONAP Deployment Options +======================= + +OOM supports 2 different deployment options of ONAP. + +- Development Setup +- Production Setup + +In the following sections describe the different setups. + +Development setup +----------------- + +The development setup deploys ONAP components exposing its external services +via NodePorts and without TLS termination and internal traffic encryption. + +Production setup +---------------- + +The production setup deploys ONAP components exposing its external services +via Ingress with TLS termination. +Internal traffic encryption will be ensured by using Istio ServiceMesh. + +.. figure:: ../../resources/images/servicemesh/ServiceMesh.png + :align: center + +For external access we propose to establish Authentication via Oauth2-proxy +and Keycloak which is described in this document. diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst new file mode 100644 index 0000000000..4b2a7528cb --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst 
@@ -0,0 +1,74 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes: https://kubernetes.io/ +.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/ +.. _kubelet config guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ + + + +ONAP Deployment Requirements +============================ + +.. rubric:: Minimum Hardware Configuration + +Some recommended hardware requirements are provided below. Note that this is for a +full ONAP deployment (all components). + +.. table:: OOM Hardware Requirements + + ===== ===== ====== ==================== + RAM HD vCores Ports + ===== ===== ====== ==================== + 224GB 160GB 112 0.0.0.0/0 (all open) + ===== ===== ====== ==================== + +Customizing ONAP to deploy only components that are needed will drastically reduce these requirements. +See the :ref:`OOM customized deployment` section for more details. + +.. note:: + | Kubernetes supports a maximum of 110 pods per node - this can be overcome by modifying your kubelet config. + | See the `kubelet config guide`_ for more information. + + | The use of many small nodes is preferred over a few larger nodes (for example 14 x 16GB - 8 vCores each). + + | OOM can be deployed on a private set of physical hosts or VMs (or even a combination of the two). + +.. rubric:: Software Requirements + +The versions of software that are supported and tested by OOM are as follows: + +.. _versions_table: + +.. 
table:: OOM Software Requirements (base) + + ============== =========== ======= ======== ======== ============= ======== + Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi + ============== =========== ======= ======== ======== ============= ======== + London 1.23.8 3.8.2 1.23.x 20.10.x 1.12.2 0.35.0 + Montreal 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.36.1 + New Delhi 1.27.5 3.12.3 1.27.x 20.10.x 1.13.2 0.40.0 + ============== =========== ======= ======== ======== ============= ======== + +.. table:: OOM Software Requirements (production) + + ============== ====== ============ ============== + Release Istio Gateway-API Keycloak + ============== ====== ============ ============== + London 1.17.2 v0.6.2 19.0.3-legacy + Montreal 1.19.3 v1.0.0 19.0.3-legacy + New Delhi 1.19.3 v1.0.0 22.0.4 + ============== ====== ============ ============== + +.. table:: OOM Software Requirements (optional) + + ============== ================= ========== ================= + Release Prometheus Stack K8ssandra MariaDB-Operator + ============== ================= ========== ================= + London 45.x 1.6.1 + Montreal 45.x 1.10.2 0.23.1 + New Delhi 45.x 1.11.0 0.24.0 + ============== ================= ========== ================= diff --git a/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst new file mode 100644 index 0000000000..fb164bc5e6 --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst 
@@ -0,0 +1,199 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Prometheus stack README: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/README.md +.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456 +.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ +.. _Kiali setup guide: https://kiali.io/docs/installation/installation-guide/example-install/ +.. _Kserve setup guide: https://kserve.github.io/website/0.10/admin/kubernetes_deployment/ +.. _K8ssandra setup guide: https://docs.k8ssandra.io/install/ +.. _Mariadb-Operator setup guide: https://github.com/mariadb-operator/mariadb-operator +.. _Postgres-Operator setup guide: https://github.com/CrunchyData/postgres-operator + +.. _oom_base_optional_addons: + +OOM Optional Addons +=================== + +The following optional applications can be added to your kubernetes +environment. + +Install Prometheus Stack +------------------------ + +Prometheus is an open-source systems monitoring and alerting toolkit with +an active ecosystem. + +Kube Prometheus Stack is a collection of Kubernetes manifests, Grafana +dashboards, and Prometheus rules combined with documentation and scripts to +provide easy to operate end-to-end Kubernetes cluster monitoring with +Prometheus using the Prometheus Operator. As it includes both Prometheus +Operator and Grafana dashboards, there is no need to set up them separately. +See the `Prometheus stack README`_ for more information. 
+ +To install the prometheus stack, execute the following: + +- Add the prometheus-community Helm repository:: + + > helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +- Update your local Helm chart repository cache:: + + > helm repo update + +- To install prometheus, execute the following, replacing the with the version defined in the :ref:`versions_table` table:: + + > helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version= + + +Kiali Installation +------------------ + +Kiali is used to visualize the Network traffic in a ServiceMesh enabled cluster +For setup the kiali operator is used, see `Kiali setup guide`_ + +- Install kiali-operator namespace:: + + > kubectl create namespace kiali-operator + + > kubectl label namespace kiali-operator istio-injection=enabled + +- Install the kiali-operator:: + + > helm repo add kiali https://kiali.org/helm-charts + + > helm repo update kiali + + > helm install --namespace kiali-operator kiali/kiali-operator + +- Create Kiali CR file (e.g. kiali.yaml) + + .. collapse:: kiali.yaml + + .. include:: ../../resources/yaml/kiali.yaml + :code: yaml + +- Install kiali:: + + > kubectl apply -f kiali.yaml + +- Create Ingress gateway entry for the kiali web interface + using the configured Ingress (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: kiali-ingress.yaml + + .. include:: ../../resources/yaml/kiali-ingress.yaml + :code: yaml + +- Add the Ingress entry for Kiali:: + + > kubectl -n istio-system apply -f kiali-ingress.yaml + + +Jaeger Installation +------------------- + +To be done... 
+ +K8ssandra-Operator Installation +------------------------------- + +K8ssandra-Operator is used to ease the installation and lifecycle management +Cassandra clusters, including monitoring and backup + +For setup the K8ssandra operator is used, see `K8ssandra setup guide`_ + +- Install k8ssandra-operator namespace:: + + > kubectl create namespace k8ssandra-operator + + > kubectl label namespace k8ssandra-operator istio-injection=enabled + +- Install the k8ssandra-operator replacing the with the version defined in the :ref:`versions_table` table:: + + > helm repo add k8ssandra https://helm.k8ssandra.io/stable + + > helm repo update k8ssandra + + > helm install k8ssandra-operator --namespace k8ssandra-operator + k8ssandra/k8ssandra-operator --set global.clusterScoped=true + --version= + +Mariadb-Operator Installation +----------------------------- + +Mariadb-Operator is used to ease the installation and lifecycle management of +MariaDB Galera and Replication clusters, including monitoring and backup + +For setup the Mariadb-Operator is used, see `Mariadb-Operator setup guide`_ + +- Install mariadb-operator namespace:: + + > kubectl create namespace mariadb-operator + + > kubectl label namespace mariadb-operator istio-injection=enabled + +- Install the mariadb-operator replacing the with the version defined in the :ref:`versions_table` table:::: + + > helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator + + > helm repo update mariadb-operator + + > helm install mariadb-operator --namespace mariadb-operator + mariadb-operator/mariadb-operator --set ha.enabled=true + --set metrics.enabled=true --set webhook.certificate.certManager=true + --version= + +Postgres-Operator Installation +------------------------------ + +Postgres-Operator is used to ease the installation and lifecycle management of +Postgres DB clusters, including monitoring and backup + +For setup the Postgres-Operator is used, see `Postgres-Operator setup guide`_ + +Kserve 
Installation +------------------- + +KServe is a standard Model Inference Platform on Kubernetes. It supports +RawDeployment mode to enable InferenceService deployment with Kubernetes +resources. Comparing to serverless deployment it unlocks Knative limitations +such as mounting multiple volumes, on the other hand Scale down and from Zero +is not supported in RawDeployment mode. + +This installation is necessary for the ML models to be deployed as inference +service. Once deployed, the inference services can be queried for the +prediction. + +**Kserve participant component in Policy ACM requires this installation. Kserve participant deploy/undeploy inference services in Kserve.** + +Dependent component version compatibility details and installation instructions +can be found at `Kserve setup guide`_ + +Kserve installation requires the following components: + +- Istio. Its installation instructions can be found at :ref:`oom_base_optional_addons_istio_installation` + +- Cert-Manager. Its installation instructions can be found at :ref:`oom_base_setup_cert_manager` + +Installation instructions as follows, + +- Create kserve namespace:: + + > kubectl create namespace kserve + +- Install Kserve:: + + > kubectl apply -f https://github.com/kserve/kserve/releases/download/v/kserve.yaml + +- Install Kserve default serving runtimes:: + + > kubectl apply -f https://github.com/kserve/kserve/releases/download/v/kserve-runtimes.yaml + +- Patch ConfigMap inferenceservice-config as follows:: + + > kubectl patch configmap/inferenceservice-config -n kserve --type=strategic -p '{"data": {"deploy": "{\"defaultDeploymentMode\": \"RawDeployment\"}"}}' diff --git a/docs/sections/guides/user_guides/oom_user_guide.rst b/docs/sections/guides/user_guides/oom_user_guide.rst new file mode 100644 index 0000000000..d31c818d44 --- /dev/null +++ b/docs/sections/guides/user_guides/oom_user_guide.rst 
@@ -0,0 +1,569 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Curated applications for Kubernetes: https://github.com/kubernetes/charts +.. _Services: https://kubernetes.io/docs/concepts/services-networking/service/ +.. _ReplicaSet: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ +.. _StatefulSet: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ +.. _Helm Documentation: https://docs.helm.sh/helm/ +.. _Helm: https://docs.helm.sh/ +.. _Kubernetes: https://Kubernetes.io/ +.. _Kubernetes LoadBalancer: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer +.. _user-guide-label: + + +.. _oom_user_guide: + + +OOM User Guide +############## + +.. warning:: + + **THIS PAGE NEEDS TO BE EITHER REWRITTEN OR SOMETHING AS SOME INFO IS NO LONGER RELEVANT** + +The ONAP Operations Manager (OOM) provide the ability to manage the entire +life-cycle of an ONAP installation, from the initial deployment to final +decommissioning. This guide provides instructions for users of ONAP to +use the Kubernetes_/Helm_ system as a complete ONAP management system. + +This guide provides many examples of Helm command line operations. For a +complete description of these commands please refer to the `Helm +Documentation`_. + +.. 
figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +The following sections describe the life-cycle operations: + +- Deploy_ - with built-in component dependency management +- Configure_ - unified configuration across all ONAP components +- Monitor_ - real-time health monitoring feeding to a Consul UI and Kubernetes +- Heal_- failed ONAP containers are recreated automatically +- Scale_ - cluster ONAP services to enable seamless scaling +- Upgrade_ - change-out containers or configuration with little or no service impact +- Delete_ - cleanup individual containers or entire deployments + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-Deploy.png + :align: right + +Deploy +====== + +The OOM team with assistance from the ONAP project teams, have built a +comprehensive set of Helm charts, yaml files very similar to TOSCA files, that +describe the composition of each of the ONAP components and the relationship +within and between components. Using this model Helm is able to deploy all of +ONAP with a few simple commands. + +Please refer to the :ref:`oom_deploy_guide` for deployment pre-requisites and options + +.. note:: + Refer to the :ref:`oom_customize_overrides` section on how to update overrides.yaml and values.yaml + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-Configure.png + :align: right + +Configure +========= + +Each project within ONAP has its own configuration data generally consisting +of: environment variables, configuration files, and database initial values. +Many technologies are used across the projects resulting in significant +operational complexity and an inability to apply global parameters across the +entire ONAP deployment. OOM solves this problem by introducing a common +configuration technology, Helm charts, that provide a hierarchical +configuration with the ability to override values with higher +level charts or command line options. 
+ +The structure of the configuration of ONAP is shown in the following diagram. +Note that key/value pairs of a parent will always take precedence over those +of a child. Also note that values set on the command line have the highest +precedence of all. + +.. graphviz:: + + digraph config { + { + node [shape=folder] + oValues [label="values.yaml"] + demo [label="onap-demo.yaml"] + prod [label="onap-production.yaml"] + oReq [label="Chart.yaml"] + soValues [label="values.yaml"] + soReq [label="Chart.yaml"] + mdValues [label="values.yaml"] + } + { + oResources [label="resources"] + } + onap -> oResources + onap -> oValues + oResources -> environments + oResources -> oReq + oReq -> so + environments -> demo + environments -> prod + so -> soValues + so -> soReq + so -> charts + charts -> mariadb + mariadb -> mdValues + + } + +The top level onap/values.yaml file contains the values required to be set +before deploying ONAP. Here is the contents of this file: + +.. collapse:: Default ONAP values.yaml + + .. include:: ../../../../kubernetes/onap/values.yaml + :code: yaml + +| + + +One may wish to create a value file that is specific to a given deployment such +that it can be differentiated from other deployments. For example, a +onap-development.yaml file may create a minimal environment for development +while onap-production.yaml might describe a production deployment that operates +independently of the developer version. + +For example, if the production OpenStack instance was different from a +developer's instance, the onap-production.yaml file may contain a different +value for the vnfDeployment/openstack/oam_network_cidr key as shown below. + +.. 
code-block:: yaml + + nsPrefix: onap + nodePortPrefix: 302 + apps: consul msb mso message-router sdnc vid robot portal policy appc aai + sdc dcaegen2 log cli multicloud clamp vnfsdk aaf kube2msb + dataRootDir: /dockerdata-nfs + + # docker repositories + repository: + onap: nexus3.onap.org:10001 + oom: oomk8s + aai: aaionap + filebeat: docker.elastic.co + + image: + pullPolicy: Never + + # vnf deployment environment + vnfDeployment: + openstack: + ubuntu_14_image: "Ubuntu_14.04.5_LTS" + public_net_id: "e8f51956-00dd-4425-af36-045716781ffc" + oam_network_id: "d4769dfb-c9e4-4f72-b3d6-1d18f4ac4ee6" + oam_subnet_id: "191f7580-acf6-4c2b-8ec0-ba7d99b3bc4e" + oam_network_cidr: "192.168.30.0/24" + <...> + + +To deploy ONAP with this environment file, enter:: + + > helm deploy local/onap -n onap -f onap/resources/environments/onap-production.yaml --set global.masterPassword=password + + +.. collapse:: Default ONAP values.yaml + + .. include:: ../../resources/yaml/environments_onap_demo.yaml + :code: yaml + +| + +When deploying all of ONAP, the dependencies section of the Chart.yaml file +controls which and what version of the ONAP components are included. +Here is an excerpt of this file: + +.. code-block:: yaml + + dependencies: + <...> + - name: so + version: ~12.0.0 + repository: '@local' + condition: so.enabled + <...> + +The ~ operator in the `so` version value indicates that the latest "10.X.X" +version of `so` shall be used thus allowing the chart to allow for minor +upgrades that don't impact the so API; hence, version 10.0.1 will be installed +in this case. + +The onap/resources/environment/dev.yaml (see the excerpt below) enables +for fine grained control on what components are included as part of this +deployment. By changing this `so` line to `enabled: false` the `so` component +will not be deployed. If this change is part of an upgrade the existing `so` +component will be shut down. 
Other `so` parameters and even `so` child values +can be modified, for example the `so`'s `liveness` probe could be disabled +(which is not recommended as this change would disable auto-healing of `so`). + +.. code-block:: yaml + + ################################################################# + # Global configuration overrides. + # + # These overrides will affect all helm charts (ie. applications) + # that are listed below and are 'enabled'. + ################################################################# + global: + <...> + + ################################################################# + # Enable/disable and configure helm charts (ie. applications) + # to customize the ONAP deployment. + ################################################################# + aaf: + enabled: false + <...> + so: # Service Orchestrator + enabled: true + + replicaCount: 1 + + liveness: + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + + <...> + + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-Monitor.png + :align: right + +Monitor +======= + +All highly available systems include at least one facility to monitor the +health of components within the system. Such health monitors are often used as +inputs to distributed coordination systems (such as etcd, Zookeeper, or Consul) +and monitoring systems (such as Nagios or Zabbix). OOM provides two mechanisms +to monitor the real-time health of an ONAP deployment: + +- a Consul GUI for a human operator or downstream monitoring systems and + Kubernetes liveness probes that enable automatic healing of failed + containers, and +- a set of liveness probes which feed into the Kubernetes manager which + are described in the Heal section. 
+ +Within ONAP, Consul is the monitoring system of choice and deployed by OOM in +two parts: + +- a three-way, centralized Consul server cluster is deployed as a highly + available monitor of all of the ONAP components, and +- a number of Consul agents. + +The Consul server provides a user interface that allows a user to graphically +view the current health status of all of the ONAP components for which agents +have been created - a sample from the ONAP Integration labs follows: + +.. figure:: ../../resources/images/consul/consulHealth.png + :align: center + +To see the real-time health of a deployment go to: ``http://:30270/ui/`` +where a GUI much like the following will be found: + +.. note:: + If Consul GUI is not accessible, you can refer this + `kubectl port-forward `_ method to access an application + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-Heal.png + :align: right + +Heal +==== + +The ONAP deployment is defined by Helm charts as mentioned earlier. These Helm +charts are also used to implement automatic recoverability of ONAP components +when individual components fail. Once ONAP is deployed, a "liveness" probe +starts checking the health of the components after a specified startup time. + +Should a liveness probe indicate a failed container it will be terminated and a +replacement will be started in its place - containers are ephemeral. Should the +deployment specification indicate that there are one or more dependencies to +this container or component (for example a dependency on a database) the +dependency will be satisfied before the replacement container/component is +started. This mechanism ensures that, after a failure, all of the ONAP +components restart successfully. 
+ +To test healing, the following command can be used to delete a pod:: + + > kubectl delete pod [pod name] -n [pod namespace] + +One could then use the following command to monitor the pods and observe the +pod being terminated and the service being automatically healed with the +creation of a replacement pod:: + + > kubectl get pods --all-namespaces -o=wide + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-Scale.png + :align: right + +Scale +===== + +Many of the ONAP components are horizontally scalable which allows them to +adapt to expected offered load. During the Beijing release scaling is static, +that is during deployment or upgrade a cluster size is defined and this cluster +will be maintained even in the presence of faults. The parameter that controls +the cluster size of a given component is found in the values.yaml file for that +component. Here is an excerpt that shows this parameter: + +.. code-block:: yaml + + # default number of instances + replicaCount: 1 + +In order to change the size of a cluster, an operator could use a helm upgrade +(described in detail in the next section) as follows:: + + > helm upgrade [RELEASE] [CHART] [flags] + +The RELEASE argument can be obtained from the following command:: + + > helm list + +Below is the example for the same:: + + > helm list + NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE + dev 1 Wed Oct 14 13:49:52 2020 DEPLOYED onap-12.0.0 london onap + dev-cassandra 5 Thu Oct 15 14:45:34 2020 DEPLOYED cassandra-12.0.0 onap + dev-contrib 1 Wed Oct 14 13:52:53 2020 DEPLOYED contrib-12.0.0 onap + dev-mariadb-galera 1 Wed Oct 14 13:55:56 2020 DEPLOYED mariadb-galera-12.0.0 onap + +Here the Name column shows the RELEASE NAME, In our case we want to try the +scale operation on cassandra, thus the RELEASE NAME would be dev-cassandra. + +Now we need to obtain the chart name for cassandra. 
Use the below +command to get the chart name:: + + > helm search cassandra + +Below is the example for the same:: + + > helm search cassandra + NAME CHART VERSION APP VERSION DESCRIPTION + local/cassandra 12.0.0 ONAP cassandra + local/portal-cassandra 12.0.0 Portal cassandra + local/aaf-cass 12.0.0 ONAP AAF cassandra + local/sdc-cs 12.0.0 ONAP Service Design and Creation Cassandra + +Here the Name column shows the chart name. As we want to try the scale +operation for cassandra, thus the corresponding chart name is local/cassandra + + +Now we have both the command's arguments, thus we can perform the +scale operation for cassandra as follows:: + + > helm upgrade dev-cassandra local/cassandra --set replicaCount=3 + +Using this command we can scale up or scale down the cassandra db instances. + + +The ONAP components use Kubernetes provided facilities to build clustered, +highly available systems including: Services_ with load-balancers, ReplicaSet_, +and StatefulSet_. Some of the open-source projects used by the ONAP components +directly support clustered configurations, for example ODL and MariaDB Galera. + +The Kubernetes Services_ abstraction to provide a consistent access point for +each of the ONAP components, independent of the pod or container architecture +of that component. For example, SDN-C uses OpenDaylight clustering with a +default cluster size of three but uses a Kubernetes service to and change the +number of pods in this abstract this cluster from the other ONAP components +such that the cluster could change size and this change is isolated from the +other ONAP components by the load-balancer implemented in the ODL service +abstraction. + +A ReplicaSet_ is a construct that is used to describe the desired state of the +cluster. For example 'replicas: 3' indicates to Kubernetes that a cluster of 3 +instances is the desired state. Should one of the members of the cluster fail, +a new member will be automatically started to replace it. 
+ +Some of the ONAP components many need a more deterministic deployment; for +example to enable intra-cluster communication. For these applications the +component can be deployed as a Kubernetes StatefulSet_ which will maintain a +persistent identifier for the pods and thus a stable network id for the pods. +For example: the pod names might be web-0, web-1, web-{N-1} for N 'web' pods +with corresponding DNS entries such that intra service communication is simple +even if the pods are physically distributed across multiple nodes. An example +of how these capabilities can be used is described in the Running Consul on +Kubernetes tutorial. + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-Upgrade.png + :align: right + +Upgrade +======= + +Helm has built-in capabilities to enable the upgrade of pods without causing a +loss of the service being provided by that pod or pods (if configured as a +cluster). As described in the OOM Developer's Guide, ONAP components provide +an abstracted 'service' end point with the pods or containers providing this +service hidden from other ONAP components by a load balancer. This capability +is used during upgrades to allow a pod with a new image to be added to the +service before removing the pod with the old image. This 'make before break' +capability ensures minimal downtime. + +Prior to doing an upgrade, determine of the status of the deployed charts:: + + > helm list + NAME REVISION UPDATED STATUS CHART NAMESPACE + so 1 Mon Feb 5 10:05:22 2020 DEPLOYED so-12.0.0 onap + +When upgrading a cluster a parameter controls the minimum size of the cluster +during the upgrade while another parameter controls the maximum number of nodes +in the cluster. 
For example, SNDC configured as a 3-way ODL cluster might +require that during the upgrade no fewer than 2 pods are available at all times +to provide service while no more than 5 pods are ever deployed across the two +versions at any one time to avoid depleting the cluster of resources. In this +scenario, the SDNC cluster would start with 3 old pods then Kubernetes may add +a new pod (3 old, 1 new), delete one old (2 old, 1 new), add two new pods (2 +old, 3 new) and finally delete the 2 old pods (3 new). During this sequence +the constraints of the minimum of two pods and maximum of five would be +maintained while providing service the whole time. + +Initiation of an upgrade is triggered by changes in the Helm charts. For +example, if the image specified for one of the pods in the SDNC deployment +specification were to change (i.e. point to a new Docker image in the nexus3 +repository - commonly through the change of a deployment variable), the +sequence of events described in the previous paragraph would be initiated. + +For example, to upgrade a container by changing configuration, specifically an +environment value:: + + > helm upgrade so onap/so --version 12.0.1 --set enableDebug=true + +Issuing this command will result in the appropriate container being stopped by +Kubernetes and replaced with a new container with the new environment value. + +To upgrade a component to a new version with a new configuration file enter:: + + > helm upgrade so onap/so --version 12.0.1 -f environments/demo.yaml + +To fetch release history enter:: + + > helm history so + REVISION UPDATED STATUS CHART DESCRIPTION + 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-12.0.0 Install complete + 2 Mon Jul 5 10:10:55 2022 DEPLOYED so-12.0.1 Upgrade complete + +Unfortunately, not all upgrades are successful. 
In recognition of this the +lineup of pods within an ONAP deployment is tagged such that an administrator +may force the ONAP deployment back to the previously tagged configuration or to +a specific configuration, say to jump back two steps if an incompatibility +between two ONAP components is discovered after the two individual upgrades +succeeded. + +This rollback functionality gives the administrator confidence that in the +unfortunate circumstance of a failed upgrade the system can be rapidly brought +back to a known good state. This process of rolling upgrades while under +service is illustrated in this short YouTube video showing a Zero Downtime +Upgrade of a web application while under a 10 million transaction per second +load. + +For example, to roll-back back to previous system revision enter:: + + > helm rollback so 1 + + > helm history so + REVISION UPDATED STATUS CHART DESCRIPTION + 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-12.0.0 Install complete + 2 Mon Jul 5 10:10:55 2022 SUPERSEDED so-12.0.1 Upgrade complete + 3 Mon Jul 5 10:14:32 2022 DEPLOYED so-12.0.0 Rollback to 1 + +.. note:: + + The description field can be overridden to document actions taken or include + tracking numbers. + +Many of the ONAP components contain their own databases which are used to +record configuration or state information. The schemas of these databases may +change from version to version in such a way that data stored within the +database needs to be migrated between versions. If such a migration script is +available it can be invoked during the upgrade (or rollback) by Container +Lifecycle Hooks. Two such hooks are available, PostStart and PreStop, which +containers can access by registering a handler against one or both. Note that +it is the responsibility of the ONAP component owners to implement the hook +handlers - which could be a shell script or a call to a specific container HTTP +endpoint - following the guidelines listed on the Kubernetes site. 
Lifecycle +hooks are not restricted to database migration or even upgrades but can be used +anywhere specific operations need to be taken during lifecycle operations. + +OOM uses Helm K8S package manager to deploy ONAP components. Each component is +arranged in a packaging format called a chart - a collection of files that +describe a set of k8s resources. Helm allows for rolling upgrades of the ONAP +component deployed. To upgrade a component Helm release you will need an +updated Helm chart. The chart might have modified, deleted or added values, +deployment yamls, and more. To get the release name use:: + + > helm ls + +To easily upgrade the release use:: + + > helm upgrade [RELEASE] [CHART] + +To roll back to a previous release version use:: + + > helm rollback [flags] [RELEASE] [REVISION] + +For example, to upgrade the onap-so helm release to the latest SO container +release v1.1.2: + +- Edit so values.yaml which is part of the chart +- Change "so: nexus3.onap.org:10001/openecomp/so:v1.1.1" to + "so: nexus3.onap.org:10001/openecomp/so:v1.1.2" +- From the chart location run:: + + > helm upgrade onap-so + +The previous so pod will be terminated and a new so pod with an updated so +container will be created. + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-Delete.png + :align: right + +Delete +====== + +Existing deployments can be partially or fully removed once they are no longer +needed. To minimize errors it is recommended that before deleting components +from a running deployment the operator perform a 'dry-run' to display exactly +what will happen with a given command prior to actually deleting anything. +For example:: + + > helm undeploy onap --dry-run + +will display the outcome of deleting the 'onap' release from the +deployment. 
+To completely delete a release and remove it from the internal store enter:: + + > helm undeploy onap + +Once complete undeploy is done then delete the namespace as well +using following command:: + + > kubectl delete namespace + +.. note:: + You need to provide the namespace name which you used during deployment, + below is the example:: + + > kubectl delete namespace onap + +One can also remove individual components from a deployment by changing the +ONAP configuration values. For example, to remove `so` from a running +deployment enter:: + + > helm undeploy onap-so + +will remove `so` as the configuration indicates it's no longer part of the +deployment. This might be useful if a one wanted to replace just `so` by +installing a custom version. diff --git a/docs/sections/oom_project_description.rst b/docs/sections/oom_project_description.rst new file mode 100644 index 0000000000..774237946d --- /dev/null +++ b/docs/sections/oom_project_description.rst 
@@ -0,0 +1,104 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung +.. Modification copyright (C) 2022 Nordix Foundation + +.. _oom_project_description: + +ONAP Operations Manager Project +############################### + +.. warning:: + + THIS PAGE PROB NEEDS A REWRITE AS IT IS OUTDATED + +The ONAP Operations Manager (OOM) is responsible for life-cycle management of +the ONAP platform itself; components such as SO, SDNC, etc. It is not +responsible for the management of services, VNFs or infrastructure instantiated +by ONAP or used by ONAP to host such services or VNFs. OOM uses the open-source +Kubernetes container management system as a means to manage the Docker +containers that compose ONAP where the containers are hosted either directly on +bare-metal servers or on VMs hosted by a 3rd party management system. OOM +ensures that ONAP is easily deployable and maintainable throughout its life +cycle while using hardware resources efficiently. + +.. figure:: resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +In summary OOM provides the following capabilities: + +- **Deploy** - with built-in component dependency management +- **Configure** - unified configuration across all ONAP components +- **Monitor** - real-time health monitoring feeding to a Consul UI and + Kubernetes +- **Heal**- failed ONAP containers are recreated automatically +- **Scale** - cluster ONAP services to enable seamless scaling +- **Upgrade** - change-out containers or configuration with little or no + service impact +- **Delete** - cleanup individual containers or entire deployments + +OOM supports a wide variety of Kubernetes private clouds - built with ClusterAPI, +Kubespray - and public cloud infrastructures such as: Microsoft +Azure, Amazon AWS, Google GCD, VMware VIO, and OpenStack. 
+ +The OOM documentation is broken into four different areas each targeted at a +different user: + +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications + +The :ref:`release_notes` for OOM describe the incremental features per release. + +Component Orchestration Overview +================================ +Multiple technologies, templates, and extensible plug-in frameworks are used in +ONAP to orchestrate platform instances of software component artifacts. A few +standard configurations are provide that may be suitable for test, development, +and some production deployments by substitution of local or platform wide +parameters. Larger and more automated deployments may require integration the +component technologies, templates, and frameworks with a higher level of +automated orchestration and control software. Design guidelines are provided to +insure the component level templates and frameworks can be easily integrated +and maintained. The following diagram provides an overview of these with links +to examples and templates for describing new ones. + +.. 
graphviz:: + + digraph COO { + rankdir="LR"; + + { + node [shape=folder] + oValues [label="values"] + cValues [label="values"] + comValues [label="values"] + sValues [label="values"] + oCharts [label="charts"] + cCharts [label="charts"] + comCharts [label="charts"] + sCharts [label="charts"] + blueprint [label="TOSCA blueprint"] + } + {oom [label="ONAP Operations Manager"]} + {hlo [label="High Level Orchestrator"]} + + + hlo -> blueprint + hlo -> oom + oom -> oValues + oom -> oCharts + oom -> component + oom -> common + common -> comValues + common -> comCharts + component -> cValues + component -> cCharts + component -> subcomponent + subcomponent -> sValues + subcomponent -> sCharts + blueprint -> component + } diff --git a/docs/release_notes/release-notes-amsterdam.rst b/docs/sections/release_notes/release-notes-amsterdam.rst similarity index 100% rename from docs/release_notes/release-notes-amsterdam.rst rename to docs/sections/release_notes/release-notes-amsterdam.rst diff --git a/docs/release_notes/release-notes-beijing.rst b/docs/sections/release_notes/release-notes-beijing.rst similarity index 100% rename from docs/release_notes/release-notes-beijing.rst rename to docs/sections/release_notes/release-notes-beijing.rst diff --git a/docs/release_notes/release-notes-casablanca.rst b/docs/sections/release_notes/release-notes-casablanca.rst similarity index 100% rename from docs/release_notes/release-notes-casablanca.rst rename to docs/sections/release_notes/release-notes-casablanca.rst diff --git a/docs/release_notes/release-notes-dublin.rst b/docs/sections/release_notes/release-notes-dublin.rst similarity index 100% rename from docs/release_notes/release-notes-dublin.rst rename to docs/sections/release_notes/release-notes-dublin.rst 
diff --git a/docs/release_notes/release-notes-elalto.rst b/docs/sections/release_notes/release-notes-elalto.rst similarity index 100% rename from docs/release_notes/release-notes-elalto.rst rename to docs/sections/release_notes/release-notes-elalto.rst diff --git a/docs/sections/release_notes/release-notes-frankfurt.rst b/docs/sections/release_notes/release-notes-frankfurt.rst new file mode 100644 index 0000000000..c0374a6dd8 --- /dev/null +++ b/docs/sections/release_notes/release-notes-frankfurt.rst 
@@ -0,0 +1,152 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_frankfurt: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Frankfurt release. + +Summary +======= + +The focus of this release is to strengthen the foundation of OOM installer. + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Frankfurt | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2020/06/15 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Ingress deployment is getting more and more usable +* Use of dynamic Persistent Volume is available + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/10826 + +**Known Issues** + +- `OOM-1237 `_ Source Helm Charts from + ONAP Repo. Having helm charts repo is not possible for Frankfurt release. +- `OOM-1720 `_ galera container is + outdated. containers used for mariadb are outdated and not supported anymore. +- `OOM-1817 `_ Use of global.repository + inconsistent across Helm Charts. it's then may be hard to retrieve some + containers when deploying in constrained environment. 
+- `OOM-2075 `_ Invalid MTU for Canal CNI + interfaces +- `OOM-2227 `_ Cassandra Backup Mechanism + works only on "static PV" mode. +- `OOM-2230 `_ Missing requests/limits + for some PODS. This can lead to "memory bombing" so cautious monitoring of + Kubernetes resources usage must be set up. +- `OOM-2279 `_ OOM El Alto and master + clamp mariadb resources doesn't match chart. +- `OOM-2285 `_ deploy.sh does not work + for mariadb-galera. deploy script doesn't behave well with "-" in the + component name. +- `OOM-2369 `_ DMAAP Helm install takes + too long and often fails. +- `OOM-2418 `_ Readiness-check 2.0.2 not + working properly for stateful set. +- `OOM-2421 `_ OOM NBI chart deployment + error. In some case, NBI deployment fails. +- `OOM-2422 `_ Portal App is unreachable + when deploying without HTTPs + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +Workarounds +----------- + +- `OOM-1237 `_ Workaround is to generate + them as explained in documentation. +- `OOM-1817 `_ Workaround is to use + offline installer if needed. +- `OOM-2227 `_ Workaround is to stick to + "static PV" (so, not using storage class) if backup is needed. +- `OOM-2285 `_ Workaround is to use + directly helm upgrade if needed. +- `OOM-2369 `_ Workaround is to play + postinstall jobs by hand. +- `OOM-2418 `_ Workaround is to use + version 2.2.2 in global part of override file if the new check is needed. +- `OOM-2421 `_ Workaround is to + undeploy/redeploy NBI. +- `OOM-2422 `_ Workaround is to create + first portal app service with service type Cluster IP then changing it to + NodePort or LoadBalancer so all the port are available. 
+ +Security Notes +-------------- + +**Fixed Security Issues** + +- In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside + of cluster. [`OJSI-134 `_] +- CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 + [`OJSI-202 `_] + +References +========== + +For more information on the ONAP Frankfurt release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-guilin.rst b/docs/sections/release_notes/release-notes-guilin.rst new file mode 100644 index 0000000000..e8fda544c2 --- /dev/null +++ b/docs/sections/release_notes/release-notes-guilin.rst 
@@ -0,0 +1,142 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_guilin: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Guilin release. + +Summary +======= + +The focus of this release is to strengthen the foundation of OOM installer. + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Guilin | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2020/12/03 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.19 +* Helm (experimental) support for version up to 3.3 +* Limits are set for most of the components + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/10826 + +**Known Issues** + +- `OOM-1237 `_ Source Helm Charts from + ONAP Repo. Having helm charts repo is not possible for Frankfurt release. +- `OOM-1720 `_ galera container is + outdated. containers used for mariadb are outdated and not supported anymore. +- `OOM-1817 `_ Use of global.repository + inconsistent across Helm Charts. 
it's then may be hard to retrieve some + containers when deploying in constrained environment. +- `OOM-2227 `_ Cassandra Backup Mechanism + works only on "static PV" mode. +- `OOM-2285 `_ deploy.sh does not work + for mariadb-galera. deploy script doesn't behave well with "-" in the + component name. +- `OOM-2421 `_ OOM nbi chart deployment + error +- `OOM-2534 `_ Cert-Service leverages + runtime external dependency +- `OOM-2554 `_ Common pods have java 8 +- `OOM-2588 `_ Various subcharts not + installing due to helm size issues +- `OOM-2629 `_ NetBox demo entry setup + not complete + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ that needs to be +"compiled". + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +- Hard coded password used for all OOM deployments + [`OJSI-188 `_] + +Workarounds +----------- + +- `OOM-1237 `_ Workaround is to generate + them as explained in documentation. +- `OOM-1817 `_ Workaround is to use + offline installer if needed. +- `OOM-2227 `_ Workaround is to stick to + "static PV" (so, not using storage class) if backup is needed. +- `OOM-2285 `_ Workaround is to use + directly helm upgrade if needed. +- `OOM-2534 `_ Workaround is to download + in advance docker.io/openjdk:11-jre-slim where you will generate the charts + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Frankfurt release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org 
diff --git a/docs/sections/release_notes/release-notes-honolulu.rst b/docs/sections/release_notes/release-notes-honolulu.rst new file mode 100644 index 0000000000..832ec580cc --- /dev/null +++ b/docs/sections/release_notes/release-notes-honolulu.rst 
@@ -0,0 +1,155 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_honolulu: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Honolulu release. + +Summary +======= + +The focus of this release is to strengthen the foundation of OOM installer. + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Honolulu | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2021/04/29 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.20 +* Helm support for version up to 3.5 +* Limits are set for most of the components +* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack +* CMPv2 external issuer implemented which extends Cert-Manager with ability to + enroll X.509 certificates from CMPv2 servers +* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual + Stack +* Bump version of common PostgreSQL and ElasticSearch +* Move to automatic certificates retrieval for 80% of the components +* Consistent retrieval of docker images, with ability to configure proxy for + the 4 
repositories used by ONAP + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11073 + +major issues solved: + +* Better handling of persistence on PostgreSQL +* Better Ingress templating +* Better Service templating + +**Known Issues** + +- `OOM-2554 `_ Common pods have java 8 +- `OOM-2435 `_ SDNC karaf shell: + log:list: Error executing command: Unrecognized configuration +- `OOM-2629 `_ NetBox demo entry setup + not complete +- `OOM-2706 `_ CDS Blueprint Processor + does not work with local DB +- `OOM-2713 `_ Problem on onboarding + custom cert to SDNC ONAP during deployment +- `OOM-2698 `_ SO helm override fails in + for value with multi-level replacement +- `OOM-2697 `_ SO with local MariaDB + deployment fails +- `OOM-2538 `_ strange error with + CertInitializer template +- `OOM-2547 `_ Health Check failures + seen after bringing down/up control plane & worker node VM instances on which + ONAP hosted +- `OOM-2699 `_ SO so-mariadb + readinessCheck fails for local MariaDB instance +- `OOM-2705 `_ SDNC DB installation fails + on local MariaDB instance +- `OOM-2603 `_ [SDNC] allign password for + scaleoutUser/restconfUser/odlUser + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ that needs to be +"compiled". + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +- Hard coded password used for all OOM deployments + [`OJSI-188 `_] +- `Hard coded certificates <../oom_hardcoded_certificates>` in Helm packages + +Workarounds +----------- + +- ``_ + Workaround is to generate a password with "short" strength or pregenerate + passwords without single quote in it. Default deployment is using "short" + password generation for mariadb. 
+ +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Frankfurt release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-istanbul.rst b/docs/sections/release_notes/release-notes-istanbul.rst new file mode 100644 index 0000000000..a29b1e2f2d --- /dev/null +++ b/docs/sections/release_notes/release-notes-istanbul.rst 
@@ -0,0 +1,124 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_istanbul: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Istanbul release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Istanbul | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2021/11/04 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11074 + + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + + +Workarounds +----------- + +- `OOM-2754 `_ + Because of *updateEndpoint* property added to *cmpv2issuer* CRD + it is impossible to upgrade platform component from Honolulu to Istanbul + release without manual steps. 
Actions that should be performed: + + #. Update the CRD definition:: + + > kubectl -n onap apply -f oom/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml + #. Upgrade the component:: + + > helm -n onap upgrade dev-platform oom/kubernetes/platform + #. Make sure that *cmpv2issuer* contains correct value for + *spec.updateEndpoint*. The value should be: *v1/certificate-update*. + If it's not, edit the resource:: + + > kubectl -n onap edit cmpv2issuer cmpv2-issuer-onap + + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-jakarta.rst b/docs/sections/release_notes/release-notes-jakarta.rst new file mode 100644 index 0000000000..cfc57888a6 --- /dev/null +++ b/docs/sections/release_notes/release-notes-jakarta.rst 
@@ -0,0 +1,124 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_jakarta: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Jakarta release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Jakarta | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2022/06/23 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11498 + + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + + +Workarounds +----------- + +- `OOM-2754 `_ + Because of *updateEndpoint* property added to *cmpv2issuer* CRD + it is impossible to upgrade platform component from Istanbul to Jakarta + release without manual 
steps. Actions that should be performed: + + #. Update the CRD definition:: + + > kubectl -n onap apply -f oom/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml + #. Upgrade the component:: + + > helm -n onap upgrade dev-platform oom/kubernetes/platform + #. Make sure that *cmpv2issuer* contains correct value for + *spec.updateEndpoint*. The value should be: *v1/certificate-update*. + If it's not, edit the resource:: + + > kubectl -n onap edit cmpv2issuer cmpv2-issuer-onap + + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-kohn.rst b/docs/sections/release_notes/release-notes-kohn.rst new file mode 100644 index 0000000000..66d04628c1 --- /dev/null +++ b/docs/sections/release_notes/release-notes-kohn.rst 
@@ -0,0 +1,128 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_kohn: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Kohn release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Kohn | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2022/12/05 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.23.8 +* Helm support for version up to Helm: 3.8.2 +* Kubespray version used for automated deployment 2.19 (used for automated deployment) +* Initial Setup for "ONAP on ServiceMesh" deployment + + * using Istio 1.14.1 as SM platform + * including Istio Ingress Gateway for external access + * modify 90% of ONAP component charts to support SeviceMesh + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11499 + + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + 
+Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +* Cassandra version needs to be updated to support new Python version + see `OOM-2900 `_ + +Workarounds +----------- + + +Security Notes +-------------- + +**Fixed Security Issues** + +* Fixed vulnerabilities for oom-platform-cert-service + see `Fixes `_ + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-london.rst b/docs/sections/release_notes/release-notes-london.rst new file mode 100644 index 0000000000..28911b8923 --- /dev/null +++ b/docs/sections/release_notes/release-notes-london.rst 
@@ -0,0 +1,144 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_london: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Kohn ` +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the London release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | London | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2023/06/xx | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Introduction of "Production" ONAP setup, including: + + * Istio Service Mesh based deployment + * Ingress (Istio-Gateway) deployment and usage as standard external access method + * Internal Security provided by ServiceMesh and Component2Component AuthorizationPolicies + * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for Ingress Access + +* Removal of unsupported components (AAF, Portal, Contrib,...) +* Update of Helmcharts to use common templates and practices +* Optional support for Cassandra 4.x using k8ssandra-operator + +* `REQ-1349 `_ Removal of AAF. 
+ Internal communication encryption and authorization is offered by ServiceMesh + +* `REQ-1350 `_ All component must be + able to run without MSB. Component helm charts modified to use MSB optionally + and test the components during Daily and Gating with and without MSB + +* `REQ-1351 `_ External secure + communication only via Ingress. + Ingress resources created by templates and Ingress installation is described + in the OOM documents + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11500 + +**Known Issues** + +* Components not working under ServiceMesh + + * CDS UI + * SO Monitor UI + * CLI + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +* Cassandra version needs to be updated to support new Python version + see `OOM-2900 `_ + In London supported as option (using k8ssandra-operator), see :ref:`oom_base_optional_addons` + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. 
_`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes.rst b/docs/sections/release_notes/release-notes.rst new file mode 100644 index 0000000000..0df9483e95 --- /dev/null +++ b/docs/sections/release_notes/release-notes.rst 
@@ -0,0 +1,129 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`London ` +- :ref:`Kohn ` +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Montreal release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Montreal | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2023/12/xx | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Introduction of "Production" ONAP setup, including: + + * Besides the Istio Ingress APIs now the support for `Gateway-API`_ + is added to the templates, which includes: + + * TCP Routes + * UDP Routes + +* Update of Helmcharts to use common templates and practices +* Default support for Cassandra 4.x using k8ssandra-operator +* Default support for MariaDB 11.x using mariadb-operator + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11501 + +**Known Issues** + +* Components not working under ServiceMesh + + * SO Monitor UI + * Policy UI + +Deliverables 
+------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/resources/csv/nodeports.csv b/docs/sections/resources/csv/nodeports.csv new file mode 100644 index 0000000000..096e25eada --- /dev/null +++ b/docs/sections/resources/csv/nodeports.csv 
@@ -0,0 +1,42 @@ +NodePort,Component,Service name,targetPort,Port +30201,SDNC,sdnc-portal,8443,8443 +30203,SDNC,sdnc-dgbuilder,3100,3000 +30204,SDC,sdc-be-external,8443,8443 +30207,SDC,sdc-fe,9443,9443 +30209,ROBOT,robot,443,443 +30210,AAI,aai-modelloader,8080,8080 +30218,POLICY,pap,9091,9091 +30219,POLICY,pap,8443,8443 +30220,AAI,aai-sparky-be,8000,8000 +30222,DCAE,dcae-hv-ves-collector,6061,6061 +30226,DMAAP,message-router-external,3905,3905 +30229,AAI,aai-modelloader,8443,8443 +30233,AAI,aai,8443,8443 +30242,DMAAP,dmaap-bc,8443,8443 +30248,OOF,oof-osdf,8699,8698 +30256,SDC,sdc-wfd-fe,8443,8443 +30257,SDC,sdc-wfd-be,8443,8443 +30260,CLI,cli,443,443 +30264,DCAE,sdc-dcae-fe,9444,9444 +30266,DCAE,sdc-dcae-dt,9446,9446 +30267,SDNC,sdnc,8443,8443 +30269,DMAAP,dmaapr-prov,443,8443 +30271,CLI,cli,9090,9090 +30274,EXTAPI,nbi,8443,8443 +30275,OOF,oof-has-api,8091,8091 +30277,SO,so,8080,8080 +30279,AAI,aai-babel,9516,9516 +30283,MSB,msb-iag,443,443 +30284,MSB,msb-eag,443,443 +30297,VNFSDK,refrepo,8703,8703 +30398,UUI,uui,8443,8443 +30399,UUI,uui-server,8082,8082 +30406,SO,so-vnfm-adapter,9092,9092 +30407,MUSIC,music,8443,8443 +30417,DCAE,xdcae-ves-collector,8443,8443 +30418,DCAE,dashboard,8443,8443 +30490,DMAAP,message-router-kafka-0,9091,9091 +30491,DMAAP,message-router-kafka-1,9091,9091 +30492,DMAAP,message-router-kafka-2,9091,9091 +30494,DMAAP,dmaap-dr-node-external,8443,8443 +30497,CDS,cds-ui,3000,3000 \ No newline at end of file diff --git a/docs/sections/resources/helm/helm-search.txt b/docs/sections/resources/helm/helm-search.txt new file mode 100644 index 0000000000..fbca944bf9 --- /dev/null +++ b/docs/sections/resources/helm/helm-search.txt 
@@ -0,0 +1,29 @@ +NAME CHART VERSION APP VERSION DESCRIPTION +local/onap 12.0.0 London Open Network Automation Platform (ONAP) +local/a1policymanagement 12.0.0 ONAP A1 Policy Management +local/aai 12.0.0 ONAP Active and Available Inventory +local/cassandra 12.0.0 ONAP cassandra +local/cds 12.0.0 ONAP Controller Design Studio (CDS) +local/cli 12.0.0 ONAP Command Line Interface +local/common 12.0.0 Common templates for inclusion in other charts +local/cps 12.0.0 ONAP Configuration Persistene Service (CPS) +local/dcaegen2 12.0.0 ONAP DCAE Gen2 +local/dmaap 12.0.0 ONAP DMaaP components +local/mariadb-galera 12.0.0 Chart for MariaDB Galera cluster +local/msb 12.0.0 ONAP MicroServices Bus +local/multicloud 12.0.0 ONAP multicloud broker +local/nbi 12.0.0 ONAP Northbound Interface +local/nfs-provisioner 12.0.0 NFS provisioner +local/oof 12.0.0 ONAP Optimization Framework +local/policy 12.0.0 ONAP Policy Administration Point +local/postgres 12.0.0 ONAP Postgres Server +local/robot 12.0.0 A helm Chart for kubernetes-ONAP Robot +local/sdc 12.0.0 Service Design and Creation Umbrella Helm charts +local/sdnc 12.0.0 SDN Controller +local/sdnc-prom 12.0.0 ONAP SDNC Policy Driven Ownership Management +local/sniro-emulator 12.0.0 ONAP Mock Sniro Emulator +local/so 12.0.0 ONAP Service Orchestrator +local/strimzi 12.0.0 ONAP Strimzi Apache Kafka +local/uui 12.0.0 ONAP uui +local/vfc 12.0.0 ONAP Virtual Function Controller (VF-C) +local/vnfsdk 12.0.0 ONAP VNF SDK diff --git a/docs/sections/resources/images/consul/consulHealth.png b/docs/sections/resources/images/consul/consulHealth.png new file mode 100644 index 0000000000..cd7e730c39 Binary files /dev/null and b/docs/sections/resources/images/consul/consulHealth.png differ 
diff --git a/docs/sections/resources/images/k8s/kubernetes_objects.png b/docs/sections/resources/images/k8s/kubernetes_objects.png new file mode 100644 index 0000000000..768a3adb99 Binary files /dev/null and b/docs/sections/resources/images/k8s/kubernetes_objects.png differ diff --git a/docs/sections/resources/images/msb/MSB-OOM-Diagram.png b/docs/sections/resources/images/msb/MSB-OOM-Diagram.png new file mode 100644 index 0000000000..4ee878d833 Binary files /dev/null and b/docs/sections/resources/images/msb/MSB-OOM-Diagram.png differ diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-Configure.png b/docs/sections/resources/images/oom_logo/oomLogoV2-Configure.png new file mode 100644 index 0000000000..bdb1ece10c Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-Configure.png differ diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-Delete.png b/docs/sections/resources/images/oom_logo/oomLogoV2-Delete.png new file mode 100644 index 0000000000..10c43d2fb3 Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-Delete.png differ diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-Deploy.png b/docs/sections/resources/images/oom_logo/oomLogoV2-Deploy.png new file mode 100644 index 0000000000..706097cd6c Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-Deploy.png differ diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-Heal.png b/docs/sections/resources/images/oom_logo/oomLogoV2-Heal.png new file mode 100644 index 0000000000..97ac58e9ec Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-Heal.png differ diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-Monitor.png b/docs/sections/resources/images/oom_logo/oomLogoV2-Monitor.png new file mode 100644 index 0000000000..c9a184ac37 Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-Monitor.png differ 
diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-Scale.png b/docs/sections/resources/images/oom_logo/oomLogoV2-Scale.png new file mode 100644 index 0000000000..140e5ca54f Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-Scale.png differ diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-Upgrade.png b/docs/sections/resources/images/oom_logo/oomLogoV2-Upgrade.png new file mode 100644 index 0000000000..d51f6cfcde Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-Upgrade.png differ diff --git a/docs/sections/resources/images/oom_logo/oomLogoV2-medium.png b/docs/sections/resources/images/oom_logo/oomLogoV2-medium.png new file mode 100644 index 0000000000..20aea693e0 Binary files /dev/null and b/docs/sections/resources/images/oom_logo/oomLogoV2-medium.png differ diff --git a/docs/sections/resources/images/servicemesh/ServiceMesh.png b/docs/sections/resources/images/servicemesh/ServiceMesh.png new file mode 100644 index 0000000000..7448ff0dc2 Binary files /dev/null and b/docs/sections/resources/images/servicemesh/ServiceMesh.png differ diff --git a/docs/sections/resources/yaml/common-gateway.yaml b/docs/sections/resources/yaml/common-gateway.yaml new file mode 100644 index 0000000000..3cc1cc55bc --- /dev/null +++ b/docs/sections/resources/yaml/common-gateway.yaml 
@@ -0,0 +1,96 @@ +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: common-gateway + namespace: istio-ingress +spec: + gatewayClassName: istio + listeners: + - name: http-80 + hostname: "*.{{ onap_baseurl }}" + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All + - name: https-443 + hostname: "*.{{ onap_baseurl }}" + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: ingress-tls-secret + - name: udp-162 + protocol: UDP + port: 162 + allowedRoutes: + kinds: + - kind: UDPRoute + namespaces: + from: All + - name: tcp-4334 + protocol: TCP + port: 4334 + allowedRoutes: + kinds: + - kind: TCPRoute + namespaces: + from: All + - name: tcp-9000 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9000 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9001 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9001 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9002 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9002 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9010 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-bootstrap-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9010 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate diff --git a/docs/sections/resources/yaml/environments_onap_demo.yaml b/docs/sections/resources/yaml/environments_onap_demo.yaml new file mode 100644 index 0000000000..64dee3e846 --- /dev/null 
+++ b/docs/sections/resources/yaml/environments_onap_demo.yaml 
@@ -0,0 +1,87 @@ +################################################################# +# Global configuration overrides. +# +# These overrides will affect all helm charts (ie. applications) +# that are listed below and are 'enabled'. +################################################################# +global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image repositories + repository: nexus3.onap.org:10001 + repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== + # readiness check + readinessImage: onap/oom/readiness:6.0.3 + # logging agent + loggingRepository: docker.elastic.co + + # image pull policy + pullPolicy: IfNotPresent + + # override default mount path root directory + # referenced by persistent volumes and log files + persistence: + mountPath: /dockerdata + + # flag to enable debugging - application support required + debugEnabled: true + +################################################################# +# Enable/disable and configure helm charts (ie. applications) +# to customize the ONAP deployment. 
+################################################################# +aai: + enabled: false +cli: + enabled: false +cps: + enabled: false +dcaegen2: + enabled: false +message-router: + enabled: false +msb: + enabled: false +multicloud: + enabled: false +policy: + enabled: false +robot: # Robot Health Check + enabled: true +sdc: + enabled: false +sdnc: + enabled: false +so: # Service Orchestrator + enabled: true + + replicaCount: 1 + + liveness: + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + + # so server configuration + config: + # message router configuration + dmaapTopic: "AUTO" + # openstack configuration + openStackUserName: "vnf_user" + openStackRegion: "RegionOne" + openStackKeyStoneUrl: "http://1.2.3.4:5000" + openStackServiceTenantName: "service" + openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" + + # configure embedded mariadb + mariadb: + config: + mariadbRootPassword: password +uui: + enabled: false +vfc: + enabled: false +vnfsdk: + enabled: false diff --git a/docs/sections/resources/yaml/envoyfilter-case.yaml b/docs/sections/resources/yaml/envoyfilter-case.yaml new file mode 100644 index 0000000000..31e80374e2 --- /dev/null +++ b/docs/sections/resources/yaml/envoyfilter-case.yaml 
@@ -0,0 +1,83 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: header-casing + namespace: istio-config +spec: + configPatches: + - applyTo: CLUSTER + match: + context: SIDECAR_INBOUND + patch: + operation: MERGE + value: + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + use_downstream_protocol_config: + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig + - applyTo: NETWORK_FILTER + match: + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + patch: + operation: MERGE + value: + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: header-casing-outbound + namespace: istio-config + #annotations: + # argocd.argoproj.io/hook: PostSync +spec: + configPatches: + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + patch: + operation: MERGE + value: + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + use_downstream_protocol_config: + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig + - applyTo: NETWORK_FILTER + match: + listener: 
+ filterChain: + filter: + name: envoy.filters.network.http_connection_manager + patch: + operation: MERGE + value: + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig \ No newline at end of file diff --git a/docs/sections/resources/yaml/istio-ingress.yaml b/docs/sections/resources/yaml/istio-ingress.yaml new file mode 100644 index 0000000000..ae215c118a --- /dev/null +++ b/docs/sections/resources/yaml/istio-ingress.yaml @@ -0,0 +1,36 @@ +service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + - name: kafka-bootstrap + port: 9010 + targetPort: 9010 + protocol: TCP + - name: kafka-0 + port: 9000 + targetPort: 9000 + protocol: TCP + - name: kafka-1 + port: 9001 + targetPort: 9001 + protocol: TCP + - name: kafka-2 + port: 9002 + targetPort: 9002 + protocol: TCP + - name: sdnc-callhome + port: 4334 + targetPort: 4334 + protocol: TCP \ No newline at end of file diff --git a/docs/sections/resources/yaml/istiod.yaml b/docs/sections/resources/yaml/istiod.yaml new file mode 100644 index 0000000000..792f686cc6 --- /dev/null +++ b/docs/sections/resources/yaml/istiod.yaml 
@@ -0,0 +1,20 @@ +global: + proxy: + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: true + #logging: + # level: "default:debug" +meshConfig: + rootNamespace: istio-config + extensionProviders: + - name: oauth2-proxy + envoyExtAuthzHttp: + service: oauth2-proxy.default.svc.cluster.local + port: 80 + timeout: 1.5s + includeHeadersInCheck: ["authorization", "cookie"] + headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"] + headersToDownstreamOnDeny: ["content-type", "set-cookie"] +pilot: + env: + PILOT_HTTP10: true \ No newline at end of file diff --git a/docs/sections/resources/yaml/keycloak-db-values.yaml b/docs/sections/resources/yaml/keycloak-db-values.yaml new file mode 100644 index 0000000000..ae1459bea7 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-db-values.yaml @@ -0,0 +1,7 @@ +# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql +global: + postgresql: + auth: + username: dbusername + password: dbpassword + database: keycloak \ No newline at end of file diff --git a/docs/sections/resources/yaml/keycloak-ingress.yaml b/docs/sections/resources/yaml/keycloak-ingress.yaml new file mode 100644 index 0000000000..91fc34f381 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-ingress.yaml 
@@ -0,0 +1,55 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-80 + rules: + Filters: + Request Redirect: + Port: 443 + Scheme: https + Status Code: 301 + Type: RequestRedirect + Matches: + Path: + Type: PathPrefix + Value: /auth +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-443 + rules: + - backendRefs: + - group: "" + kind: Service + name: keycloak-keycloakx-http + port: 80 + weight: 1 + matches: + - path: + type: PathPrefix + value: /auth diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml new file mode 100644 index 0000000000..0160ce86e8 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-server-values.yaml 
@@ -0,0 +1,48 @@ +--- +command: + - "/opt/keycloak/bin/kc.sh" + - "--verbose" + - "start" + - "--http-enabled=true" + - "--http-port=8080" + - "--hostname-strict=false" + - "--hostname-strict-https=false" + - "--spi-events-listener-jboss-logging-success-level=info" + - "--spi-events-listener-jboss-logging-error-level=warn" + +extraEnv: | + - name: KEYCLOAK_ADMIN + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: user + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: password + - name: JAVA_OPTS_APPEND + value: >- + -XX:+UseContainerSupport + -XX:MaxRAMPercentage=50.0 + -Djava.awt.headless=true + -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless + - name: PROXY_ADDRESS_FORWARDING + value: "true" + +dbchecker: + enabled: true + +database: + vendor: postgres + hostname: keycloak-db-postgresql + port: 5432 + username: dbusername + password: dbpassword + database: keycloak + +secrets: + admin-creds: + stringData: + user: admin + password: secret diff --git a/docs/sections/resources/yaml/kiali-ingress.yaml b/docs/sections/resources/yaml/kiali-ingress.yaml new file mode 100644 index 0000000000..44f806203a --- /dev/null +++ b/docs/sections/resources/yaml/kiali-ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: kiali-gateway +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - kiali.simpledemo.onap.org + port: + name: http + number: 80 + protocol: HTTP +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: kiali-service +spec: + hosts: + - kiali.simpledemo.onap.org + gateways: + - kiali-gateway + http: + - route: + - destination: + port: + number: 20001 + host: kiali \ No newline at end of file diff --git a/docs/sections/resources/yaml/kiali.yaml b/docs/sections/resources/yaml/kiali.yaml new file mode 100644 index 0000000000..71d86ce265 
--- /dev/null +++ b/docs/sections/resources/yaml/kiali.yaml @@ -0,0 +1,24 @@ +apiVersion: kiali.io/v1alpha1 +kind: Kiali +metadata: + name: kiali + namespace: istio-system + annotations: + ansible.operator-sdk/verbosity: "1" +spec: + auth: + strategy: anonymous + istio_component_namespaces: + prometheus: monitoring + external_services: + grafana: + in_cluster_url: http://prometheus-stack-grafana.monitoring + prometheus: + url: http://prometheus-stack-kube-prom-prometheus.monitoring:9090 + tracing: + in_cluster_url: http://istio-query.observability:16686 + deployment: + accessible_namespaces: ["**"] + view_only_mode: false + server: + web_root: "/kiali" \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns_attrib.dat b/docs/spelling_wordlist.txt similarity index 100% rename from kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns_attrib.dat rename to docs/spelling_wordlist.txt diff --git a/docs/tox.ini b/docs/tox.ini new file mode 100644 index 0000000000..b0a7bbafa3 --- /dev/null +++ b/docs/tox.ini 
@@ -0,0 +1,38 @@ +[tox] +minversion = 1.6 +envlist = docs,docs-linkcheck,docs-spellcheck +skipsdist = true + +[testenv:docs] +basepython = python3.8 +deps = + -r{toxinidir}/requirements-docs.txt + -chttps://releases.openstack.org/constraints/upper/yoga + -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo +commands = + sudo apt install graphviz + sphinx-build -W -q -b html -n -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/html + +[testenv:docs-linkcheck] +basepython = python3.8 +deps = + -r{toxinidir}/requirements-docs.txt + -chttps://releases.openstack.org/constraints/upper/yoga + -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo +commands = + sudo apt install graphviz + sphinx-build -W -q -b linkcheck -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/linkcheck + +[testenv:docs-spellcheck] +basepython = python3.8 +deps = + -r{toxinidir}/requirements-docs.txt + -chttps://releases.openstack.org/constraints/upper/yoga + -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo +commands = + sudo apt install graphviz + sphinx-build -b spelling -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/spellcheck + diff --git a/docs/yaml/environments_onap_demo.yaml b/docs/yaml/environments_onap_demo.yaml deleted file mode 100644 index 8b697cbda2..0000000000 --- a/docs/yaml/environments_onap_demo.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -################################################################# -# Global configuration overrides. -# -# These overrides will affect all helm charts (ie. applications) -# that are listed below and are 'enabled'. -################################################################# -global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image repositories - repository: nexus3.onap.org:10001 - repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== - # readiness check - readinessImage: onap/oom/readiness:3.0.1 - # logging agent - loggingRepository: docker.elastic.co - - # image pull policy - pullPolicy: IfNotPresent - - # override default mount path root directory - # referenced by persistent volumes and log files - persistence: - mountPath: /dockerdata - - # flag to enable debugging - application support required - debugEnabled: true - -################################################################# -# Enable/disable and configure helm charts (ie. applications) -# to customize the ONAP deployment. 
-################################################################# -aaf: - enabled: false -aai: - enabled: false -appc: - enabled: false -clamp: - enabled: true -cli: - enabled: false -consul: # Consul Health Check Monitoring - enabled: false -cps: - enabled: false -dcaegen2: - enabled: false -log: - enabled: false -message-router: - enabled: false -mock: - enabled: false -msb: - enabled: false -multicloud: - enabled: false -policy: - enabled: false -portal: - enabled: false -robot: # Robot Health Check - enabled: true -sdc: - enabled: false -sdnc: - enabled: false -so: # Service Orchestrator - enabled: true - - replicaCount: 1 - - liveness: - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - - # so server configuration - config: - # message router configuration - dmaapTopic: "AUTO" - # openstack configuration - openStackUserName: "vnf_user" - openStackRegion: "RegionOne" - openStackKeyStoneUrl: "http://1.2.3.4:5000" - openStackServiceTenantName: "service" - openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" - - # configure embedded mariadb - mariadb: - config: - mariadbRootPassword: password -uui: - enabled: false -vfc: - enabled: false -vid: - enabled: false -vnfsdk: - enabled: false diff --git a/docs/yaml/example-integration-override-v3.yaml b/docs/yaml/example-integration-override-v3.yaml deleted file mode 100644 index a55b1c08fc..0000000000 --- a/docs/yaml/example-integration-override-v3.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -################################################################# -# This override file configures openstack parameters for ONAP -################################################################# -robot: - enabled: true - flavor: large - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" - # KEYSTONE Version 3 Required for Rocky and beyond - openStackKeystoneAPIVersion: "v3" - # OS_AUTH_URL without the /v3 from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000" - # tenantID=`openstack project show $tenantName | grep -w id | awk '{print $4}'` - # where "tenantName" is OS_PROJECT_NAME from openstack .RC file - openStackTenantId: "09d8566ea45e43aa974cf447ed591d77" - # OS_USERNAME from the openstack .RC file - openStackUserName: "OS_USERNAME_HERE" - # OS_PROJECT_DOMAIN_ID from the openstack .RC file - # in some environments it is a string but in other environmens it may be a numeric - openStackDomainId: "default" - # OS_USER_DOMAIN_NAME from the openstack .RC file - openStackUserDomain: "Default" - openStackProjectName: "OPENSTACK_PROJECT_NAME_HERE" - ubuntu14Image: "ubuntu-14-04-cloud-amd64" - ubuntu16Image: "ubuntu-16-04-cloud-amd64" - # From openstack network list output - openStackPublicNetId: "971040b2-7059-49dc-b220-4fab50cb2ad4" - # From openstack network list output - openStackPrivateNetId: "83c84b68-80be-4990-8d7f-0220e3c6e5c8" - # From openstack network list output - openStackPrivateSubnetId: "e571c1d1-8ac0-4744-9b40-c3218d0a53a0" - openStackPrivateNetCidr: "10.0.0.0/16" - openStackOamNetworkCidrPrefix: "10.0" - # From openstack security group list output - openStackSecurityGroup: "bbe028dc-b64f-4f11-a10f-5c6d8d26dc89" - dcaeCollectorIp: "10.12.6.109" - # SSH public key - vnfPubKey: "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDKXDgoo3+WOqcUG8/5uUbk81+yczgwC4Y8ywTmuQqbNxlY1oQ0YxdMUqUnhitSXs5S/yRuAVOYHwGg2mCs20oAINrP+mxBI544AMIb9itPjCtgqtE2EWo6MmnFGbHB4Sx3XioE7F4VPsh7japsIwzOjbrQe+Mua1TGQ5d4nfEOQaaglXLLPFfuc7WbhbJbK6Q7rHqZfRcOwAMXgDoBqlyqKeiKwnumddo2RyNT8ljYmvB6buz7KnMinzo7qB0uktVT05FH9Rg0CTWH5norlG5qXgP2aukL0gk1ph8iAt7uYLf1ktp+LJI2gaF6L0/qli9EmVCSLr1uJ38Q8CBflhkh" - demoArtifactsVersion: "1.4.0" - demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" - scriptVersion: "1.4.0" - # rancher node IP where RKE configired - rancherIpAddress: "10.12.6.160" - config: - # use the python utility to encrypt the OS_PASSWORD for the OS_USERNAME - openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PYTHON_PASSWORD_HERE_XXXXXXXXXXXXXXXX" - openStackSoEncryptedPassword: "YYYYYYYYYYYYYYYYYYYYYYYY_OPENSTACK_JAVA_PASSWORD_HERE_YYYYYYYYYYYYYYYY" -so: - enabled: true - so-catalog-db-adapter: - config: - openStackUserName: "OS_USERNAME_HERE" - # OS_AUTH_URL (keep the /v3) from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v3" - # use the SO Java utility to encrypt the OS_PASSWORD for the OS_USERNAME - openStackEncryptedPasswordHere: "YYYYYYYYYYYYYYYYYYYYYYYY_OPENSTACK_JAVA_PASSWORD_HERE_YYYYYYYYYYYYYYYY" -appc: - enabled: true - replicaCount: 3 - config: - enableClustering: true - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - # OS_AUTH_URL from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v3" - openStackServiceTenantName: "OPENSTACK_PROJECT_NAME_HERE" - openStackDomain: "OPEN_STACK_DOMAIN_NAME_HERE" - openStackUserName: "OS_USER_NAME_HERE" - openStackEncryptedPassword: "OPENSTACK_CLEAR_TEXT_PASSWORD_HERE" diff --git a/docs/yaml/example-integration-override.yaml b/docs/yaml/example-integration-override.yaml deleted file mode 100644 index 5eeee5e2f5..0000000000 --- a/docs/yaml/example-integration-override.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -################################################################# -# This override file configures openstack parameters for ONAP -################################################################# -appc: - config: - enableClustering: false - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - # OS_AUTH_URL from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" - openStackServiceTenantName: "OPENSTACK_TENANTNAME_HERE" - # OS_USER_DOMAIN_NAME from the openstack .RC file - openStackDomain: "Default" - openStackUserName: "OPENSTACK_USERNAME_HERE" - openStackEncryptedPassword: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PASSWORD_HERE_XXXXXXXXXXXXXXXX" -robot: - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" - # OS_AUTH_URL without the /v2.0 from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000" - # From openstack network list output - openStackPublicNetId: "971040b2-7059-49dc-b220-4fab50cb2ad4" - # tenantID=`openstack project show $tenantName | grep -w id | awk '{print $4}'` - # where "tenantName" is OS_PROJECT_NAME from openstack .RC file - openStackTenantId: "09d8566ea45e43aa974cf447ed591d77" - openStackUserName: "OPENSTACK_USERNAME_HERE" - ubuntu14Image: "ubuntu-14-04-cloud-amd64" - ubuntu16Image: "ubuntu-16-04-cloud-amd64" - # From openstack network list output - openStackPrivateNetId: "c7824f00-bef7-4864-81b9-f6c3afabd313" - # From openstack network list output - openStackPrivateSubnetId: "2a0e8888-f93e-4615-8d28-fc3d4d087fc3" - openStackPrivateNetCidr: "10.0.0.0/16" - # From openstack security group list output - openStackSecurityGroup: "3a7a1e7e-6d15-4264-835d-fab1ae81e8b0" - openStackOamNetworkCidrPrefix: "10.0" - # Control node IP - dcaeCollectorIp: "10.12.6.88" - # SSH public key - vnfPubKey: "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDKXDgoo3+WOqcUG8/5uUbk81+yczgwC4Y8ywTmuQqbNxlY1oQ0YxdMUqUnhitSXs5S/yRuAVOYHwGg2mCs20oAINrP+mxBI544AMIb9itPjCtgqtE2EWo6MmnFGbHB4Sx3XioE7F4VPsh7japsIwzOjbrQe+Mua1TGQ5d4nfEOQaaglXLLPFfuc7WbhbJbK6Q7rHqZfRcOwAMXgDoBqlyqKeiKwnumddo2RyNT8ljYmvB6buz7KnMinzo7qB0uktVT05FH9Rg0CTWH5norlG5qXgP2aukL0gk1ph8iAt7uYLf1ktp+LJI2gaF6L0/qli9EmVCSLr1uJ38Q8CBflhkh" - demoArtifactsVersion: "1.4.0-SNAPSHOT" - demoArtifactsRepoUrl: "https://nexus.onap.org/content/repositories/releases" - scriptVersion: "1.4.0-SNAPSHOT" - # rancher node IP where RKE configired - rancherIpAddress: "10.12.5.127" - config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment - openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" -so: - # so server configuration - so-catalog-db-adapter: - config: - openStackUserName: "OPENSTACK_USERNAME_HERE" - # OS_AUTH_URL from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" - openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" diff --git a/kubernetes/Makefile b/kubernetes/Makefile index 1b24a7962c..b92d41fe3f 100644 --- a/kubernetes/Makefile +++ b/kubernetes/Makefile @@ -24,7 +24,7 @@ HELM_BIN := helm HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}" 2>/dev/null) -# use this if you would like to push onap charts to repo with other name +# use this if you would like to cm-push onap charts to repo with other name # WARNING: Helm v3+ only # WARNING: Make sure to edit also Chart files HELM_REPO := local 
@@ -36,26 +36,30 @@ else endif SUBMODS := robot -EXCLUDES := config oneclick readiness test dist helm $(PARENT_CHART) dcae $(SUBMODS) -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) $(PARENT_CHART) +EXCLUDES := common config oneclick readiness test dist helm $(PARENT_CHART) dcae $(SUBMODS) +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) check-for-staging-images -all: print_helm_bin $(COMMON_CHARTS_DIR) $(SUBMODS) $(HELM_CHARTS) helm-repo-update plugins +all: print_helm_bin $(COMMON_CHARTS_DIR) $(SUBMODS) $(HELM_CHARTS) $(PARENT_CHART) helm-repo-update plugins -$(COMMON_CHARTS): +$(COMMON_CHARTS_DIR): @echo "\n[$@]" @make package-$@ -$(HELM_CHARTS): +$(HELM_CHARTS): $(COMMON_CHARTS_DIR) @echo "\n[$@]" @make package-$@ -$(SUBMODS): +$(SUBMODS): $(COMMON_CHARTS_DIR) @echo "\n[$@]" @make submod-$@ @make package-$@ +$(PARENT_CHART): $(HELM_CHARTS) + @echo "\n[$@]" + @make package-$@ + submod-%: @make $*/Chart.yaml @@ -76,7 +80,8 @@ lint-%: dep-% package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME $(HELM_REPO); fi + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME $(HELM_REPO); fi + @sleep 3 clean: @rm -f */Chart.lock @@ -85,13 +90,14 @@ clean: # publish helm plugins via distrubtion directory plugins: + @mkdir -p $(PACKAGE_DIR) @cp -R helm $(PACKAGE_DIR)/ check-for-staging-images: $(ROOT_DIR)/../.ci/check-for-staging-images.sh -helm-repo-update: +helm-repo-update: $(PARENT_CHART) @$(HELM_BIN) repo update %: - @: + @: \ No newline at end of file diff --git a/kubernetes/README.md b/kubernetes/README.md index 9d8d4cc9ab..46636b9385 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md 
@@ -1,5 +1,8 @@ ## **Quick Start Guide** +> **WARNING**: This README is no longer maintained and will be deprecated. +> Please refer to the official OOM guide here - [OOM Guide](https://docs.onap.org/projects/onap-oom/en/latest/sections/oom_project_description.html) + This is a quick start guide describing how to deploy ONAP on Kubernetes using Helm. @@ -51,7 +54,6 @@ Step 5. Display the charts that are available to be deployed: ``` > helm search -l NAME VERSION DESCRIPTION -local/appc 2.0.0 Application Controller local/clamp 2.0.0 ONAP Clamp local/onap 2.0.0 Open Network Automation Platform (ONAP) local/robot 2.0.0 A helm Chart for kubernetes-ONAP Robot diff --git a/kubernetes/a1policymanagement/Chart.yaml b/kubernetes/a1policymanagement/Chart.yaml index 563ee2094a..5bd25f0280 100644 --- a/kubernetes/a1policymanagement/Chart.yaml +++ b/kubernetes/a1policymanagement/Chart.yaml @@ -20,18 +20,15 @@ apiVersion: v2 appVersion: "1.0.0" description: A Helm chart for A1 Policy Management Service name: a1policymanagement -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/a1policymanagement/resources/config/application.yaml b/kubernetes/a1policymanagement/resources/config/application.yaml index 37754ca00c..789f3eb673 100644 --- a/kubernetes/a1policymanagement/resources/config/application.yaml +++ b/kubernetes/a1policymanagement/resources/config/application.yaml 
@@ -39,35 +39,33 @@ management: logging: # Configuration of logging level: - ROOT: DEBUG - org.springframework: DEBUG - org.springframework.data: DEBUG - org.springframework.web.reactive.function.client.ExchangeFunctions: DEBUG - org.onap.ccsdk.oran.a1policymanagementservice: DEBUG + ROOT: ERROR + org.springframework: ERROR + org.springframework.data: ERROR + org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR + org.onap.ccsdk.oran.a1policymanagementservice: INFO file: name: /var/log/policy-agent/application.log server: # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework. # See springboot documentation. - port: 8433 + #port: 8081 http-port: 8081 ssl: + enabled: false key-store-type: PKCS12 - key-store-password: ${KEYSTORE_PASSWORD} - key-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 - key-password: ${KEYSTORE_PASSWORD} - key-alias: {{ .Values.certInitializer.fqi }} + key-store-password: "" + key-store: "" + key-password: "" + key-alias: "" app: # Location of the component configuration file. The file will only be used if the Consul database is not used; # configuration from the Consul will override the file. filepath: /opt/app/policy-agent/data/application_configuration.json webclient: - # Configuration of the trust store used for the HTTP client (outgoing requests) - # The file location and the password for the truststore is only relevant if trust-store-used == true - # Note that the same keystore as for the server is used. trust-store-used: false - trust-store-password: ${TRUSTSORE_PASSWORD} - trust-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks + trust-store-password: "" + trust-store: "" # Configuration of usage of HTTP Proxy for the southbound accesses. # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s http.proxy-host: 
diff --git a/kubernetes/a1policymanagement/resources/config/application_configuration.json b/kubernetes/a1policymanagement/resources/config/application_configuration.json index 6b8ebfb35e..837ce0c5b8 100644 --- a/kubernetes/a1policymanagement/resources/config/application_configuration.json +++ b/kubernetes/a1policymanagement/resources/config/application_configuration.json @@ -8,22 +8,6 @@ "password": "${A1CONTROLLER_PASSWORD}" } ], - "ric": {{ include "a1p.generateRics" . | indent 6 | trim }}, - "streams_publishes": { - "dmaap_publisher": { - "type": "message_router", - "dmaap_info": { - "topic_url": "{{ .Values.streamPublish }}" - } - } - }, - "streams_subscribes": { - "dmaap_subscriber": { - "type": "message_router", - "dmaap_info": { - "topic_url": "{{ .Values.streamSubscribe }}" - } - } - } + "ric": {{ include "a1p.generateRics" . | indent 6 | trim}} } } diff --git a/kubernetes/a1policymanagement/templates/configmap.yaml b/kubernetes/a1policymanagement/templates/configmap.yaml index e84beac2ab..13dd4dbd05 100644 --- a/kubernetes/a1policymanagement/templates/configmap.yaml +++ b/kubernetes/a1policymanagement/templates/configmap.yaml @@ -18,7 +18,6 @@ apiVersion: v1 kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} - name: {{ include "common.fullname" . }}-policy-conf +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "policy-conf" ) | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml b/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml index 99449638f4..f12d60127f 100644 --- a/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml +++ b/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml 
@@ -17,7 +17,6 @@ */}} apiVersion: v1 kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} - name: {{ include "common.fullname" . }}-envsubst-scripts +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "envsubst-scripts" ) | nindent 2 }} data: {{ tpl (.Files.Glob "resources/envsubst/*").AsConfig . | indent 2 }} diff --git a/kubernetes/a1policymanagement/templates/ingress.yaml b/kubernetes/a1policymanagement/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/a1policymanagement/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/a1policymanagement/templates/statefulset.yaml b/kubernetes/a1policymanagement/templates/statefulset.yaml index 0114b30158..4458744a55 100644 --- a/kubernetes/a1policymanagement/templates/statefulset.yaml +++ b/kubernetes/a1policymanagement/templates/statefulset.yaml 
@@ -28,9 +28,8 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-bootstrap-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -39,8 +38,6 @@ spec: args: - -c - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\ - | xargs -0) cd /config-input for PFILE in `ls -1` do @@ -53,7 +50,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} - name: A1CONTROLLER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - mountPath: /config-input name: {{ include "common.fullname" . }}-policy-conf-input - mountPath: /config @@ -95,10 +92,10 @@ spec: httpGet: path: /status port: {{ .Values.liveness.port }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: config mountPath: /opt/app/policy-agent/data/application_configuration.json subPath: application_configuration.json 
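Review bot: in the liveness probe, `scheme: HTTP` is now hard-coded where the template previously chose HTTPS or HTTP through `common.needTLS`, so the probe depends on `server.ssl.enabled: false` in application.yaml without saying so. If TLS is turned back on there, the probe will fail and the container will be restarted; a short comment tying the two settings together, or deriving the scheme from a chart value, would avoid that. The bare `volumeMounts:` line correctly drops the `common.certInitializer.volumeMount` include, matching the removal of the cert init container earlier in this file.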
@@ -109,7 +106,7 @@ spec: mountPath: "/var/policy-management-service/database" resources: {{ include "common.resources" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: {{ include "common.fullname" . }}-policy-conf-input configMap: name: {{ include "common.fullname" . }}-policy-conf diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml index 17fa320472..9ae6b60626 100644 --- a/kubernetes/a1policymanagement/values.yaml +++ b/kubernetes/a1policymanagement/values.yaml 
@@ -30,40 +30,7 @@ secrets: password: '{{ .Values.a1controller.password }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: a1p-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: a1p - fqi: a1p@a1p.onap.org - public_fqdn: a1p.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.a1p - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . - -image: onap/ccsdk-oran-a1policymanagementservice:1.3.2 +image: onap/ccsdk-oran-a1policymanagementservice:1.5.0 userID: 1000 #Should match with image-defined user ID groupID: 999 #Should match with image-defined group ID pullPolicy: IfNotPresent 
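Review bot: the `image:` line moves from `1.3.2` to `1.5.0` in the same hunk that deletes the whole `certInitializer` block, so a version bump rides along with the AAF removal; state in the commit message whether 1.5.0 is needed to run without the keystore, or split the bump into its own change. With `certInitializer` gone from values, any template that still reads `.Values.certInitializer.*` will fail to render; the visible hunks clean up application.yaml and statefulset.yaml, and a grep over the rest of the chart would confirm nothing else is left. The deleted block carried the default `aafDeployPass`; removing it is right, but the value stays in the repository history and should be treated as known.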
@@ -72,20 +39,25 @@ replicaCount: 1 service: type: NodePort name: a1policymanagement - both_tls_and_plain: true ports: - name: api - port: 8433 - plain_port: 8081 + port: 8081 port_protocol: http nodePort: '94' +ingress: + enabled: false + service: + - baseaddr: 'a1policymanagement-api' + name: 'a1policymanagement' + port: 8081 + # SDNC Credentials are used here a1controller: user: admin password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -sdncLink: https://sdnc.onap:8443 +sdncLink: http://sdnc.onap:8282 # The information about A1-Mediator/RICs can be added here. # The A1 policy management service supports both STD & OSC versions. # Alternatively, the A1 simulator from ORAN-SC can also be used. It provides STD & OSC versions for A1 termination. @@ -104,8 +76,6 @@ sdncLink: https://sdnc.onap:8443 # - kista3 # - kista4 rics: -streamPublish: http://message-router:3904/events/A1-POLICY-AGENT-WRITE -streamSubscribe: http://message-router:3904/events/A1-POLICY-AGENT-READ/users/policy-agent?timeout=15000&limit=100 liveness: port: api @@ -122,18 +92,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 300Mi + cpu: "2" + memory: "600Mi" requests: - cpu: 1 - memory: 150Mi + cpu: "1" + memory: "300Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} ## Persist data to a persistent volume diff --git a/kubernetes/aaf/.gitignore b/kubernetes/aaf/.gitignore deleted file mode 100644 index 71fbb5cbb9..0000000000 --- a/kubernetes/aaf/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -/sms/ -components/dist diff --git a/kubernetes/aaf/.helmignore b/kubernetes/aaf/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/aaf/.helmignore +++ /dev/null 
@@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/aaf/Chart.yaml b/kubernetes/aaf/Chart.yaml deleted file mode 100644 index bcbe9fa155..0000000000 --- a/kubernetes/aaf/Chart.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright © 2018 ZTE -# Modifications Copyright © 2018 AT&T, Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Application Authorization Framework -name: aaf -version: 11.0.0 - -dependencies: - - name: aaf-cass - version: ~11.x-0 - repository: 'file://components/aaf-cass' - condition: aaf-authz.enabled - - name: aaf-cm - version: ~11.x-0 - repository: 'file://components/aaf-cm' - condition: aaf-authz.enabled - - name: aaf-fs - version: ~11.x-0 - repository: 'file://components/aaf-fs' - condition: aaf-authz.enabled - - name: aaf-gui - version: ~11.x-0 - repository: 'file://components/aaf-gui' - condition: aaf-authz.enabled - - name: aaf-hello - version: ~11.x-0 - repository: 'file://components/aaf-hello' - condition: aaf-hello.enabled - - name: aaf-locate - version: ~11.x-0 - repository: 'file://components/aaf-locate' - condition: aaf-authz.enabled - - name: aaf-oauth - version: ~11.x-0 - repository: 'file://components/aaf-oauth' - condition: aaf-authz.enabled - - name: aaf-service - version: ~11.x-0 - repository: 'file://components/aaf-service' - condition: aaf-authz.enabled - - name: aaf-sms - version: ~11.x-0 - repository: 'file://components/aaf-sms' - condition: aaf-sms.enabled - - name: aaf-sshsm - version: ~11.x-0 - repository: 'file://components/aaf-sshsm' - condition: aaf-sshsm.enabled 
diff --git a/kubernetes/aaf/Makefile b/kubernetes/aaf/Makefile deleted file mode 100644 index dbb84a1eff..0000000000 --- a/kubernetes/aaf/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/Makefile b/kubernetes/aaf/components/Makefile deleted file mode 100644 index 4a15d0251b..0000000000 --- a/kubernetes/aaf/components/Makefile +++ /dev/null 
@@ -1,54 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -PROCESSED_FIRST := aaf-templates -TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) - -HELM_CHARTS := $(PROCESSED_FIRST) $(filter-out $(TO_FILTER), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-cass/.helmignore b/kubernetes/aaf/components/aaf-cass/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/aaf/components/aaf-cass/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-cass/Chart.yaml b/kubernetes/aaf/components/aaf-cass/Chart.yaml deleted file mode 100644 index 0006c9b8f7..0000000000 --- a/kubernetes/aaf/components/aaf-cass/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF cassandra -name: aaf-cass -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat deleted file mode 100644 index 8a923b2bff..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat +++ /dev/null 
@@ -1,74 +0,0 @@ -a1p@a1p.onap.org|a1p|local|/opt/app/osaaf/local||mailto:|org.onap.a1p|root|30|{'a1policymanagement.onap', 'a1policymanagement', 'a1policymanagement.api.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'pkcs12'} -aaf@aaf.osaaf.org|aaf-hello|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf-hello', 'aaf-hello.api.simpledemo.onap.org', 'aaf-hello.onap', 'aaf.osaaf.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -aaf@aaf.osaaf.org|aaf|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf', 'aaf.api.simpledemo.onap.org', 'aaf.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'file'} -aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'} -aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-babel.onap', 'aai-babel', 'aai-graphadmin', 'aai-graphadmin.onap', 
'aai-modelloader.onap', 'aai-modelloader', 'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'} -aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} -aai-resources@aai-resources.onap.org|aai-resources|local|/opt/app/osaaf/local||mailto:|org.onap.aai-resources|root|30|{'aai-resources', 'aai-resources.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai-schema-service@aai-schema-service.onap.org|aai-schema-service|local|/opt/app/osaaf/local||mailto:|org.onap.aai-schema-service|root|30|{'aai-schema-service', 'aai-schema-service.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai-traversal@aai-traversal.onap.org|aai-traversal|local|/opt/app/osaaf/local||mailto:|org.onap.aai-traversal|root|30|{'aai-traversal', 'aai-traversal.onap'}|mmanager@osaaf.org|{'file', 'jks', 
'pkcs12'} -appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'} -appc-cdt@appc-cdt.onap.org|appc-cdt|local|/opt/app/osaaf/local||mailto:|org.onap.appc-cdt|root|30|{'appc-cdt', 'appc-cdt.api.simpledemo.onap.org', 'appc-cdt.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'} -clamp@clamp.onap.org|clamp|local|/opt/app/osaaf/local||mailto:|org.onap.clamp|root|30|{'clamp', 'clamp-onap', 'clamp.api.simpledemo.onap.org', 'clamp.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -clamp@clamp.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.clamp|jg1555|30|{'clamp.api.simpledemo.onap.org', 'clamp.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -cli@cli.onap.org|cli|local|/opt/app/osaaf/local||mailto:|org.onap.cli|root|30|{'cli', 'cli.api.simpledemo.onap.org', 'cli.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'jks'} -dcae@dcae.onap.org|dcae|local|/opt/app/osaaf/local||mailto:|org.onap.dcae|root|60|{'bbs-event-processor', 'bbs-event-processor.onap', 'bbs-event-processor.onap.svc.cluster.local', 'config-binding-service', 'config-binding-service.onap', 'config-binding-service.onap.svc.cluster.local', 'dashboard', 'dashboard.onap', 'dashboard.onap.svc.cluster.local', 'dcae-cloudify-manager', 'dcae-cloudify-manager.onap', 'dcae-cloudify-manager.onap.svc.cluster.local', 'dcae-datafile-collector', 'dcae-datafile-collector.onap', 'dcae-datafile-collector.onap.svc.cluster.local', 'dcae-hv-ves-collector', 'dcae-hv-ves-collector.onap', 'dcae-hv-ves-collector.onap.svc.cluster.local', 'dcae-pm-mapper', 'dcae-pm-mapper.onap', 'dcae-pm-mapper.onap.svc.cluster.local', 'dcae-pmsh', 'dcae-pmsh.onap', 'dcae-pmsh.onap.svc.cluster.local', 'dcae-prh', 'dcae-prh.onap', 'dcae-prh.onap.svc.cluster.local', 'dcae-tca-analytics', 'dcae-tca-analytics.onap', 'dcae-tca-analytics.onap.svc.cluster.local', 'dcae-ves-collector', 
'dcae-ves-collector.onap', 'dcae-ves-collector.onap.svc.cluster.local', 'deployment-handler', 'deployment-handler.onap', 'deployment-handler.onap.svc.cluster.local', 'holmes-engine-mgmt', 'holmes-engine-mgmt.onap', 'holmes-engine-mgmt.onap.svc.cluster.local', 'holmes-rule-mgmt', 'holmes-rules-mgmt.onap', 'holmes-rules-mgmt.onap.svc.cluster.local', 'inventory', 'inventory.onap', 'inventory.onap.svc.cluster.local', 'policy-handler', 'policy-handler.onap', 'policy-handler.onap.svc.cluster.local'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-bc@dmaap-bc.onap.org|dmaap-bc|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc|root|30|{'dmaap-bc', 'dmaap-bc.api.simpledemo.onap.org', 'dmaap-bc.onap'}|mmanager@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|dmaap-bc-mm-prov|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc-mm-prov|root|30|{'dmaap-bc-mm-prov', 'dmaap-bc-mm-prov.api.simpledemo.onap.org', 'dmaap-bc-mm-prov.onap', 'onap.dmaap-bc-mm-prov'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|dmaap-bc-topic-mgr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc-topic-mgr|root|30|{'dmaap-bc-topic-mgr', 'dmaap-bc-topic-mgr.api.simpledemo.onap.org', 'dmaap-bc-topic-mgr.onap', 'onap.dmaap-bc-topic-mgr'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-dr@dmaap-dr.onap.org|dmaap-dr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr', 'dmaap-dr.api.simpledemo.onap.org', 'dmaap-dr.onap', 'onap.dmaap-dr'}|aaf_admin@osaaf.org|{'jks', 'script'} -dmaap-dr-node@dmaap-dr-node.onap.org|dmaap-dr-node|local|/opt/app/osaaf/local||mailto:|onap.dmaap-dr-node|root|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-dr-node@dmaap-dr.onap.org|dmaap-dr-node|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 
'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-dr-node@dmaap-dr.onap.org|mithril|local|/Volumes/Data/open/authz/auth/docker/dmaap_dr_node||mailto:|org.onap.dmaap-dr|jg1555|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr.onap.org|dmaap-dr-prov|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr.onap.org|mithril|local|/tmp/temp||mailto:|org.onap.dmaap-dr|jg1555|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr-prov.onap.org|dmaap-dr-prov|local|/opt/app/osaaf/local||mailto:|onap.dmaap-dr-prov|root|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-mr@dmaap-mr.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-mr|root|30|{'dmaap-mr', 'dmaap-mr.onap', 'message-router', 'message-router.onap', 'mr.api.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|10.12.25.177|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|@osaaf.org|{'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaapmr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router', 'message-router.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router-kafka-0', 'message-router-kafka-0.onap', '{{include "common.release" 
.}}-message-router-kafka-0.message-router-kafka.onap.svc.cluster.local', 'message-router-kafka-1', 'message-router-kafka-1.onap', '{{include "common.release" .}}-message-router-kafka-1.message-router-kafka.onap.svc.cluster.local', 'message-router-kafka-2', 'message-router-kafka-2.onap', '{{include "common.release" .}}-message-router-kafka-2.message-router-kafka.onap.svc.cluster.local', 'message-router', 'mr.api.simpledemo.onap.org', 'message-router.onap', 'dmaapmr dmaap.mr', 'dmaap-mr', 'dmaap.mr.onap', 'dmaap-mr.onap', 'dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaap.mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaap.mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaapmr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -holmes@holmes.onap.org|holmes|local|/opt/app/osaaf/local||mailto:|org.onap.holmes|root|30|{'holmes.api.simpledemo.onap.org', 'holmes.onap'}|aaf_admin@osaaf.org|{'pkcs12'} 
-holmes-rule-mgmt@holmes-rule-mgmt.onap.org|holmes-rule-mgmt|local|/opt/app/osaaf/local||mailto:|org.onap.holmes-rule-mgmt|root|30|{'holmes-rule-mgmt', 'holmes-rule-mgmt.api.simpledemo.onap.org', 'holmes-rule-mgmt.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|holmes-engine-mgmt|local|/opt/app/osaaf/local||mailto:|org.onap.holmes-engine-mgmt|root|30|{'holmes-engine-mgmt', 'holmes-engine-mgmt.api.simpledemo.onap.org', 'holmes-engine-mgmt.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -msb-eag@msb-eag.onap.org|msb-eag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-eag|root|30|{'msb-eag', 'msb-eag.api.simpledemo.onap.org', 'msb-eag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} -msb-iag@msb-iag.onap.org|msb-iag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-iag|root|30|{'msb-iag', 'msb-iag.api.simpledemo.onap.org', 'msb-iag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} -music@music.onap.org|music|aaf|/opt/app/aaf/local||mailto:|org.onap.music|root|30|{'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'pkcs12', 'script'} -music@music.onap.org|music.onap|local|/opt/app/osaaf/local||mailto:|org.onap.music|root|30|{'music-api', 'music-api.onap', 'music-onap', 'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -nbi@nbi.onap.org|nbi|local|/opt/app/osaaf/local||mailto:|org.onap.nbi|root|30|{'nbi', 'nbi.api.simpledemo.onap.org', 'nbi.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -ngi@ngi.onap.org|ngi|local|/opt/app/osaaf/local||mailto:|org.onap.ngi|root|30|{'ngi.api.simpledemo.onap.org', 'ngi.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -oof@oof.onap.org|oof.api.simpledemo.onap.org|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-opteng', 'oof-opteng.onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 
'oof.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -oof@oof.onap.org|oof|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 'oof.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -oof@oof.onap.org|oof.onap|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-cmso', 'oof-cmso-optimizer', 'oof-cmso-ticketmgt', 'oof-cmso-topology', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-opteng', 'oof-opteng.onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 'oof.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -policy@policy.onap.org|policy|local|/opt/app/osaaf/local||mailto:|org.onap.policy|root|60|{'policy-drools-pdp', 'policy-drools-pdp.onap', 'policy', 'policy-apex-pdp', 'policy-apex-pdp.onap', 'policy-api', 'policy-api.onap', 'policy-distribution', 'policy-distribution.onap', 'policy-pap', 'policy-pap.onap', 'policy-xacml-pdp', 'policy-xacml-pdp.onap', 'policy.api.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -pomba@pomba.onap.org|onap.pomba|local|/opt/app/osaaf/local||mailto:|org.onap.pomba|root|30|{'onap.pomba', 'onap_pomba', 'pomba', 'pomba.api.simpledemo.onap.org', 'pomba.onap', 'pomba_onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -portal@portal.onap.org|portal|local|/opt/app/osaaf/local||mailto:|org.onap.portal|root|30|{'onap.portal', 'onap_portal', 'portal', 'portal-app', 'portal.api.simpledemo.onap.org', 'portal.onap', 'portal_onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -refrepo@refrepo.onap.org|refrepo|local|/opt/app/osaaf/local||mailto:|org.onap.refrepo|root|30|{'refrepo', 'refrepo.api.simpledemo.onap.org', 'refrepo.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} 
-sdc@sdc.onap.org|sdc-fe.onap|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|30|{'sdc-fe.onap', 'sdc.api.simpledemo.onap.org', 'sdc.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdc@sdc.onap.org|sdc|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|60|{'*.onap', '*.onap.org', 'sdc', 'sdc-be.onap', 'sdc-dcae-be.onap', 'sdc-dcae-dt.onap', 'sdc-dcae-fe.onap', 'sdc-dcae-tosca-lab.onap', 'sdc-es.onap', 'sdc-fe.onap', 'sdc-kb.onap', 'sdc-onap.org', 'sdc-onboarding-be.onap', 'sdc-wfd-be.onap', 'sdc-wfd-fe.onap', 'sdc.api.fe.simpledemo.onap.org', 'sdc.api.simpledemo.onap.org', 'sdc.dcae.plugin.simpledemo.onap.org', 'sdc.workflow.plugin.simpledemo.onap.org', 'webseal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdc@sdc.onap.org|sdc.onap|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|60|{'*.onap', '*.onap.org', 'sdc', 'sdc-be.onap', 'sdc-dcae-be.onap', 'sdc-dcae-dt.onap', 'sdc-dcae-fe.onap', 'sdc-dcae-tosca-lab.onap', 'sdc-es.onap', 'sdc-fe.onap', 'sdc-kb.onap', 'sdc-onap.org', 'sdc-onboarding-be.onap', 'sdc-wfd-be.onap', 'sdc-wfd-fe.onap', 'sdc.api.fe.simpledemo.onap.org', 'sdc.api.simpledemo.onap.org', 'sdc.dcae.plugin.simpledemo.onap.org', 'sdc.workflow.plugin.simpledemo.onap.org', 'webseal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdnc-cds@sdnc-cds.onap.org|sdnc-cds|local|/opt/app/osaaf/local||mailto:|org.onap.sdnc-cds|root|30|{'c1.vm1.sdnc-cds.simpledemo.onap', 'c2.vm1.sdnc-cds.simpledemo.onap', 'c3.vm1.sdnc-cds.simpledemo.onap', 'c4.vm1.sdnc-cds.simpledemo.onap', 'onap-sdnc-cds', 'onap-sdnc-cds.onap', 'sdnc-cds', 'sdnc-cds.api.simpledemo.onap.org', 'sdnc-cds.onap', 'vm1.sdnc-cds.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'} -sdnc@sdnc.onap.org|ccsdk-sdnc-heat-dev|local|/home/ubuntu/cert||mailto:|org.onap.sdnc|ubuntu|60|{'c1.vm1.sdnc.simpledemo.onap', 'c2.vm1.sdnc.simpledemo.onap', 'c3.vm1.sdnc.simpledemo.onap', 'c4.vm1.sdnc.simpledemo.onap', 'onap-sdnc', 'onap-sdnc.onap', 
'sdnc', 'sdnc.api.simpledemo.onap.org', 'sdnc.onap', 'vm1.sdnc.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -sdnc@sdnc.onap.org|sdnc|local|/opt/app/osaaf/local||mailto:|org.onap.sdnc|root|60|{'c1.vm1.sdnc.simpledemo.onap', 'c2.vm1.sdnc.simpledemo.onap', 'c3.vm1.sdnc.simpledemo.onap', 'c4.vm1.sdnc.simpledemo.onap', 'onap-sdnc', 'onap-sdnc.onap', 'sdnc', 'sdnc.api.simpledemo.onap.org', 'sdnc.onap', 'vm1.sdnc.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -shi@shi.onap.org|onap.shi|local|/opt/app/osaaf/local||mailto:|onap.shi|root|30|{'onap_shi', 'shi', 'shi.api.simpledemo.onap.org', 'shi_onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -so@so.onap.org|aai-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'aai-simulator', 'localhost'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|bpmn-infra|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'bpmn-infra', 'bpmn-infra.onap'}|mmanager@osaaf.org|{'pkcs12'} -so@so.onap.org|sdc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|sdnc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdnc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|so-apih|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30|{'mso-asdc-controller-svc', 'mso-bpmn-infra-svc', 'mso-catalog-db-adapter-svc', 'mso-openstack-adapter-svc', 'mso-request-db-adapter-svc', 'mso-sdnc-adapter-svc'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -so@so.onap.org|so-client|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30||mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -so@so.onap.org|so|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so.api.simpledemo.onap.org', 'so.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} 
-so@so.onap.org|so-vnfm-adapter|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-adapter', 'so-vnfm-adapter.onap'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|so-vnfm-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-simulator', 'so-vnfm-simulator.onap'}|aaf_admin@osaaf.org|{'pkcs12'} -tester1@test.portal.onap.org|tester1|aaf|/||mailto:|org.onap.portal.test|root|30||@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -vfc@vfc.onap.org|vfc|local|/opt/app/osaaf/local||mailto:|org.onap.vfc|root|30|{'vfc.api.simpledemo.onap.org vfc.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid1@vid1.onap.org|vid1|local|/opt/app/osaaf/local||mailto:|org.onap.vid1|root|30|{'onap', 'onap.vid1', 'vid1', 'vid1.api.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid2@vid2.onap.org|vid2|local|/opt/app/osaaf/local||mailto:|org.onap.vid2|root|30|{'onap.vid2', 'vid2', 'vid2.api.simpledemo.onap.org', 'vid2.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid@vid.onap.org|vid|local|/opt/app/osaaf/local||mailto:|org.onap.vid|root|30|{'vid.api.simpledemo.onap.org', 'vid.onap'}|mmanager@osaaf.org|{'jks', 'pkcs12'} -uui@uui.onap.org|uui|local|/opt/app/osaaf/local||mailto:|org.onap.uui|root|30|{'uui', 'uui.api.simpledemo.onap.org', 'uui.onap','uui-server', 'uui-server.api.simpledemo.onap.org', 'uui-server.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat deleted file mode 100644 index 18b5c90fd6..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat +++ /dev/null 
@@ -1,10 +0,0 @@ -aaf|aaf_env|DEV -aaf|aaf_oauth2_introspect_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.introspect:2.1/introspect -aaf|aaf_oauth2_token_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.token:2.1/token -aaf|aaf_url_cm|https://AAF_LOCATE_URL/%CNS.%AAF_NS.cm:2.1 -aaf|aaf_url_fs|https://AAF_LOCATE_URL/%CNS.%AAF_NS.fs:2.1 -aaf|aaf_url_gui|https://AAF_LOCATE_URL/%CNS.%AAF_NS.gui:2.1 -aaf|aaf_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.service:2.1 -aaf|aaf_url_oauth|https://AAF_LOCATE_URL/%CNS.%AAF_NS.oauth:2.1 -aaf|cadi_protocols|TLSv1.1,TLSv1.2 -aaf|cadi_x509_issuers|CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat deleted file mode 100644 index 1279c363b5..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat +++ /dev/null 
@@ -1,59 +0,0 @@ -portal@portal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.portal|53344|| -shi@shi.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.shi|53344|| -a1p@a1p.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.a1p|53344|| -aaf@aaf.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.aaf|53344|| -aaf-sms@aaf-sms.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aaf-sms|53344|| -clamp@clamp.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.clamp|53344|| -aai@aai.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai|53344|| -aai-resources@aai-resources.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-resources|53344|| -aai-schema-service@aai-schema-service.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-schema-service|53344|| -aai-traversal@aai-traversal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-traversal|53344|| -appc@appc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc|53344|| -appc-cdt@appc-cdt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc-cdt|53344|| -cli@cli.onap.org|2|2020-11-26 
12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.cli|53344|| -dcae@dcae.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dcae|53344|| -oof@oof.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.oof|53344|| -so@so.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.so|53344|| -sdc@sdc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdc|53344|| -sdnc@sdnc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdnc|53344|| -sdnc-cds@sdnc-cds.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdnc-cds|53344|| -vfc@vfc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vfc|53344|| -policy@policy.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.policy|53344|| -pomba@pomba.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.pomba|53344|| -holmes@holmes.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.holmes|53344|| -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.holmes-engine-mgmt|53344|| -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial 
ID|org.onap.holmes-rule-mgmt|53344|| -nbi@nbi.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.nbi|53344|| -msb-eag@msb-eag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-eag|53344|| -msb-iag@msb-iag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-iag|53344|| -music@music.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.music|53344|| -refrepo@refrepo.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.refrepo|53344|| -vid@vid.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid|53344|| -vid1@vid1.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid1|53344|| -vid2@vid2.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid2|53344|| -dmaap-bc@dmaap-bc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc|53344|| -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc-topic-mgr|53344|| -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc-mm-prov|53344|| -dmaap-dr@dmaap-dr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr|53344|| 
-dmaap-dr-prov@dmaap-dr-prov.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr-prov|53344|| -dmaap-dr-node@dmaap-dr-node.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr-node|53344|| -dmaap-mr@dmaap-mr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-mr|53344|| -dmaapmr@dmaapmr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaapmr|53344|| -#dmaap.mr@#dmaap.mr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.mr.#dmaap|53344|| -iowna@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -mmanager@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -bdevl@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -mmarket@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -demo@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -jh0003@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -cs0008@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -jm0007@people.osaaf.org|2|2020-11-26 
12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -op0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -gv0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -pm0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -gs0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -ps0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -aaf_admin@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -deployer@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -portal_admin@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -uui@uui.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.uui|53344|| diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat deleted file mode 100644 index 7d20d55c31..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat +++ /dev/null 
@@ -1,88 +0,0 @@ -org.onap.a1p||org.onap||3 -org.onap.aaf-sms||org.onap||3 -org.onap.aai||org.onap||3 -org.onap.aai-resources||org.onap||3 -org.onap.aai-schema-service||org.onap||3 -org.onap.aai-traversal||org.onap||3 -org.onap.appc||org.onap||3 -org.onap.appc-cdt||org.onap||3 -org.onap.cds||org.onap||3 -org.onap.clampdemo|Onap clamp demo NS|org.onap|2|2 -org.onap.clamp||org.onap||3 -org.onap.clamptest|Onap clamp test NS|org.onap|2|2 -org.onap.cli||org.onap||3 -org.onap.dcae||org.onap||3 -org.onap.dmaap-bc.api||org.onap.dmaap-bc||3 -org.onap.dmaap-bc-mm-prov||org.onap||3 -org.onap.dmaap-bc||org.onap||3 -org.onap.dmaap.bc||org.onap||3 -org.onap.dmaapbc||org.onap||3 -org.onap.dmaap-bc-topic-mgr||org.onap||3 -org.onap.dmaap-dr||org.onap||3 -org.onap.dmaap.mr.aNewTopic-123450||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aNewTopic-123451||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aNewTopic-1547667570||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aNewTopic-||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547665517||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547666628||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547666760||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547666950||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547667031||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-123456||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-123457||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547660509||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547660861||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547661011||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547662122||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547662451||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547664813||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547664928||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547666068||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTopic-1547654909||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.dgl000||org.onap.dmaap.mr||3 
-org.onap.dmaap.mr.dgl_ready||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.IdentityTopic-12345||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.IdentityTopic-1547839476||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.mirrormakeragent||org.onap.dmaap.mr||3 -org.onap.dmaap-mr||org.onap||3 -org.onap.dmaap.mr||org.onap||3 -org.onap.dmaap.mr.partitionTest-1546033194||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.PM_MAPPER||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.PNF_READY||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.PNF_REGISTRATION||org.onap.dmaap.mr||3 -org.onap.dmaap-mr.sunil||org.onap.dmaap-mr||3 -org.onap.dmaap-mr.test||org.onap.dmaap-mr||3 -org.onap.dmaap.mr.topic-000||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.topic-001||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.topic-002||org.onap.dmaap.mr||3 -org.onap.dmaap||org.onap||3 -org.onap.holmes||org.onap||3 -org.onap.holmes-engine-mgmt||org.onap||3 -org.onap.holmes-rule-mgmt||org.onap||3 -org.onap.music||org.onap||3 -org.onap.msb-eag||org.onap||3 -org.onap.msb-iag||org.onap||3 -org.onap.nbi||org.onap||3 -org.onap|ONAP|org|2|2 -org.onap.oof||org.onap||3 -org.onap.policy||org.onap||3 -org.onap.pomba||org.onap||3 -org.onap.portal|ONAP Portal|org.onap.portal|3|3 -org.onap.portal.test||org.onap.portal||3 -org.onap.refrepo||org.onap||3 -org.onap.sdc||org.onap||3 -org.onap.sdnc-cds||org.onap||3 -org.onap.sdnc||org.onap||3 -org.onap.so||org.onap||3 -org.onap.vfc||org.onap||3 -org.onap.vid1||org.onap||3 -org.onap.vid2||org.onap||3 -org.onap.vid||org.onap||3 -org.onap.uui||org.onap||3 -org.openecomp.dcae|DCAE Namespace Org|org.openecomp|3|3 -org.openecomp.dmaapBC|DMaap NS|org.openecomp|3|3 -org.openecomp|Open EComp NS|org|2|2 -org.osaaf.aaf|Application Authorization Framework|org.osaaf|3|3 -org.osaaf|OSAAF Namespace|org|2|2 -org.osaaf.people||org.osaaf||3 -org|Root Namespace|.|1|1 
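Review bot: in the certificate artifact records removed just before config.dat, the name sets of the two `sdc@sdc.onap.org` records for `sdc` and `sdc.onap` include the wildcards '*.onap' and '*.onap.org', and the `so@so.onap.org` simulator records include 'localhost'. The deletion itself is fine, but the change does not say what now issues these service certificates. Please document the replacement and confirm it scopes each certificate to the service's own names instead of carrying the wildcard and localhost entries over.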
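Review bot: the removed config.dat line `aaf|cadi_protocols|TLSv1.1,TLSv1.2` shows that the seeded default accepted TLSv1.1 alongside TLSv1.2, and the same hunk drops every `aaf_url*` and `aaf_oauth2_*` locator entry. Since this change only deletes the seed file, please check that no chart remaining in the tree copied that protocol list or still resolves the AAF_LOCATE_URL endpoints removed here, and note the result in the commit message.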
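Review bot: in cred.dat, every record in the 59-line hunk carries the identical credential value and the same 2020-11-26 timestamp, for the service identities and for the people accounts alike (aaf_admin@people.osaaf.org, deployer@people.osaaf.org and portal_admin@people.osaaf.org included), each labelled "Initial ID". Deleting the seed file neither removes that value from the repository history nor changes it in clusters already initialised from it. The commit message or release notes should state this and tell operators of existing installations to retire or rotate these initial credentials rather than treat the deletion as sufficient.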
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat deleted file mode 100644 index 89c726f9ec..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat +++ /dev/null 
@@ -1,547 +0,0 @@ -org|access|*|*|Org Write Access|{'org.admin'} -org|access|*|read,approve|Org Read Access|{'org.owner'} -org|access|*|read|Org Read Access|{'org.owner'} -org.onap.a1p|access|*|*|AAF Namespace Write Access|"{'org.onap.a1p|admin', 'org.onap.a1p|service'}" -org.onap.a1p|access|*|read|AAF Namespace Read Access|"{'org.onap.a1p|owner'}" -org.onap.a1p|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aaf-sms|access|*|*|AAF Namespace Write Access|"{'org.onap.aaf-sms|admin'}" -org.onap.aaf-sms|access|*|read|AAF Namespace Read Access|"{'org.onap.aaf-sms|owner'}" -org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai|access|*|*|AAF Namespace Write Access|"{'org.onap.aai|admin'}" -org.onap.aai|access|*|read|AAF Namespace Read Access|"{'org.onap.aai|owner'}" -org.onap.aai|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai|resources|*|delete||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|get||"{'org.onap.aai|resources_all', 'org.onap.aai|resources_readonly'}" -org.onap.aai|resources|*|patch||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|post||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|put||"{'org.onap.aai|resources_all'}" -org.onap.aai|traversal|*|advanced||"{'org.onap.aai|traversal_advanced'}" -org.onap.aai|traversal|*|basic||"{'org.onap.aai|traversal_basic'}" -org.onap.aai-resources|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-resources|admin', 'org.onap.aai-resources|service'}" -org.onap.aai-resources|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-resources|owner'}" -org.onap.aai-resources|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai-schema-service|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-schema-service|admin', 'org.onap.aai-schema-service|service'}" -org.onap.aai-schema-service|access|*|read|AAF Namespace Read 
Access|"{'org.onap.aai-schema-service|owner'}" -org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai-traversal|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-traversal|admin', 'org.onap.aai-traversal|service'}" -org.onap.aai-traversal|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-traversal|owner'}" -org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap|access|*|*|Onap Write Access|{'org.onap.admin'} -org.onap|access|*|read|Onap Read Access|{'org.onap.owner'} -org.onap.appc|access|*|*|AAF Namespace Write Access|"{'org.onap.appc|admin', 'org.onap.appc|service'}" -org.onap.appc|access|*|read|AAF Namespace Read Access|"{'org.onap.appc|owner'}" -org.onap.appc|apidoc|/apidoc/.*|ALL||"{'org.onap.appc|apidoc'}" -org.onap.appc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.appc|odl|odl-api|*|Appc ODL API Access|"{'org.onap.appc.odl', 'org.onap.appc|admin'}" -org.onap.appc|restconf|/restconf/.*|ALL||"{'org.onap.appc|restconf'}" -org.onap.appc-cdt|access|*|*|AAF Namespace Write Access|"{'org.onap.appc-cdt|admin', 'org.onap.appc-cdt|service'}" -org.onap.appc-cdt|access|*|read|AAF Namespace Read Access|"{'org.onap.appc-cdt|owner'}" -org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.cds|access|*|*|AAF Namespace Write Access|"{'org.onap.cds|admin'}" -org.onap.cds|access|*|read|AAF Namespace Read Access|"{'org.onap.cds|owner'}" -org.onap.clamp|access|*|*|AAF Namespace Write Access|"{'org.onap.clamp|admin', 'org.onap.clamp|service'}" -org.onap.clamp|access|*|read|Onap Clamp Read Access|{'org.onap.clamp.owner'} -org.onap.clamp|certman|local|request,ignoreIPs,showpass||"{'org.onap.clamp|admin', 'org.onap.clamp|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.clamp|clds.cl|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.cl|dev|read|Onap Clamp Dev Read 
Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.cl|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.cl.event|dev|*|Onap Clamp Dev Write Access|{'org.onap.clamp.clds.designer.dev'} -org.onap.clamp|clds.cl.manage|dev|*|Onap Clamp Dev Manage Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|service'}" -org.onap.clamp|clds.filter.vf|dev|*|Onap Clamp Filter All Dev Access|"{'org.onap.clamp.clds.vf_filter_all.dev', 'org.onap.clamp|service'}" -org.onap.clamp|clds.template|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}" -org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'} -org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'} -org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'} -org.onap.clamptest|access|*|read|Onap Read Access|{'org.onap.clamptest.owner'} -org.onap.cli|access|*|*|AAF Namespace Write Access|"{'org.onap.cli|admin', 'org.onap.cli|service'}" -org.onap.cli|access|*|read|AAF Namespace Read Access|"{'org.onap.cli|owner'}" -org.onap.cli|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dcae|access|*|*|AAF Namespace Write Access|"{'org.onap.dcae|admin', 'org.onap.dmaap-bc-topic-mgr|admin', 'org.onap.dmaap-bc|admin'}" -org.onap.dcae|access|*|read|AAF Namespace Read Access|"{'org.onap.dcae|owner'}" -org.onap.dcae|certman|local|request,ignoreIPs,showpass||"{'org.onap.dcae|seeCerts', 'org.osaaf.aaf|deploy'}" 
-org.onap.dcae|dmaap.topicFactory|:com.att.dcae.dmaap.FTL.mr.topic:com.att.dcae.dmaap.FTL|create|| -org.onap.dcae|dmaap.topicFactory|:null.FTL.mr.topic:null.FTL|create|| -org.onap.dmaap|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap|admin'}" -org.onap.dmaap|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap|owner'}" -org.onap.dmaap-bc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc|admin'}" -org.onap.dmaapbc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaapbc|admin'}" -org.onap.dmaap.bc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.bc|admin', 'org.onap.dmaap.bc|service'}" -org.onap.dmaap-bc|access|*|read|AAF Namespace Read Access|"{'org.onap.dcae|admin', 'org.onap.dmaap-bc|owner'}" -org.onap.dmaap.bc|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.bc|owner'}" -org.onap.dmaapbc|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaapbc|owner'}" -org.onap.dmaap-bc.api|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc.api|admin', 'org.onap.dmaap-bc|admin'}" -org.onap.dmaap-bc.api|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc.api|owner', 'org.onap.dmaap-bc|admin', 'org.onap.dmaap-bc|service'}" -org.onap.dmaap-bc.api|bridge|onapdemo|GET||"{'org.onap.dmaap-bc.api|Metrics'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|GET||"{'org.onap.dmaap-bc.api|Controller'}" 
-org.onap.dmaap-bc.api|dmaap|boot|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" 
-org.onap.dmaap-bc.api|dr_subs|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" 
-org.onap.dmaap-bc.api|mr_clusters|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|topics|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc.api|topics|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|topics|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc.api|topics|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass||"{'org.onap.dmaap-bc|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.dmaap-bc-mm-prov|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc-mm-prov|admin'}" -org.onap.dmaap-bc-mm-prov|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc-mm-prov|owner'}" -org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap-bc-topic-mgr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc-topic-mgr|admin'}" -org.onap.dmaap-bc-topic-mgr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc-topic-mgr|owner'}" -org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap-dr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-dr|admin'}" -org.onap.dmaap-dr|access|*|read|AAF Namespace Read 
Access|"{'org.onap.dmaap-dr|owner'}" -org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass||"{'org.onap.dmaap-dr|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.dmaap-dr|feed|*|approveSub||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap|dr.feed|*|create|| -org.onap.dmaap-dr|feed|*|create||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|delete||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|edit||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|*||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|publish||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|restore||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|subscribe||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|suspend||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|sub|*|delete||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|edit||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|*||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|publish||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|restore||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|suspend||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap.mr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc|service', 'org.onap.dmaap.mr|admin'}" -org.onap.dmaap-mr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr|admin'}" -org.onap.dmaap-mr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr|owner'}" -org.onap.dmaap.mr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr|owner', 'org.onap.dmaap.mr|service'}" -org.onap.dmaap.mr.aNewTopic-123450|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-123450|admin'}" -org.onap.dmaap.mr.aNewTopic-123450|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-123450|owner'}" -org.onap.dmaap.mr.aNewTopic-123451|access|*|*|AAF Namespace Write 
Access|"{'org.onap.dmaap.mr.aNewTopic-123451|admin'}" -org.onap.dmaap.mr.aNewTopic-123451|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-123451|owner'}" -org.onap.dmaap.mr.aNewTopic-1547667570|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-1547667570|admin'}" -org.onap.dmaap.mr.aNewTopic-1547667570|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-1547667570|owner'}" -org.onap.dmaap.mr.aNewTopic-|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-|admin'}" -org.onap.dmaap.mr.aNewTopic-|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-|owner'}" -org.onap.dmaap.mr.aTest-1547665517|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547665517|admin'}" -org.onap.dmaap.mr.aTest-1547665517|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547665517|owner'}" -org.onap.dmaap.mr.aTest-1547666628|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666628|admin'}" -org.onap.dmaap.mr.aTest-1547666628|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666628|owner'}" -org.onap.dmaap.mr.aTest-1547666760|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666760|admin'}" -org.onap.dmaap.mr.aTest-1547666760|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666760|owner'}" -org.onap.dmaap.mr.aTest-1547666950|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666950|admin'}" -org.onap.dmaap.mr.aTest-1547666950|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666950|owner'}" -org.onap.dmaap.mr.aTest-1547667031|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547667031|admin'}" -org.onap.dmaap.mr.aTest-1547667031|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547667031|owner'}" -org.onap.dmaap.mr.aTestTopic-123456|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-123456|admin'}" 
-org.onap.dmaap.mr.aTestTopic-123456|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-123456|owner'}" -org.onap.dmaap.mr.aTestTopic-123457|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-123457|admin'}" -org.onap.dmaap.mr.aTestTopic-123457|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-123457|owner'}" -org.onap.dmaap.mr.aTestTopic-1547660509|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547660509|admin'}" -org.onap.dmaap.mr.aTestTopic-1547660509|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547660509|owner'}" -org.onap.dmaap.mr.aTestTopic-1547660861|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547660861|admin'}" -org.onap.dmaap.mr.aTestTopic-1547660861|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547660861|owner'}" -org.onap.dmaap.mr.aTestTopic-1547661011|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547661011|admin'}" -org.onap.dmaap.mr.aTestTopic-1547661011|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547661011|owner'}" -org.onap.dmaap.mr.aTestTopic-1547662122|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547662122|admin'}" -org.onap.dmaap.mr.aTestTopic-1547662122|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547662122|owner'}" -org.onap.dmaap.mr.aTestTopic-1547662451|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547662451|admin'}" -org.onap.dmaap.mr.aTestTopic-1547662451|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547662451|owner'}" -org.onap.dmaap.mr.aTestTopic-1547664813|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547664813|admin'}" -org.onap.dmaap.mr.aTestTopic-1547664813|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547664813|owner'}" 
-org.onap.dmaap.mr.aTestTopic-1547664928|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547664928|admin'}" -org.onap.dmaap.mr.aTestTopic-1547664928|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547664928|owner'}" -org.onap.dmaap.mr.aTestTopic-1547666068|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547666068|admin'}" -org.onap.dmaap.mr.aTestTopic-1547666068|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547666068|owner'}" -org.onap.dmaap.mr.aTopic-1547654909|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTopic-1547654909|admin'}" -org.onap.dmaap.mr.aTopic-1547654909|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTopic-1547654909|owner'}" -org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap.mr.dgl000|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.dgl000|admin'}" -org.onap.dmaap.mr.dgl000|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.dgl000|owner'}" -org.onap.dmaap.mr.dgl_ready|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.dgl_ready|admin'}" -org.onap.dmaap.mr.dgl_ready|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.dgl_ready|owner'}" -org.onap.dmaap.mr.IdentityTopic-12345|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.IdentityTopic-12345|admin'}" -org.onap.dmaap.mr.IdentityTopic-12345|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.IdentityTopic-12345|owner'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|admin'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|owner'}" -org.onap.dmaap.mr|mirrormaker|*|admin||"{'org.onap.dmaap.mr|mirrormaker.admin'}" 
-org.onap.dmaap.mr.mirrormakeragent|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.mirrormakeragent|admin'}" -org.onap.dmaap.mr.mirrormakeragent|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.mirrormakeragent|owner'}" -org.onap.dmaap.mr|mirrormaker|*|user||"{'org.onap.dmaap.mr|mirrormaker.user'}" -org.onap.dmaap.mr.partitionTest-1546033194|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.partitionTest-1546033194|admin'}" -org.onap.dmaap.mr.partitionTest-1546033194|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.partitionTest-1546033194|owner'}" -org.onap.dmaap.mr.PM_MAPPER|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PM_MAPPER|admin'}" -org.onap.dmaap.mr.PM_MAPPER|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PM_MAPPER|owner'}" -org.onap.dmaap.mr.PNF_READY|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PNF_READY|admin'}" -org.onap.dmaap.mr.PNF_READY|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PNF_READY|owner'}" -org.onap.dmaap.mr.PNF_REGISTRATION|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PNF_REGISTRATION|admin'}" -org.onap.dmaap.mr.PNF_REGISTRATION|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PNF_REGISTRATION|owner'}" -org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub||"{'org.onap.dmaap-mr|admin', 'org.onap.dmaap-mr|sai'}" -org.onap.dmaap-mr.sunil|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr.sunil|admin'}" -org.onap.dmaap-mr.sunil|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr.sunil|owner'}" -org.onap.dmaap-mr.sunil|test|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub||"{'org.onap.dmaap-mr.sunil|admin2'}" -org.onap.dmaap-mr.test|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr.test|admin'}" -org.onap.dmaap-mr.test|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr.test|owner'}" -org.onap.dmaap.mr.topic-000|access|*|*|AAF Namespace Write 
Access|"{'org.onap.dmaap.mr.topic-000|admin'}" -org.onap.dmaap.mr.topic-000|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-000|owner'}" -org.onap.dmaap.mr.topic-001|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.topic-001|admin'}" -org.onap.dmaap.mr.topic-001|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-001|owner'}" -org.onap.dmaap.mr.topic-002|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.topic-002|admin'}" -org.onap.dmaap.mr.topic-002|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-002|owner'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create,destroy||"{'org.onap.dmaap-bc|service'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create||"{'org.onap.dmaap-bc-topic-mgr|client', 'org.onap.dmaap.mr|create'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy||"{'org.onap.dmaap-bc-topic-mgr|client', 'org.onap.dmaap.mr|destroy'}" -org.onap.dmaap.mr|topic|*|*||"{'org.onap.dmaap-bc|service'}" -org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|pub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|sub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topictest|*|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|sub||"{'org.onap.dmaap-mr|Publisher'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|pub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|sub||"{'org.onap.dcae|pnfSubscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view||"{'org.onap.dcae|pnfPublisher', 'org.onap.dcae|pnfSubscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|pub||"{'org.onap.dmaap.mr.dgl_ready|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|sub||"{'org.onap.dmaap.mr.dgl_ready|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view||"{'org.onap.dmaap.mr.dgl_ready|publisher', 'org.onap.dmaap.mr.dgl_ready|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1529190699|pub|| 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest201810100530|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|pub||"{'org.onap.dmaap.mr.IdentityTopic-12345|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|sub||"{'org.onap.dmaap.mr.IdentityTopic-12345|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view||"{'org.onap.dmaap.mr.IdentityTopic-12345|publisher', 'org.onap.dmaap.mr.IdentityTopic-12345|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|pub||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|sub||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|publisher', 'org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub||"{'org.onap.dmaap.mr.mirrormakeragent|pub', 'org.onap.dmaap.mr.mirrormakeragent|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub||"{'org.onap.dmaap.mr.mirrormakeragent|sub', 'org.onap.dmaap.mr.mirrormakeragent|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view||"{'org.onap.dmaap.mr.mirrormakeragent|publisher', 'org.onap.dmaap.mr.mirrormakeragent|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|pub||"{'org.onap.dmaap.mr|mmagent.pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|sub||"{'org.onap.dmaap.mr|mmagent.sub', 'org.onap.dmaap.mr|mmagent.sub1'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtest|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|pub||"{'org.onap.dmaap.mr|mrtesttopic.pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|sub||"{'org.onap.dmaap.mr|mrtesttopic.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|pub||"{'org.onap.dmaap.mr.PM_MAPPER|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|sub||"{'org.onap.dmaap.mr.PM_MAPPER|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view||"{'org.onap.dmaap.mr.PM_MAPPER|publisher', 'org.onap.dmaap.mr.PM_MAPPER|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub||"{'org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr.PNF_READY|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|sub||"{'org.onap.dmaap.mr.PNF_READY|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view||"{'org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr.PNF_READY|publisher', 'org.onap.dmaap.mr.PNF_READY|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|pub||"{'org.onap.dmaap.mr.PNF_REGISTRATION|publisher'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub||"{'org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr.PNF_REGISTRATION|subscriber', 'org.onap.dmaap.mr|PNF_REGISTRATION.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view||"{'org.onap.dmaap.mr.PNF_REGISTRATION|publisher', 'org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr.PNF_REGISTRATION|subscriber', 'org.onap.dmaap.mr|PNF_REGISTRATION.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.test1|pub||"{'org.onap.dmaap.mr|test1'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub||"{'org.onap.dcae|pnfPublisher', 'org.onap.dmaap.mr.topic-000|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|sub||"{'org.onap.dmaap.mr.topic-000|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view||"{'org.onap.dcae|pnfPublisher', 'org.onap.dmaap.mr.topic-000|publisher', 'org.onap.dmaap.mr.topic-000|subscriber'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|pub||"{'org.onap.dmaap.mr.topic-001|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|sub||"{'org.onap.dmaap.mr.topic-001|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view||"{'org.onap.dmaap.mr.topic-001|publisher', 'org.onap.dmaap.mr.topic-001|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|pub||"{'org.onap.dmaap.mr.topic-002|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|sub||"{'org.onap.dmaap.mr.topic-002|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view||"{'org.onap.dmaap.mr.topic-002|publisher', 'org.onap.dmaap.mr.topic-002|subscriber'}" -org.onap.dmaap.mr|topic|*|view||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap.mr|view'}" -org.onap.dmaap.mr|viewtest|*|view||"{'org.onap.dmaap.mr|viewtest'}" -org.onap.holmes|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes|admin'}" -org.onap.holmes|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes|owner'}" -org.onap.holmes-engine-mgmt|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes-engine-mgmt|admin', 'org.onap.holmes-engine-mgmt|service'}" -org.onap.holmes-engine-mgmt|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes-engine-mgmt|owner'}" -org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass||"{'org.onap.holmes-engine-mgmt|admin', 'org.onap.holmes-engine-mgmt|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.holmes-rule-mgmt|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes-rule-mgmt|admin', 'org.onap.holmes-rule-mgmt|service'}" -org.onap.holmes-rule-mgmt|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes-rule-mgmt|owner'}" -org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass||"{'org.onap.holmes-rule-mgmt|admin', 'org.onap.holmes-rule-mgmt|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.msb-eag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-eag|admin', 
'org.onap.msb-eag|service'}" -org.onap.msb-eag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-eag|owner'}" -org.onap.msb-eag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.msb-iag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-iag|admin', 'org.onap.msb-iag|service'}" -org.onap.msb-iag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-iag|owner'}" -org.onap.msb-iag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.music|access|*|*|AAF Namespace Write Access|"{'org.onap.music|admin'}" -org.onap.music|access|*|read|AAF Namespace Read Access|"{'org.onap.music|owner'}" -org.onap.music|certman|local|request,ignoreIPs,showpass||"{'org.onap.music|admin', 'org.osaaf.aaf|deploy'}" -org.onap.nbi|access|*|*|AAF Namespace Write Access|"{'org.onap.nbi|admin', 'org.onap.nbi|service'}" -org.onap.nbi|access|*|read|AAF Namespace Read Access|"{'org.onap.nbi|owner'}" -org.onap.nbi|certman|local|request,ignoreIPs,showpass||"{'org.onap.nbi|admin', 'org.onap.nbi|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.ngi|access|*|*|AAF Namespace Write Access|"{'org.onap.ngi|admin'}" -org.onap.ngi|access|*|read|AAF Namespace Read Access|"{'org.onap.ngi|owner'}" -org.onap.oof|access|*|*|AAF Namespace Write Access|"{'org.onap.oof|admin'}" -org.onap.oof|access|*|read|AAF Namespace Read Access|"{'org.onap.oof|owner'}" -org.onap.oof|certman|local|request,ignoreIPs,showpass||"{'org.onap.oof|admin', 'org.onap.sdc|admin', 'org.osaaf.aaf|deploy'}" -org.onap.policy|access|*|*|AAF Namespace Write Access|"{'org.onap.policy|admin', 'org.onap.policy|pdpd.admin'}" -org.onap.policy|access|*|read|AAF Namespace Read Access|"{'org.onap.policy|owner', 'org.onap.policy|pdpd.admin'}" -org.onap.policy|certman|local|request,ignoreIPs,showpass||"{'org.onap.policy|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.policy|menu|menu_admin|*|Admin Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_ajax|*|Ajax 
Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_concept|*|CoNCEPT| -org.onap.policy|menu|menu_customer_create|*|Customer Create|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_customer|*|Customer Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_doclib|*|Document Library Menu| -org.onap.policy|menu|menu_feedback|*|Feedback Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_help|*|Help Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_home|*|Home Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_itracker|*|iTracker Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_job_create|*|Job Create|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_job_designer|*|Process in Designer view| -org.onap.policy|menu|menu_job|*|Job Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_logout|*|Logout Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_map|*|Map Menu|"{'org.onap.policy|Standard_User'}" -org.onap.policy|menu|menu_notes|*|Notes Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_policy|*|Policy|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|menu|menu_process|*|Process List|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_profile_create|*|Profile Create|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_profile_import|*|Profile Import|"{'org.onap.policy|System_Administrator'}" 
-org.onap.policy|menu|menu_profile|*|Profile Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_reports|*|Reports Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_sample|*|Sample Pages Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_tab|*|Sample Tab Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_task_search|*|Task Search| -org.onap.policy|menu|menu_task|*|Task Menu| -org.onap.policy|menu|menu_test|*|Test Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|pdpd.healthcheck.configuration|*|get||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.healthcheck|*|get||"{'org.onap.policy|pdpd.admin', 'org.onap.policy|pdpd.monitor'}" -org.onap.policy|pdpd.telemetry|*|delete||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.telemetry|*|get||"{'org.onap.policy|pdpd.admin', 'org.onap.policy|pdpd.monitor'}" -org.onap.policy|pdpd.telemetry|*|post||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.telemetry|*|put||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpx.config|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.createDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.createPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.decision|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getConfigByPolicyName|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getConfig|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getDecision|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getMetrics|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.listConfig|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.list|*|*||"{'org.onap.policy|pdpx.admin'}" 
-org.onap.policy|pdpx.listPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.policyEngineImport|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.pushPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.sendEvent|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.updateDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.updatePolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|url|doclib_admin|*|Document Library Admin|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|url|doclib|*|Document Library|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|url|login|*|Login|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|url|policy_admin|*|Policy Admin|"{'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_dashboard|*|Policy Dashboard|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_dictionary|*|Policy Dictionary|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_editor|*|Policy Editor|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_pdp|*|Policy PDP|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_push|*|Policy Push|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" 
-org.onap.policy|url|policy_roles|*|Policy Roles|"{'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|view_reports|*|View Raptor reports| -org.onap.pomba|access|*|*|AAF Namespace Write Access|"{'org.onap.pomba|admin'}" -org.onap.pomba|access|*|read|AAF Namespace Read Access|"{'org.onap.pomba|owner'}" -org.onap.pomba|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.portal|access|*|*|Portal Write Access|{'org.onap.portal.admin'} -org.onap.portal|access|*|read|Portal Read Access| -org.onap.portal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.portal|menu|menu_acc_admin|*|Admin Account Menu|"{'org.onap.portal|Account_Administrator', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_admin|*|Admin Menu|"{'org.onap.portal|System_Administrator', 'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_ajax|*|Ajax Menu| -org.onap.portal|menu|menu_customer_create|*|Customer Create| -org.onap.portal|menu|menu_customer|*|Customer Menu| -org.onap.portal|menu|menu_feedback|*|Feedback Menu| -org.onap.portal|menu|menu_help|*|Help Menu| -org.onap.portal|menu|menu_home|*|Home Menu|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_job_create|*|Job Create| -org.onap.portal|menu|menu_job_designer|*|Process in Designer view| -org.onap.portal|menu|menu_job|*|Job Menu| -org.onap.portal|menu|menu_logout|*|Logout Menu|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_map|*|Map Menu| -org.onap.portal|menu|menu_notes|*|Notes Menu| -org.onap.portal|menu|menu_process|*|Process List| -org.onap.portal|menu|menu_profile_create|*|Profile Create| -org.onap.portal|menu|menu_profile_import|*|Profile Import| -org.onap.portal|menu|menu_profile|*|Profile Menu| -org.onap.portal|menu|menu_reports|*|Reports Menu| -org.onap.portal|menu|menu_sample|*|Sample Pages Menu| 
-org.onap.portal|menu|menu_tab|*|Sample Tab Menu| -org.onap.portal|menu|menu_task_search|*|Task Search|"{'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_task|*|Task Menu|"{'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_web_analytics|*|Web Analytics|"{'org.onap.portal|Portal_Usage_Analyst', 'org.onap.portal|Usage_Analyst'}" -org.onap.portal.test|aaaa|*|write|| -org.onap.portal.test|access1|*|read|| -org.onap.portal.test|access|*|*|AAF Namespace Write Access|"{'org.onap.portal.test|admin'}" -org.onap.portal.test|access|*|read|AAF Namespace Read Access|"{'org.onap.portal.test|owner'}" -org.onap.portal.test|myaccess|*|read|| -org.onap.portal.test|user1.access|*|read|| -org.onap.portal.test|user1.myaccess|*|read|| -org.onap.portal|url|addWebAnalyticsReport|*|Add Web Analytics Report| -org.onap.portal|url|appsFullList|*|Apps Full List| -org.onap.portal|url|centralizedApps|*|Centralized Apps|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|edit_notification|*|User Notification|"{'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|functionalMenu|*|Functional Menu| -org.onap.portal|url|getAdminNotifications|*|Admin Notifications|"{'org.onap.portal|Account_Administrator', 'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|getAllWebAnalytics|*|Get All Web Analytics|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getFunctionalMenuRole|*|Get Functional Menu Role|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getNotificationAppRoles|*|Get Notification App Roles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|get_role_functions%2f%2a|*|Get Role Functions|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|get_roles%2f%2a|*|getRolesOfApp|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getUserAppsWebAnalytics|*|Get User Apps Web Analytics|"{'org.onap.portal|Account_Administrator'}" 
-org.onap.portal|url|getUserJourneyAnalyticsReport|*|Get User Journey Report|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|login|*|Login|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|url|notification_code|*|Notification Code|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|role_function_list%2fsaveRoleFunction%2f%2a|*|Save Role Function|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|saveNotification|*|publish notifications|"{'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|syncRoles|*|SyncRoles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|url_role.htm|*|role page| -org.onap.portal|url|url_welcome.htm|*|welcome page| -org.onap.portal|url|userAppRoles|*|userAppRoles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|userApps|*|User Apps|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|view_reports|*|View Raptor reports| -org.onap.refrepo|access|*|*|AAF Namespace Write Access|"{'org.onap.refrepo|admin', 'org.onap.refrepo|service'}" -org.onap.refrepo|access|*|read|AAF Namespace Read Access|"{'org.onap.refrepo|owner'}" -org.onap.refrepo|certman|local|request,ignoreIPs,showpass||"{'org.onap.refrepo|admin', 'org.onap.refrepo|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.sdc|access|*|*|AAF Namespace Write Access|"{'org.onap.sdc|admin'}" -org.onap.sdc|access|*|read|AAF Namespace Read Access|"{'org.onap.sdc|owner'}" -org.onap.sdc|administrator.access|*|*||"{'org.onap.sdc|admin'}" -org.onap.sdc|certman|local|request,ignoreIPs,showpass||"{'org.onap.sdc|admin', 'org.osaaf.aaf|deploy'}" -org.onap.sdc|designer.access|*|*||"{'org.onap.sdc|designer'}" -org.onap.sdc|governance.access|*|*||"{'org.onap.sdc|governor'}" -org.onap.sdc|operations.access|*|*||"{'org.onap.sdc|ops'}" -org.onap.sdc|tester.access|*|*||"{'org.onap.sdc|tester'}" -org.onap.sdnc|access|*|*|AAF Namespace Write Access|"{'org.onap.sdnc|admin'}" 
-org.onap.sdnc|access|*|read|AAF Namespace Read Access|"{'org.onap.sdnc|owner'}" -org.onap.sdnc-cds|access|*|*|AAF Namespace Write Access|"{'org.onap.sdnc-cds|admin', 'org.onap.sdnc-cds|service'}" -org.onap.sdnc-cds|access|*|read|AAF Namespace Read Access|"{'org.onap.sdnc-cds|owner'}" -org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.sdnc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.sdnc|odl|odl-api|create||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|delete||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|*||"{'org.onap.sdnc|admin', 'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|read||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|update||"{'org.onap.sdnc|service'}" -org.onap.so|access|*|*|AAF Namespace Write Access|"{'org.onap.so|admin', 'org.onap.so|app'}" -org.onap.so|access|*|read|AAF Namespace Read Access|"{'org.onap.so|owner'}" -org.onap.so|certman|local|request,ignoreIPs,showpass||"{'org.onap.so|admin', 'org.onap.so|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.vfc|access|*|*|AAF Namespace Write Access|"{'org.onap.vfc|admin', 'org.onap.vfc|service'}" -org.onap.vfc|access|*|read|AAF Namespace Read Access|"{'org.onap.vfc|owner'}" -org.onap.vfc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid1|access|*|*|AAF Namespace Write Access|"{'org.onap.vid1|admin'}" -org.onap.vid1|access|*|read|AAF Namespace Read Access|"{'org.onap.vid1|owner'}" -org.onap.vid1|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid2|access|*|*|AAF Namespace Write Access|"{'org.onap.vid2|admin'}" -org.onap.vid2|access|*|read|AAF Namespace Read Access|"{'org.onap.vid2|owner'}" -org.onap.vid2|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid|access|*|*|AAF Namespace Write Access|"{'org.onap.vid|admin'}" -org.onap.vid|access|*|read|AAF Namespace Read Access|"{'org.onap.vid|owner'}" 
-org.onap.vid|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid|menu|menu_admin|*|Admin Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_ajax|*|Ajax Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_changemanagement|*|VNF Changes|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_concept|*|CoNCEPT| -org.onap.vid|menu|menu_customer_create|*|Customer Create|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_customer|*|Customer Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_doclib|*|Document Library Menu| -org.onap.vid|menu|menu_feedback|*|Feedback Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_help|*|Help Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_home|*|Home Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_itracker|*|iTracker Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_job_create|*|Job Create|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_job_designer|*|Process in Designer view| -org.onap.vid|menu|menu_job|*|Job Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_logout|*|Logout Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_map|*|Map Menu|"{'org.onap.vid|Standard_User'}" -org.onap.vid|menu|menu_newserinstance|*|Create New Service Instance|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_notes|*|Notes Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_process|*|Process List|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_profile_create|*|Profile Create|"{'org.onap.vid|System_Administrator'}" 
-org.onap.vid|menu|menu_profile_import|*|Profile Import|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_profile|*|Profile Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_reports|*|Reports Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_sample|*|Sample Pages Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_searchexisting|*|Search for Existing Service Instances|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_servicemodels|*|Browse SDC Service Instances|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_tab|*|Sample Tab Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_task_search|*|Task Search| -org.onap.vid|menu|menu_task|*|Task Menu| -org.onap.vid|menu|menu_test|*|Test Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_viewlog|*|Log Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|url|doclib_admin|*|Document Library Admin|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|url|doclib|*|Document Library|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|url|login|*|Login|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|url|view_reports|*|View Raptor reports| -org.onap.uui|access|*|*|AAF Namespace Write Access|"{'org.onap.uui|admin', 'org.onap.uui|service'}" -org.onap.uui|access|*|read|AAF Namespace Read Access|"{'org.onap.uui|owner'}" -org.onap.uui|certman|local|request,ignoreIPs,showpass||"{'org.onap.uui|admin', 'org.onap.uui|seeCerts', 'org.osaaf.aaf|deploy'}" -org.openecomp|access|*|*|OpenEcomp Write Access|{'org.openecomp.admin'} -org.openecomp|access|*|read|OpenEcomp Read Access|{'org.openecomp.owner'} -org.openecomp.dmaapBC|access|*|*|DMaap Write Access|{'org.openecomp.dmaapBC.admin'} 
-org.openecomp.dmaapBC|access|*|read|DMaap Read Access|{'org.openecomp.dmaapBC.owner'} -org.osaaf.aaf|access|*|*|AAF Write Access|{'org.osaaf.aaf.admin'} -org.osaaf.aaf|access|*|read,approve|AAF Read Access|{'org.osaaf.aaf.owner'} -org.osaaf.aaf|cache|all|clear||"{'org.osaaf.aaf|admin'}" -org.osaaf.aaf|cache|*|clear||"{'org.osaaf.aaf|admin', 'org.osaaf.aaf|service'}" -org.osaaf.aaf|cache|role|clear||"{'org.osaaf.aaf|admin'}" -org.osaaf.aaf|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.osaaf.aaf|password|*|create,reset||"{'org.osaaf.aaf|admin'}" -org.osaaf|access|*|*|OSAAF Write Access|{'org.osaaf.admin'} -org.osaaf|access|*|read,appove|OSAAF Read Access|{'org.osaaf.owner'} -org.osaaf.people|access|*|*|AAF Namespace Write Access|"{'org.osaaf.people|admin'}" -org.osaaf.people|access|*|read|AAF Namespace Read Access|"{'org.osaaf.people|owner'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat deleted file mode 100644 index 111b94e6a8..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat +++ /dev/null 
@@ -1,352 +0,0 @@ -org|admin|Org Admins|"{'org.access|*|*'}" -org.onap.a1p|admin|AAF Namespace Administrators|"{'org.onap.a1p|access|*|*'}" -org.onap.a1p|owner|AAF Namespace Owners|"{'org.onap.a1p|access|*|read'}" -org.onap.a1p|service||"{'org.onap.a1p|access|*|*'}" -org.onap.aaf-sms|admin|AAF Namespace Administrators|"{'org.onap.aaf-sms|access|*|*'}" -org.onap.aaf-sms|owner|AAF Namespace Owners|"{'org.onap.aaf-sms|access|*|read'}" -org.onap.aaf-sms|service||"{'org.onap.aaf-sms|access|*|read'}" -org.onap.aai|aaiui|| -org.onap.aai|Account_Administrator|| -org.onap.aai|admin|AAF Namespace Administrators|"{'org.onap.aai|access|*|*'}" -org.onap.aai|owner|AAF Namespace Owners|"{'org.onap.aai|access|*|read'}" -org.onap.aai|resources_all|resources_all|"{'org.onap.aai|resources|*|delete', 'org.onap.aai|resources|*|get', 'org.onap.aai|resources|*|patch', 'org.onap.aai|resources|*|post', 'org.onap.aai|resources|*|put'}" -org.onap.aai|resources_readonly|resources_readonly|"{'org.onap.aai|resources|*|get'}" -org.onap.aai|traversal_advanced|traversal_advanced|"{'org.onap.aai|traversal|*|advanced'}" -org.onap.aai|traversal_basic|traversal_basic|"{'org.onap.aai|traversal|*|basic'}" -org.onap.aai-resources|admin|AAF Namespace Administrators|"{'org.onap.aai-resources|access|*|*'}" -org.onap.aai-resources|owner|AAF Namespace Owners|"{'org.onap.aai-resources|access|*|read'}" -org.onap.aai-resources|service||"{'org.onap.aai-resources|access|*|*'}" -org.onap.aai-schema-service|admin|AAF Namespace Administrators|"{'org.onap.aai-schema-service|access|*|*'}" -org.onap.aai-schema-service|owner|AAF Namespace Owners|"{'org.onap.aai-schema-service|access|*|read'}" -org.onap.aai-schema-service|service||"{'org.onap.aai-schema-service|access|*|*'}" -org.onap.aai-traversal|admin|AAF Namespace Administrators|"{'org.onap.aai-traversal|access|*|*'}" -org.onap.aai-traversal|owner|AAF Namespace Owners|"{'org.onap.aai-traversal|access|*|read'}" 
-org.onap.aai-traversal|service||"{'org.onap.aai-traversal|access|*|*'}" -org.onap|admin|Onap Admins|"{'org.onap.access|*|*'}" -org.onap.appc|admin|AAF Namespace Administrators|"{'org.onap.appc|access|*|*'}" -org.onap.appc|apidoc||"{'org.onap.appc|apidoc|/apidoc/.*|ALL'}" -org.onap.appc|jolokia|| -org.onap.appc|odl|Onap APPC ODL Admins|"{'org.onap.appc.odl|odl-api|*'}" -org.onap.appc|owner|AAF Namespace Owners|"{'org.onap.appc|access|*|read'}" -org.onap.appc|restconf||"{'org.onap.appc|restconf|/restconf/.*|ALL'}" -org.onap.appc|service||"{'org.onap.appc|access|*|*'}" -org.onap.appc-cdt|admin|AAF Namespace Administrators|"{'org.onap.appc-cdt|access|*|*'}" -org.onap.appc-cdt|owner|AAF Namespace Owners|"{'org.onap.appc-cdt|access|*|read'}" -org.onap.appc-cdt|service||"{'org.onap.appc-cdt|access|*|*'}" -org.onap.cds|admin|AAF Namespace Administrators|"{'org.onap.cds|access|*|*'}" -org.onap.cds|owner|AAF Namespace Owners|"{'org.onap.cds|access|*|read'}" -org.onap.clamp|admin|AAF Namespace Administrators|"{'org.onap.clamp|access|*|*', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|clds.admin.dev|Onap clamp Admin Dev|"{'org.onap.clamp.clds.template|dev|update', 'org.onap.clamp|clds.cl|dev|read', 'org.onap.clamp|clds.cl|dev|update', 'org.onap.clamp|clds.template|dev|read', 'org.onap.clamp|clds.template|dev|update'}" -org.onap.clamp|clds.designer.dev|Onap clamp Designer Dev|"{'org.onap.clamp.clds.template|dev|update'}" -org.onap.clamp|clds.vf_filter_all.dev|Onap clamp Filter All Dev|"{'org.onap.clamp.clds.filter.vf|dev|*'}" -org.onap.clampdemo|admin|Onap Clamp Test Admins|"{'org.onap.clampdemo.access|*|*'}" -org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}" -org.onap.clamp|owner|AAF Namespace Owners| -org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 
'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}" -org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}" -org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}" -org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}" -org.onap.cli|owner|AAF Namespace Owners|"{'org.onap.cli|access|*|read'}" -org.onap.cli|service||"{'org.onap.cli|access|*|*'}" -org.onap.dcae|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc|access|*|read'}" -org.onap.dcae|owner|AAF Namespace Owners|"{'org.onap.dcae|access|*|read'}" -org.onap.dcae|pmPublisher|| -org.onap.dcae|pmSubscriber|| -org.onap.dcae|pnfPublisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view', 'org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|pub', 'org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|sub'}" -org.onap.dcae|pnfSubscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view'}" -org.onap.dcae|seeCerts||"{'org.onap.dcae|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap|admin|AAF Namespace Administrators|"{'org.onap.dmaap|access|*|*'}" -org.onap.dmaap-bc|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc.api|access|*|*', 'org.onap.dmaap-bc.api|access|*|read', 'org.onap.dmaap-bc|access|*|*'}" -org.onap.dmaap.bc|admin|AAF Namespace Administrators|"{'org.onap.dmaap.bc|access|*|*'}" -org.onap.dmaapbc|admin|AAF Namespace Administrators|"{'org.onap.dmaapbc|access|*|*'}" 
-org.onap.dmaap-bc.api|admin|AAF Namespace Administrators|"{'org.onap.dmaap-bc.api|access|*|*'}" -org.onap.dmaap-bc.api|Controller||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|POST', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|PUT', 'org.onap.dmaap-bc.api|dmaap|boot|DELETE', 'org.onap.dmaap-bc.api|dmaap|boot|GET', 'org.onap.dmaap-bc.api|dmaap|boot|POST', 'org.onap.dmaap-bc.api|dmaap|boot|PUT', 'org.onap.dmaap-bc.api|dmaap|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|POST', 'org.onap.dmaap-bc.api|dmaap|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|DELETE', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|PUT', 'org.onap.dmaap-bc.api|topics|onapdemo|DELETE', 'org.onap.dmaap-bc.api|topics|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|POST', 
'org.onap.dmaap-bc.api|topics|onapdemo|PUT'}" -org.onap.dmaap-bc.api|Inventory||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc.api|Metrics||"{'org.onap.dmaap-bc.api|bridge|onapdemo|GET', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc.api|Orchestrator||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|DELETE', 'org.onap.dmaap-bc.api|topics|onapdemo|GET', 
'org.onap.dmaap-bc.api|topics|onapdemo|POST', 'org.onap.dmaap-bc.api|topics|onapdemo|PUT'}" -org.onap.dmaap-bc.api|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc.api|access|*|read'}" -org.onap.dmaap-bc.api|PortalUser||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|DELETE', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc-mm-prov|admin|AAF Namespace Administrators|"{'org.onap.dmaap-bc-mm-prov|access|*|*'}" -org.onap.dmaap-bc-mm-prov|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc-mm-prov|access|*|read'}" -org.onap.dmaap-bc|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc|access|*|read'}" -org.onap.dmaap.bc|owner|AAF Namespace Owners|"{'org.onap.dmaap.bc|access|*|read'}" -org.onap.dmaapbc|owner|AAF Namespace Owners|"{'org.onap.dmaapbc|access|*|read'}" -org.onap.dmaap-bc|seeCerts||"{'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap.bc|service||"{'org.onap.dmaap.bc|access|*|*'}" -org.onap.dmaap-bc|service||"{'org.onap.dmaap-bc.api|access|*|read', 'org.onap.dmaap-dr|feed|*|*', 'org.onap.dmaap-dr|sub|*|*', 'org.onap.dmaap.mr|access|*|*', 
'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create,destroy', 'org.onap.dmaap.mr|topic|*|*', 'org.onap.dmaap.mr|topic|*|view'}" -org.onap.dmaap-bc-topic-mgr|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc-topic-mgr|access|*|*'}" -org.onap.dmaap-bc-topic-mgr|client||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create', 'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy'}" -org.onap.dmaap-bc-topic-mgr|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc-topic-mgr|access|*|read'}" -org.onap.dmaap-dr|admin|AAF Namespace Administrators|"{'org.onap.dmaap-dr|access|*|*'}" -org.onap.dmaap-dr|feed.admin||"{'org.onap.dmaap-dr|feed|*|*'}" -org.onap.dmaap-dr|owner|AAF Namespace Owners|"{'org.onap.dmaap-dr|access|*|read'}" -org.onap.dmaap-dr|seeCerts||"{'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap-dr|sub.admin||"{'org.onap.dmaap-dr|sub|*|*'}" -org.onap.dmaap.mr|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr|access|*|*'}" -org.onap.dmaap-mr|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr|access|*|*', 'org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap.mr.aNewTopic-123450|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-123450|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-123450|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-123450|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-123450|publisher|| -org.onap.dmaap.mr.aNewTopic-123450|subscriber|| -org.onap.dmaap.mr.aNewTopic-123451|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-123451|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-123451|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-123451|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-123451|publisher|| -org.onap.dmaap.mr.aNewTopic-123451|subscriber|| -org.onap.dmaap.mr.aNewTopic-1547667570|admin|AAF Namespace 
Administrators|"{'org.onap.dmaap.mr.aNewTopic-1547667570|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-1547667570|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-1547667570|access|*|read'}" -org.onap.dmaap.mr|aNewTopic-1547667571.publisher|| -org.onap.dmaap.mr|aNewTopic-1547667571.subscriber|| -org.onap.dmaap.mr.aNewTopic-|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-|publisher|| -org.onap.dmaap.mr.aNewTopic-|subscriber|| -org.onap.dmaap.mr.aTest-1547665517|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547665517|access|*|*'}" -org.onap.dmaap.mr.aTest-1547665517|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547665517|access|*|read'}" -org.onap.dmaap.mr.aTest-1547665517|publisher|| -org.onap.dmaap.mr|aTest-1547665518.subscriber|| -org.onap.dmaap.mr.aTest-1547666628|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666628|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666628|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666628|access|*|read'}" -org.onap.dmaap.mr|aTest-1547666629.publisher|| -org.onap.dmaap.mr|aTest-1547666629.subscriber|| -org.onap.dmaap.mr.aTest-1547666760|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666760|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666760|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666760|access|*|read'}" -org.onap.dmaap.mr|aTest-1547666761.publisher|| -org.onap.dmaap.mr|aTest-1547666761.subscriber|| -org.onap.dmaap.mr.aTest-1547666950|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666950|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666950|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666950|access|*|read'}" -org.onap.dmaap.mr.aTest-1547666950|publisher|| -org.onap.dmaap.mr|aTest-1547666951.subscriber|| 
-org.onap.dmaap.mr.aTest-1547667031|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547667031|access|*|*'}" -org.onap.dmaap.mr.aTest-1547667031|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547667031|access|*|read'}" -org.onap.dmaap.mr|aTest-1547667032.publisher|| -org.onap.dmaap.mr|aTest-1547667032.subscriber|| -org.onap.dmaap.mr.aTestTopic-123456|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-123456|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-123456|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-123456|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-123456|publisher|| -org.onap.dmaap.mr.aTestTopic-123456|subscriber|| -org.onap.dmaap.mr.aTestTopic-123457|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-123457|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-123457|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-123457|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-123457|publisher|| -org.onap.dmaap.mr.aTestTopic-123457|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547660509|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547660509|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547660509|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547660509|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547660861|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547660861|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547660861|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547660861|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547661011|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547661011|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547661011|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547661011|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547661011|publisher|| -org.onap.dmaap.mr.aTestTopic-1547662122|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547662122|access|*|*'}" 
-org.onap.dmaap.mr.aTestTopic-1547662122|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547662122|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547662122|publisher|| -org.onap.dmaap.mr.aTestTopic-1547662451|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547662451|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547662451|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547662451|access|*|read'}" -org.onap.dmaap.mr|aTestTopic-1547662452.publisher|| -org.onap.dmaap.mr.aTestTopic-1547664813|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547664813|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547664813|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547664813|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547664813|publisher|| -org.onap.dmaap.mr.aTestTopic-1547664813|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547664928|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547664928|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547664928|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547664928|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547664928|publisher|| -org.onap.dmaap.mr.aTestTopic-1547664928|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547666068|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547666068|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547666068|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547666068|access|*|read'}" -org.onap.dmaap.mr.aTopic-1547654909|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTopic-1547654909|access|*|*'}" -org.onap.dmaap.mr.aTopic-1547654909|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTopic-1547654909|access|*|read'}" -org.onap.dmaap.mr|create||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create'}" -org.onap.dmaap.mr|destroy||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy'}" 
-org.onap.dmaap.mr.dgl000|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.dgl000|access|*|*'}" -org.onap.dmaap.mr.dgl000|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.dgl000|access|*|read'}" -org.onap.dmaap.mr.dgl000|publisher|| -org.onap.dmaap.mr.dgl000|subscriber|| -org.onap.dmaap.mr.dgl_ready|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.dgl_ready|access|*|*'}" -org.onap.dmaap.mr.dgl_ready|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.dgl_ready|access|*|read'}" -org.onap.dmaap.mr.dgl_ready|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view'}" -org.onap.dmaap.mr.dgl_ready|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view'}" -org.onap.dmaap.mr.IdentityTopic-12345|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.IdentityTopic-12345|access|*|*'}" -org.onap.dmaap.mr.IdentityTopic-12345|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.IdentityTopic-12345|access|*|read'}" -org.onap.dmaap.mr.IdentityTopic-12345|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view'}" -org.onap.dmaap.mr.IdentityTopic-12345|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|*'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|read'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|pub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view'}" -org.onap.dmaap.mr|mirrormaker.admin||"{'org.onap.dmaap.mr|mirrormaker|*|admin'}" -org.onap.dmaap.mr.mirrormakeragent|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.mirrormakeragent|access|*|*'}" -org.onap.dmaap.mr.mirrormakeragent|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.mirrormakeragent|access|*|read'}" -org.onap.dmaap.mr.mirrormakeragent|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view'}" -org.onap.dmaap.mr.mirrormakeragent|pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub'}" -org.onap.dmaap.mr.mirrormakeragent|sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub'}" -org.onap.dmaap.mr.mirrormakeragent|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view'}" -org.onap.dmaap.mr|mirrormaker.user||"{'org.onap.dmaap.mr|mirrormaker|*|user'}" -org.onap.dmaap.mr|mmagent.sub|| -org.onap.dmaap.mr|mmagent.sub1||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|sub'}" -org.onap.dmaap.mr|mrtesttopic.pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|pub'}" -org.onap.dmaap.mr|mrtesttopic.sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|sub'}" -org.onap.dmaap.mr|mrtestt.pub|| -org.onap.dmaap-mr|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr|access|*|read'}" -org.onap.dmaap.mr|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr|access|*|read'}" -org.onap.dmaap.mr.partitionTest-1546033194|admin|AAF Namespace 
Administrators|"{'org.onap.dmaap.mr.partitionTest-1546033194|access|*|*'}" -org.onap.dmaap.mr.partitionTest-1546033194|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.partitionTest-1546033194|access|*|read'}" -org.onap.dmaap.mr.PM_MAPPER|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PM_MAPPER|access|*|*'}" -org.onap.dmaap.mr.PM_MAPPER|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PM_MAPPER|access|*|read'}" -org.onap.dmaap.mr.PM_MAPPER|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view'}" -org.onap.dmaap.mr.PM_MAPPER|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view'}" -org.onap.dmaap.mr.PNF_READY|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PNF_READY|access|*|*'}" -org.onap.dmaap.mr.PNF_READY|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PNF_READY|access|*|read'}" -org.onap.dmaap.mr.PNF_READY|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view'}" -org.onap.dmaap.mr.PNF_READY|pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|view'}" -org.onap.dmaap.mr.PNF_READY|sub|| -org.onap.dmaap.mr.PNF_READY|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|sub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PNF_REGISTRATION|access|*|*'}" -org.onap.dmaap.mr.PNF_REGISTRATION|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PNF_REGISTRATION|access|*|read'}" -org.onap.dmaap.mr.PNF_REGISTRATION|pub|| -org.onap.dmaap.mr.PNF_REGISTRATION|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr|PNF_REGISTRATION.sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap-mr|Publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|pub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|view'}" -org.onap.dmaap-mr|sai||"{'org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap.mr|service||"{'org.onap.dmaap.mr|access|*|read'}" -org.onap.dmaap-mr.sunil|admin2||"{'org.onap.dmaap-mr.sunil|test|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap-mr.sunil|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr.sunil|access|*|*'}" -org.onap.dmaap-mr.sunil|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr.sunil|access|*|read'}" -org.onap.dmaap.mr|test1||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.test1|pub'}" -org.onap.dmaap-mr.test|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr.test|access|*|*'}" -org.onap.dmaap-mr.test|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr.test|access|*|read'}" -org.onap.dmaap.mr.topic-000|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-000|access|*|*'}" -org.onap.dmaap.mr.topic-000|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-000|access|*|read'}" -org.onap.dmaap.mr.topic-000|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view'}" 
-org.onap.dmaap.mr.topic-000|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view'}" -org.onap.dmaap.mr.topic-001|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-001|access|*|*'}" -org.onap.dmaap.mr.topic-001|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-001|access|*|read'}" -org.onap.dmaap.mr.topic-001|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view'}" -org.onap.dmaap.mr.topic-001|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view'}" -org.onap.dmaap.mr.topic-002|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-002|access|*|*'}" -org.onap.dmaap.mr.topic-002|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-002|access|*|read'}" -org.onap.dmaap.mr.topic-002|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view'}" -org.onap.dmaap.mr.topic-002|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view'}" -org.onap.dmaap.mr|view||"{'org.onap.dmaap.mr|topic|*|view'}" -org.onap.dmaap.mr|viewtest||"{'org.onap.dmaap.mr|viewtest|*|view'}" -org.onap.dmaap|owner|AAF Namespace Owners|"{'org.onap.dmaap|access|*|read'}" -org.onap.holmes|admin|AAF Namespace Administrators|"{'org.onap.holmes|access|*|*'}" -org.onap.holmes|owner|AAF Namespace Owners|"{'org.onap.holmes|access|*|read'}" -org.onap.holmes|service|| -org.onap.holmes-engine-mgmt|admin|AAF Namespace Administrators|"{'org.onap.holmes-engine-mgmt|access|*|*', 'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-engine-mgmt|owner|AAF Namespace Owners|"{'org.onap.holmes-engine-mgmt|access|*|read'}" 
-org.onap.holmes-engine-mgmt|seeCerts||"{'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-engine-mgmt|service||"{'org.onap.holmes-engine-mgmt|access|*|*'}" -org.onap.holmes-rule-mgmt|admin|AAF Namespace Administrators|"{'org.onap.holmes-rule-mgmt|access|*|*', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-rule-mgmt|owner|AAF Namespace Owners|"{'org.onap.holmes-rule-mgmt|access|*|read'}" -org.onap.holmes-rule-mgmt|seeCerts||"{'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-rule-mgmt|service||"{'org.onap.holmes-rule-mgmt|access|*|*'}" -org.onap.msb-eag|admin|AAF Namespace Administrators|"{'org.onap.msb-eag|access|*|*'}" -org.onap.msb-eag|owner|AAF Namespace Owners|"{'org.onap.msb-eag|access|*|read'}" -org.onap.msb-eag|service||"{'org.onap.msb-eag|access|*|*'}" -org.onap.msb-iag|admin|AAF Namespace Administrators|"{'org.onap.msb-iag|access|*|*'}" -org.onap.msb-iag|owner|AAF Namespace Owners|"{'org.onap.msb-iag|access|*|read'}" -org.onap.msb-iag|service||"{'org.onap.msb-iag|access|*|*'}" -org.onap.music|admin|AAF Namespace Administrators|"{'org.onap.music|access|*|*', 'org.onap.music|certman|local|request,ignoreIPs,showpass'}" -org.onap.music|owner|AAF Namespace Owners|"{'org.onap.music|access|*|read'}" -org.onap.music|service|| -org.onap.nbi|admin|AAF Namespace Administrators|"{'org.onap.nbi|access|*|*', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass'}" -org.onap.nbi|owner|AAF Namespace Owners|"{'org.onap.nbi|access|*|read'}" -org.onap.nbi|seeCerts||"{'org.onap.nbi|certman|local|request,ignoreIPs,showpass'}" -org.onap.nbi|service||"{'org.onap.nbi|access|*|*'}" -org.onap.oof|admin|AAF Namespace Administrators|"{'org.onap.oof|access|*|*', 'org.onap.oof|certman|local|request,ignoreIPs,showpass'}" -org.onap.oof|owner|AAF Namespace Owners|"{'org.onap.oof|access|*|read'}" -org.onap.oof|service||"{'org.onap.oof|access|*|*'}" -org.onap|owner|onap 
Owners|"{'org.onap.access|*|read'}" -org.onap.policy|Account_Administrator|null| -org.onap.policy|admin||"{'org.onap.policy|access|*|*'}" -org.onap.policy|owner|AAF Namespace Owners|"{'org.onap.policy|access|*|read'}" -org.onap.policy|pdpd.admin|pdpd.admin|"{'org.onap.policy|access|*|*', 'org.onap.policy|access|*|read', 'org.onap.policy|pdpd.healthcheck.configuration|*|get', 'org.onap.policy|pdpd.healthcheck|*|get', 'org.onap.policy|pdpd.telemetry|*|delete', 'org.onap.policy|pdpd.telemetry|*|get', 'org.onap.policy|pdpd.telemetry|*|post', 'org.onap.policy|pdpd.telemetry|*|put'}" -org.onap.policy|pdpd.monitor|pdpd.monitor|"{'org.onap.policy|pdpd.healthcheck|*|get', 'org.onap.policy|pdpd.telemetry|*|get'}" -org.onap.policy|pdpx.admin|pdpx.admin|"{'org.onap.policy|pdpx.config|*|*', 'org.onap.policy|pdpx.createDictionary|*|*', 'org.onap.policy|pdpx.createPolicy|*|*', 'org.onap.policy|pdpx.decision|*|*', 'org.onap.policy|pdpx.getConfigByPolicyName|*|*', 'org.onap.policy|pdpx.getConfig|*|*', 'org.onap.policy|pdpx.getDecision|*|*', 'org.onap.policy|pdpx.getDictionary|*|*', 'org.onap.policy|pdpx.getMetrics|*|*', 'org.onap.policy|pdpx.listConfig|*|*', 'org.onap.policy|pdpx.listPolicy|*|*', 'org.onap.policy|pdpx.list|*|*', 'org.onap.policy|pdpx.policyEngineImport|*|*', 'org.onap.policy|pdpx.pushPolicy|*|*', 'org.onap.policy|pdpx.sendEvent|*|*', 'org.onap.policy|pdpx.updateDictionary|*|*', 'org.onap.policy|pdpx.updatePolicy|*|*'}" -org.onap.policy|pdpx.monitor|pdpx.monitor| -org.onap.policy|Policy_Admin|Policy_Admin|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*'}" -org.onap.policy|Policy_Editor|Policy_Editor|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 
'org.onap.policy|url|policy_push|*'}" -org.onap.policy|Policy_Guest|Policy_Guest|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*'}" -org.onap.policy|Policy_Super_Admin|Policy_Super_Admin|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_admin|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*', 'org.onap.policy|url|policy_roles|*'}" -org.onap.policy|Policy_Super_Guest|Policy_Super_Guest|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*'}" -org.onap.policy|seeCerts|seeCerts|"{'org.onap.policy|certman|local|request,ignoreIPs,showpass'}" -org.onap.policy|Standard_User|Standard User|"{'org.onap.policy|menu|menu_ajax|*', 'org.onap.policy|menu|menu_customer_create|*', 'org.onap.policy|menu|menu_customer|*', 'org.onap.policy|menu|menu_home|*', 'org.onap.policy|menu|menu_itracker|*', 'org.onap.policy|menu|menu_logout|*', 'org.onap.policy|menu|menu_map|*', 'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|menu|menu_profile|*', 'org.onap.policy|menu|menu_reports|*', 'org.onap.policy|menu|menu_tab|*', 'org.onap.policy|url|login|*', 'org.onap.policy|url|policy_admin|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*', 'org.onap.policy|url|policy_roles|*'}" -org.onap.policy|System_Administrator|System Administrator|"{'org.onap.policy|menu|menu_admin|*', 'org.onap.policy|menu|menu_ajax|*', 'org.onap.policy|menu|menu_customer_create|*', 'org.onap.policy|menu|menu_customer|*', 'org.onap.policy|menu|menu_feedback|*', 'org.onap.policy|menu|menu_help|*', 
'org.onap.policy|menu|menu_home|*', 'org.onap.policy|menu|menu_itracker|*', 'org.onap.policy|menu|menu_job_create|*', 'org.onap.policy|menu|menu_job|*', 'org.onap.policy|menu|menu_logout|*', 'org.onap.policy|menu|menu_notes|*', 'org.onap.policy|menu|menu_process|*', 'org.onap.policy|menu|menu_profile_create|*', 'org.onap.policy|menu|menu_profile_import|*', 'org.onap.policy|menu|menu_profile|*', 'org.onap.policy|menu|menu_reports|*', 'org.onap.policy|menu|menu_sample|*', 'org.onap.policy|menu|menu_tab|*', 'org.onap.policy|menu|menu_test|*', 'org.onap.policy|url|doclib_admin|*', 'org.onap.policy|url|doclib|*', 'org.onap.policy|url|login|*'}" -org.onap.pomba|admin|AAF Namespace Administrators|"{'org.onap.pomba|access|*|*'}" -org.onap.pomba|owner|AAF Namespace Owners|"{'org.onap.pomba|access|*|read'}" -org.onap.portal|Account_Administrator|Account Administrator|"{'org.onap.portal|menu|menu_acc_admin|*', 'org.onap.portal|url|centralizedApps|*', 'org.onap.portal|url|getAdminNotifications|*', 'org.onap.portal|url|getAllWebAnalytics|*', 'org.onap.portal|url|getFunctionalMenuRole|*', 'org.onap.portal|url|getNotificationAppRoles|*', 'org.onap.portal|url|getUserAppsWebAnalytics|*', 'org.onap.portal|url|getUserJourneyAnalyticsReport|*', 'org.onap.portal|url|get_role_functions%2f%2a|*', 'org.onap.portal|url|get_roles%2f%2a|*', 'org.onap.portal|url|notification_code|*', 'org.onap.portal|url|role_function_list%2fsaveRoleFunction%2f%2a|*', 'org.onap.portal|url|syncRoles|*', 'org.onap.portal|url|userAppRoles|*', 'org.onap.portal|url|userApps|*'}" -org.onap.portal|admin|Portal Admins|"{'org.onap.portal.access|*|*'}" -org.onap.portal|owner|Portal Owner|"{'org.onap.portal.access|*|read'}" -org.onap.portal|Portal_Notification_Admin|Portal Notification Admin|"{'org.onap.portal|url|edit_notification|*', 'org.onap.portal|url|getAdminNotifications|*', 'org.onap.portal|url|saveNotification|*'}" -org.onap.portal|Portal_Usage_Analyst|Portal Usage 
Analyst|"{'org.onap.portal|menu|menu_web_analytics|*'}" -org.onap.portal|Restricted_App_Role|Restricted App Role| -org.onap.portal|Standard_User|Standard User|"{'org.onap.portal|menu|menu_home|*', 'org.onap.portal|menu|menu_logout|*', 'org.onap.portal|url|login|*'}" -org.onap.portal|System_Administrator|System Administrator|"{'org.onap.portal|menu|menu_acc_admin|*', 'org.onap.portal|menu|menu_admin|*', 'org.onap.portal|menu|menu_home|*', 'org.onap.portal|menu|menu_logout|*', 'org.onap.portal|url|login|*'}" -org.onap.portal.test|admin|AAF Namespace Administrators|"{'org.onap.portal.test|access|*|*'}" -org.onap.portal.test|oof-homing|| -org.onap.portal.test|owner|AAF Namespace Owners|"{'org.onap.portal.test|access|*|read'}" -org.onap.portal.test|user1|| -org.onap.portal|Usage_Analyst|Usage Analyst|"{'org.onap.portal|menu|menu_admin|*', 'org.onap.portal|menu|menu_task_search|*', 'org.onap.portal|menu|menu_task|*', 'org.onap.portal|menu|menu_web_analytics|*'}" -org.onap.refrepo|admin|AAF Namespace Administrators|"{'org.onap.refrepo|access|*|*', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass'}" -org.onap.refrepo|owner|AAF Namespace Owners|"{'org.onap.refrepo|access|*|read'}" -org.onap.refrepo|seeCerts||"{'org.onap.refrepo|certman|local|request,ignoreIPs,showpass'}" -org.onap.refrepo|service||"{'org.onap.refrepo|access|*|*'}" -org.onap.sdc|Account_Administrator|| -org.onap.sdc|admin|AAF Namespace Administrators|"{'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|access|*|*', 'org.onap.sdc|administrator.access|*|*', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass'}" -org.onap.sdc|ADMIN|ADMIN| -org.onap.sdc|app|app| -org.onap.sdc|designer||"{'org.onap.sdc|designer.access|*|*'}" -org.onap.sdc|governor||"{'org.onap.sdc|governance.access|*|*'}" -org.onap.sdc|ops||"{'org.onap.sdc|operations.access|*|*'}" -org.onap.sdc|owner|AAF Namespace Owners|"{'org.onap.sdc|access|*|read'}" -org.onap.sdc|tester||"{'org.onap.sdc|tester.access|*|*'}" 
-org.onap.sdc|TESTOR|TESTOR| -org.onap.sdnc|admin|AAF Namespace Administrators|"{'org.onap.sdnc|access|*|*', 'org.onap.sdnc|odl|odl-api|*'}" -org.onap.sdnc-cds|admin|AAF Namespace Administrators|"{'org.onap.sdnc-cds|access|*|*'}" -org.onap.sdnc-cds|owner|AAF Namespace Owners|"{'org.onap.sdnc-cds|access|*|read'}" -org.onap.sdnc-cds|service||"{'org.onap.sdnc-cds|access|*|*'}" -org.onap.sdnc|owner|AAF Namespace Owners|"{'org.onap.sdnc|access|*|read'}" -org.onap.sdnc|service||"{'org.onap.sdnc|access|*|*', 'org.onap.sdnc|odl|odl-api|*', 'org.onap.sdnc|odl|odl-api|create', 'org.onap.sdnc|odl|odl-api|delete', 'org.onap.sdnc|odl|odl-api|read', 'org.onap.sdnc|odl|odl-api|update'}" -org.onap.so|admin|AAF Namespace Administrators|"{'org.onap.so|access|*|*', 'org.onap.so|certman|local|request,ignoreIPs,showpass'}" -org.onap.so|app||"{'org.onap.so|access|*|*'}" -org.onap.so|owner|AAF Namespace Owners|"{'org.onap.so|access|*|read'}" -org.onap.so|seeCerts||"{'org.onap.so|certman|local|request,ignoreIPs,showpass'}" -org.onap.vfc|admin|AAF Namespace Administrators|"{'org.onap.vfc|access|*|*'}" -org.onap.vfc|owner|AAF Namespace Owners|"{'org.onap.vfc|access|*|read'}" -org.onap.vfc|service||"{'org.onap.vfc|access|*|*'}" -org.onap.vid1|admin|AAF Namespace Administrators|"{'org.onap.vid1|access|*|*'}" -org.onap.vid1|owner|AAF Namespace Owners|"{'org.onap.vid1|access|*|read'}" -org.onap.vid2|admin|AAF Namespace Administrators|"{'org.onap.vid2|access|*|*'}" -org.onap.vid2|owner|AAF Namespace Owners|"{'org.onap.vid2|access|*|read'}" -org.onap.vid|Account_Administrator|| -org.onap.vid|admin|AAF Namespace Administrators|"{'org.onap.vid|access|*|*'}" -org.onap.vid|Demonstration___gNB|| -org.onap.vid|Demonstration___vCPE|| -org.onap.vid|Demonstration___vFW|| -org.onap.vid|Demonstration___vFWCL|| -org.onap.vid|Demonstration___vIMS|| -org.onap.vid|Demonstration___vLB|| -org.onap.vid|member|member| -org.onap.vid|owner|AAF Namespace Owners|"{'org.onap.vid|access|*|read'}" 
-org.onap.vid|seeCerts|seeCerts| -org.onap.vid|service|service| -org.onap.vid|Standard_User|Standard User|"{'org.onap.vid|menu|menu_ajax|*', 'org.onap.vid|menu|menu_changemanagement|*', 'org.onap.vid|menu|menu_customer_create|*', 'org.onap.vid|menu|menu_customer|*', 'org.onap.vid|menu|menu_home|*', 'org.onap.vid|menu|menu_itracker|*', 'org.onap.vid|menu|menu_logout|*', 'org.onap.vid|menu|menu_map|*', 'org.onap.vid|menu|menu_newserinstance|*', 'org.onap.vid|menu|menu_profile|*', 'org.onap.vid|menu|menu_reports|*', 'org.onap.vid|menu|menu_searchexisting|*', 'org.onap.vid|menu|menu_servicemodels|*', 'org.onap.vid|menu|menu_tab|*', 'org.onap.vid|menu|menu_viewlog|*', 'org.onap.vid|url|login|*'}" -org.onap.vid|System_Administrator|System Administrator|"{'org.onap.vid|menu|menu_admin|*', 'org.onap.vid|menu|menu_ajax|*', 'org.onap.vid|menu|menu_changemanagement|*', 'org.onap.vid|menu|menu_customer_create|*', 'org.onap.vid|menu|menu_customer|*', 'org.onap.vid|menu|menu_feedback|*', 'org.onap.vid|menu|menu_help|*', 'org.onap.vid|menu|menu_home|*', 'org.onap.vid|menu|menu_itracker|*', 'org.onap.vid|menu|menu_job_create|*', 'org.onap.vid|menu|menu_job|*', 'org.onap.vid|menu|menu_logout|*', 'org.onap.vid|menu|menu_newserinstance|*', 'org.onap.vid|menu|menu_notes|*', 'org.onap.vid|menu|menu_process|*', 'org.onap.vid|menu|menu_profile_create|*', 'org.onap.vid|menu|menu_profile_import|*', 'org.onap.vid|menu|menu_profile|*', 'org.onap.vid|menu|menu_reports|*', 'org.onap.vid|menu|menu_sample|*', 'org.onap.vid|menu|menu_searchexisting|*', 'org.onap.vid|menu|menu_servicemodels|*', 'org.onap.vid|menu|menu_tab|*', 'org.onap.vid|menu|menu_test|*', 'org.onap.vid|menu|menu_viewlog|*', 'org.onap.vid|url|doclib_admin|*', 'org.onap.vid|url|doclib|*', 'org.onap.vid|url|login|*'}" -org.onap.uui|admin|AAF Namespace Administrators|"{'org.onap.uui|access|*|*', 'org.onap.uui|certman|local|request,ignoreIPs,showpass'}" -org.onap.uui|owner|AAF Namespace Owners|"{'org.onap.uui|access|*|read'}" 
-org.onap.uui|seeCerts||"{'org.onap.uui|certman|local|request,ignoreIPs,showpass'}" -org.onap.uui|service||"{'org.onap.uui|access|*|*'}" -org.openecomp|admin|OpenEcomp Admins|"{'org.openecomp.access|*|*'}" -org.openecomp.dmaapBC|admin|AAF Admins|"{'org.openecomp.dmaapBC.access|*|*', 'org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|pub', 'org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|sub', 'org.openecomp.dmaapBC.topicFactory|:org.openecomp.dmaapBC.topic:org.openecomp.dmaapBC|create'}" -org.openecomp.dmaapBC|owner|AAF Owners|"{'org.openecomp.dmaapBC.access|*|read'}" -org.openecomp|owner|OpenEcomp Owners|"{'org.openecomp.access|*|read'}" -org.osaaf.aaf|admin|AAF Admins|"{'org.osaaf.aaf.access|*|*', 'org.osaaf.aaf|cache|all|clear', 'org.osaaf.aaf|cache|role|clear', 'org.osaaf.aaf|password|*|create,reset'}" -org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.a1p|certman|local|request,ignoreIPs,showpass', 'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-resources|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.cli|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 
'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.onap.uui|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}" -org.osaaf.aaf|owner|AAF Owners|"{'org.osaaf.aaf.access|*|read,approve'}" -org.osaaf.aaf|service||"{'org.osaaf.aaf|cache|*|clear'}" -org.osaaf|admin|OSAAF Admins|"{'org.osaaf.access|*|*'}" -org.osaaf|owner|OSAAF Owners|"{'org.osaaf.access|*|read,approve'}" -org.osaaf.people|admin|AAF Namespace Administrators|"{'org.osaaf.people|access|*|*'}" -org.osaaf.people|owner|AAF Namespace Owners|"{'org.osaaf.people|access|*|read'}" -org|owner|Org Owners|"{'org.access|*|read,approve'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat deleted file mode 100644 index bc9f0ec833..0000000000 
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat +++ /dev/null 
@@ -1,430 +0,0 @@ -mmanager@people.osaaf.org|org.onap.a1p.admin|2020-11-26 12:31:54.000+0000|org.onap.a1p|admin -mmanager@people.osaaf.org|org.onap.a1p.owner|2020-11-26 12:31:54.000+0000|org.onap.a1p|owner -mmanager@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -mmanager@people.osaaf.org|org.onap.aaf-sms.owner|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|owner -mmanager@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -mmanager@people.osaaf.org|org.onap.aai.owner|2020-11-26 12:31:54.000+0000|org.onap.aai|owner -mmanager@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -mmanager@people.osaaf.org|org.onap.aai-resources.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|owner -mmanager@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin -mmanager@people.osaaf.org|org.onap.aai-schema-service.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|owner -mmanager@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin -mmanager@people.osaaf.org|org.onap.aai-traversal.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|owner -mmanager@people.osaaf.org|org.onap.admin|2020-11-26 12:31:54.000+0000|org.onap|admin -mmanager@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -mmanager@people.osaaf.org|org.onap.appc.owner|2020-11-26 12:31:54.000+0000|org.onap.appc|owner -mmanager@people.osaaf.org|org.onap.appc-cdt.admin|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|admin -mmanager@people.osaaf.org|org.onap.appc-cdt.owner|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|owner -mmanager@people.osaaf.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -mmanager@people.osaaf.org|org.onap.cds.owner|2020-11-26 12:31:54.000+0000|org.onap.cds|owner 
-mmanager@people.osaaf.org|org.onap.clamp.admin|2020-11-26 12:31:54.000+0000|org.onap.clamp|admin -mmanager@people.osaaf.org|org.onap.clamp.owner|2020-11-26 12:31:54.000+0000|org.onap.clamp|owner -mmanager@people.osaaf.org|org.onap.cli.admin|2020-11-26 12:31:54.000+0000|org.onap.cli|admin -mmanager@people.osaaf.org|org.onap.cli.owner|2020-11-26 12:31:54.000+0000|org.onap.cli|owner -mmanager@people.osaaf.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -mmanager@people.osaaf.org|org.onap.dcae.owner|2020-11-26 12:31:54.000+0000|org.onap.dcae|owner -mmanager@people.osaaf.org|org.onap.dmaap.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -mmanager@people.osaaf.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc-mm-prov.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|owner -mmanager@people.osaaf.org|org.onap.dmaap-bc.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|owner -mmanager@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|owner -mmanager@people.osaaf.org|org.onap.dmaap-dr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123450.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123450|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123451.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|owner 
-mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-1547667570.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-1547667570|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547665517.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547665517|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666628.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666628|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666760.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666760|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666950.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666950|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547667031.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547667031|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-123456.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123456|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-123457.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123457|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547660509.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660509|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547660861.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660861|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547661011.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547661011|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547662122.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662122|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547662451.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662451|owner 
-mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547664813.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664813|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547664928.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664928|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547666068.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547666068|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTopic-1547654909.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTopic-1547654909|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.dgl000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.partitionTest-1546033194.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.partitionTest-1546033194|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.sunil.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.test.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|owner -mmanager@people.osaaf.org|org.onap.dmaap.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap|owner -mmanager@people.osaaf.org|org.onap.holmes.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes|owner -mmanager@people.osaaf.org|org.onap.holmes-engine-mgmt.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|owner -mmanager@people.osaaf.org|org.onap.holmes-rule-mgmt.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|owner -mmanager@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -mmanager@people.osaaf.org|org.onap.msb-eag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|owner 
-mmanager@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -mmanager@people.osaaf.org|org.onap.msb-iag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|owner -mmanager@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -mmanager@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -mmanager@people.osaaf.org|org.onap.nbi.owner|2020-11-26 12:31:54.000+0000|org.onap.nbi|owner -mmanager@people.osaaf.org|org.onap.ngi.owner|2020-11-26 12:31:54.000+0000|org.onap.ngi|owner -mmanager@people.osaaf.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -mmanager@people.osaaf.org|org.onap.oof.owner|2020-11-26 12:31:54.000+0000|org.onap.oof|owner -mmanager@people.osaaf.org|org.onap.owner|2020-11-26 12:31:54.000+0000|org.onap|owner -mmanager@people.osaaf.org|org.onap.policy.owner|2020-11-26 12:31:54.000+0000|org.onap.policy|owner -mmanager@people.osaaf.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -mmanager@people.osaaf.org|org.onap.pomba.owner|2020-11-26 12:31:54.000+0000|org.onap.pomba|owner -mmanager@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -mmanager@people.osaaf.org|org.onap.portal.owner|2020-11-26 12:31:54.000+0000|org.onap.portal|owner -mmanager@people.osaaf.org|org.onap.refrepo.owner|2020-11-26 12:31:54.000+0000|org.onap.refrepo|owner -mmanager@people.osaaf.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -mmanager@people.osaaf.org|org.onap.sdc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdc|owner -mmanager@people.osaaf.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -mmanager@people.osaaf.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -mmanager@people.osaaf.org|org.onap.sdnc-cds.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|owner 
-mmanager@people.osaaf.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -mmanager@people.osaaf.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -mmanager@people.osaaf.org|org.onap.so.owner|2020-11-26 12:31:54.000+0000|org.onap.so|owner -mmanager@people.osaaf.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -mmanager@people.osaaf.org|org.onap.vfc.owner|2020-11-26 12:31:54.000+0000|org.onap.vfc|owner -mmanager@people.osaaf.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -mmanager@people.osaaf.org|org.onap.vid1.owner|2020-11-26 12:31:54.000+0000|org.onap.vid1|owner -mmanager@people.osaaf.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -mmanager@people.osaaf.org|org.onap.vid2.owner|2020-11-26 12:31:54.000+0000|org.onap.vid2|owner -mmanager@people.osaaf.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -mmanager@people.osaaf.org|org.onap.vid.owner|2020-11-26 12:31:54.000+0000|org.onap.vid|owner -mmanager@people.osaaf.org|org.onap.uui.owner|2020-11-26 12:31:54.000+0000|org.onap.uui|owner -mmanager@people.osaaf.org|org.osaaf.people.owner|2020-11-26 12:31:54.000+0000|org.osaaf.people|owner -portal@portal.onap.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -portal@portal.onap.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -portal@portal.onap.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -portal@portal.onap.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -portal@portal.onap.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc -portal@portal.onap.org|org.onap.appc.restconf|2020-11-26 12:31:54.000+0000|org.onap.appc|restconf -portal@portal.onap.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -portal@portal.onap.org|org.onap.clamp.admin|2020-11-26 
12:31:54.000+0000|org.onap.clamp|admin -portal@portal.onap.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -portal@portal.onap.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -portal@portal.onap.org|org.onap.dmaap-bc.api.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|admin -portal@portal.onap.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -portal@portal.onap.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -portal@portal.onap.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -portal@portal.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -portal@portal.onap.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -portal@portal.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -portal@portal.onap.org|org.onap.dmaap.mr.dgl_ready.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|owner -portal@portal.onap.org|org.onap.dmaap.mr.IdentityTopic-12345.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|owner -portal@portal.onap.org|org.onap.dmaap.mr.IdentityTopic-1547839476.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|owner -portal@portal.onap.org|org.onap.dmaap.mr.mirrormakeragent.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|owner -portal@portal.onap.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -portal@portal.onap.org|org.onap.dmaap.mr.PM_MAPPER.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|owner -portal@portal.onap.org|org.onap.dmaap.mr.PNF_READY.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|owner -portal@portal.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.owner|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|owner -portal@portal.onap.org|org.onap.dmaap-mr.sunil.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|admin -portal@portal.onap.org|org.onap.dmaap.mr.test1|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|test1 -portal@portal.onap.org|org.onap.dmaap-mr.test.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|admin -portal@portal.onap.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|owner -portal@portal.onap.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner -portal@portal.onap.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner -portal@portal.onap.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin -portal@portal.onap.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -portal@portal.onap.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -portal@portal.onap.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -portal@portal.onap.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -portal@portal.onap.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin -portal@portal.onap.org|org.onap.ngi.admin|2020-11-26 12:31:54.000+0000|org.onap.ngi|admin -portal@portal.onap.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -portal@portal.onap.org|org.onap.policy.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|admin -portal@portal.onap.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -portal@portal.onap.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -portal@portal.onap.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -portal@portal.onap.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin 
-portal@portal.onap.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -portal@portal.onap.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -portal@portal.onap.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -portal@portal.onap.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -portal@portal.onap.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -portal@portal.onap.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -portal@portal.onap.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -portal@portal.onap.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -portal@portal.onap.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -shi@portal.onap.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -demo@mr.dmaap.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -demo@people.osaaf.org|org.onap.aai.aaiui|2020-11-26 12:31:54.000+0000|org.onap.aai|aaiui -demo@people.osaaf.org|org.onap.aai.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.aai|Account_Administrator -demo@people.osaaf.org|org.onap.aai.resources_readonly|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_readonly -demo@people.osaaf.org|org.onap.aai.traversal_basic|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_basic -demo@people.osaaf.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -demo@people.osaaf.org|org.onap.dcae.pnfPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfPublisher -demo@people.osaaf.org|org.onap.dcae.pnfSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfSubscriber -demo@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -demo@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123451.publisher|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|publisher -demo@people.osaaf.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -demo@people.osaaf.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -demo@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.pub -demo@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -demo@people.osaaf.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -demo@people.osaaf.org|org.onap.policy.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.policy|Account_Administrator -demo@people.osaaf.org|org.onap.policy.pdpd.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpd.admin -demo@people.osaaf.org|org.onap.policy.pdpx.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpx.admin -demo@people.osaaf.org|org.onap.policy.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.policy|System_Administrator -demo@people.osaaf.org|org.onap.portal.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.portal|Account_Administrator -demo@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -demo@people.osaaf.org|org.onap.portal.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.portal|System_Administrator 
-demo@people.osaaf.org|org.onap.portal.test.admin|2020-11-26 12:31:54.000+0000|org.onap.portal.test|admin -demo@people.osaaf.org|org.onap.portal.test.owner|2020-11-26 12:31:54.000+0000|org.onap.portal.test|owner -demo@people.osaaf.org|org.onap.portal.test.user1|2020-11-26 12:31:54.000+0000|org.onap.portal.test|user1 -demo@people.osaaf.org|org.onap.sdc.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.sdc|Account_Administrator -demo@people.osaaf.org|org.onap.sdc.ADMIN|2020-11-26 12:31:54.000+0000|org.onap.sdc|ADMIN -demo@people.osaaf.org|org.onap.vid.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|Account_Administrator -demo@people.osaaf.org|org.onap.vid.Demonstration___gNB|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___gNB -demo@people.osaaf.org|org.onap.vid.Demonstration___vCPE|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vCPE -demo@people.osaaf.org|org.onap.vid.Demonstration___vFW|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vFW -demo@people.osaaf.org|org.onap.vid.Demonstration___vFWCL|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vFWCL -demo@people.osaaf.org|org.onap.vid.Demonstration___vIMS|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vIMS -demo@people.osaaf.org|org.onap.vid.Demonstration___vLB|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vLB -demo@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -jh0003@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -jh0003@people.osaaf.org|org.onap.sdc.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.sdc|Account_Administrator -jh0003@people.osaaf.org|org.onap.sdc.ADMIN|2020-11-26 12:31:54.000+0000|org.onap.sdc|ADMIN -cs0008@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -jm0007@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR 
-op0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -gv0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -pm0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -ps0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -aaf_admin@people.osaaf.org|org.onap.a1p.admin|2020-11-26 12:31:54.000+0000|org.onap.a1p|admin -aaf_admin@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -aaf_admin@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -aaf_admin@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -aaf_admin@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin -aaf_admin@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin -aaf_admin@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -aaf_admin@people.osaaf.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc -aaf_admin@people.osaaf.org|org.onap.appc.restconf|2020-11-26 12:31:54.000+0000|org.onap.appc|restconf -aaf_admin@people.osaaf.org|org.onap.appc-cdt.admin|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|admin -aaf_admin@people.osaaf.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -aaf_admin@people.osaaf.org|org.onap.clamp.admin|2020-11-26 12:31:54.000+0000|org.onap.clamp|admin -aaf_admin@people.osaaf.org|org.onap.cli.admin|2020-11-26 12:31:54.000+0000|org.onap.cli|admin -aaf_admin@people.osaaf.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.api.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap-bc.api|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -aaf_admin@people.osaaf.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.dgl_ready.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.IdentityTopic-12345.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.IdentityTopic-1547839476.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PM_MAPPER.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PNF_READY.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PNF_REGISTRATION.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|owner -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.sunil.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.test1|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr|test1 -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.test.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner -aaf_admin@people.osaaf.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin -aaf_admin@people.osaaf.org|org.onap.holmes-engine-mgmt.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|admin -aaf_admin@people.osaaf.org|org.onap.holmes-rule-mgmt.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|admin -aaf_admin@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -aaf_admin@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -aaf_admin@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -aaf_admin@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -aaf_admin@people.osaaf.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin -aaf_admin@people.osaaf.org|org.onap.ngi.admin|2020-11-26 12:31:54.000+0000|org.onap.ngi|admin -aaf_admin@people.osaaf.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -aaf_admin@people.osaaf.org|org.onap.policy.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|admin -aaf_admin@people.osaaf.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -aaf_admin@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -aaf_admin@people.osaaf.org|org.onap.refrepo.admin|2020-11-26 12:31:54.000+0000|org.onap.refrepo|admin 
-aaf_admin@people.osaaf.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -aaf_admin@people.osaaf.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -aaf_admin@people.osaaf.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -aaf_admin@people.osaaf.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -aaf_admin@people.osaaf.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -aaf_admin@people.osaaf.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -aaf_admin@people.osaaf.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -aaf_admin@people.osaaf.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -aaf_admin@people.osaaf.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -aaf_admin@people.osaaf.org|org.onap.uui.admin|2020-11-26 12:31:54.000+0000|org.onap.uui|admin -aaf_admin@people.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -aaf_admin@people.osaaf.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -deployer@people.osaaf.org|org.osaaf.aaf.deploy|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|deploy -portal_admin@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -aaf@aaf.osaaf.org|org.admin|2020-11-26 12:31:54.000+0000|org|admin -aaf@aaf.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -aaf@aaf.osaaf.org|org.osaaf.aaf.service|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|service -aaf@aaf.osaaf.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -osaaf@aaf.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -a1p@a1p.onap.org|org.onap.a1p.service|2020-11-26 12:31:54.000+0000|org.onap.a1p|service -aaf-sms@aaf-sms.onap.org|org.onap.aaf-sms.service|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|service 
-aai@aai.onap.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -aai@aai.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -aai@aai.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -aai-resources@aai-resources.onap.org|org.onap.aai-resources.service|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|service -aai-schema-service@aai-schema-service.onap.org|org.onap.aai-schema-service.service|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|service -aai-traversal@aai-traversal.onap.org|org.onap.aai-traversal.service|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|service -appc@appc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -appc@appc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -appc@appc.onap.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -appc@appc.onap.org|org.onap.appc.odl|2020-11-26 12:31:54.000+0000|org.onap.appc|odl -appc@appc.onap.org|org.onap.appc.service|2020-11-26 12:31:54.000+0000|org.onap.appc|service -appc-cdt@appc-cdt.onap.org|org.onap.appc-cdt.service|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|service -cli@cli.onap.org|org.onap.cli.service|2020-11-26 12:31:54.000+0000|org.onap.cli|service -clamp@clampdemo.onap.org|org.onap.clampdemo.owner|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|owner -clamp@clampdemo.onap.org|org.onap.clampdemo.service|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|admin -clamp@clamp.onap.org|org.onap.clamp.clds.admin.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.admin.dev -clamp@clamp.onap.org|org.onap.clamp.clds.designer.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.designer.dev -clamp@clamp.onap.org|org.onap.clamp.clds.vf_filter_all.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.vf_filter_all.dev 
-clamp@clamp.onap.org|org.onap.clampdemo.owner|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|owner -clamp@clamp.onap.org|org.onap.clampdemo.service|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|admin -clamp@clamp.onap.org|org.onap.clamp.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.clamp|seeCerts -clamp@clamp.onap.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -clamp@clamp.onap.org|org.onap.clamptest.owner|2020-11-26 12:31:54.000+0000|org.onap.clamptest|owner -clamp@clamp.onap.org|org.onap.clamptest.service|2020-11-26 12:31:54.000+0000|org.onap.clamptest|admin -clamp@clamp.onap.org|org.onap.dmaap.mr.aNewTopic-123451.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|subscriber -clamp@clamp.onap.org|org.onap.dmaap.mr.dgl000.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|subscriber -clamp@clamp.osaaf.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -clamp@clamptest.onap.org|org.onap.clamptest.owner|2020-11-26 12:31:54.000+0000|org.onap.clamptest|owner -clamp@clamptest.onap.org|org.onap.clamptest.service|2020-11-26 12:31:54.000+0000|org.onap.clamptest|admin -dcae@dcae.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -dcae@dcae.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -dcae@dcae.onap.org|org.onap.dcae.pmPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pmPublisher -dcae@dcae.onap.org|org.onap.dcae.pmSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pmSubscriber -dcae@dcae.onap.org|org.onap.dcae.pnfPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfPublisher -dcae@dcae.onap.org|org.onap.dcae.pnfSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfSubscriber -dcae@dcae.onap.org|org.onap.dcae.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dcae|seeCerts -dcae@dcae.onap.org|org.onap.dmaap-dr.feed.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap-dr|feed.admin -dcae@dcae.onap.org|org.onap.dmaap-dr.sub.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|sub.admin -dcae@dcae.onap.org|org.onap.dmaap.mr.aNewTopic-123451.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|subscriber -dcae@dcae.onap.org|org.onap.dmaap.mr.PM_MAPPER.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|publisher -dcae@dcae.onap.org|org.onap.dmaap.mr.PNF_READY.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|pub -dcae@dcae.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|sub -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|org.onap.holmes-engine-mgmt.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|seeCerts -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|org.onap.holmes-engine-mgmt.service|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|service -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|org.onap.holmes-rule-mgmt.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|seeCerts -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|org.onap.holmes-rule-mgmt.service|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|service -oof@oof.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -oof@oof.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -oof@oof.onap.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -oof@oof.onap.org|org.onap.oof.service|2020-11-26 12:31:54.000+0000|org.onap.oof|service -so@so.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -so@so.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -so@so.onap.org|org.onap.appc.service|2020-11-26 12:31:54.000+0000|org.onap.appc|service -so@so.onap.org|org.onap.sdnc.service|2020-11-26 
12:31:54.000+0000|org.onap.sdnc|service -so@so.onap.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -so@so.onap.org|org.onap.so.app|2020-11-26 12:31:54.000+0000|org.onap.so|app -so@so.onap.org|org.onap.so.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.so|seeCerts -sdc@sdc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -sdc@sdc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -sdnc@sdnc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -sdnc@sdnc.onap.org|org.onap.dmaap.mr.aNewTopic-123451.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|publisher -sdnc@sdnc.onap.org|org.onap.dmaap.mr.dgl000.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|publisher -sdnc@sdnc.onap.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -sdnc@sdnc.onap.org|org.onap.sdnc.service|2020-11-26 12:31:54.000+0000|org.onap.sdnc|service -sdnc-cds@sdnc-cds.onap.org|org.onap.sdnc-cds.service|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|service -vfc@vfc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -vfc@vfc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -vfc@vfc.onap.org|org.onap.dmaap-mr.Publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|Publisher -vfc@vfc.onap.org|org.onap.vfc.service|2020-11-26 12:31:54.000+0000|org.onap.vfc|service -policy@policy.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -policy@policy.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -policy@policy.onap.org|org.onap.policy.pdpd.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpd.admin -policy@policy.onap.org|org.onap.policy.pdpx.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpx.admin 
-policy@policy.onap.org|org.onap.policy.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.policy|seeCerts -pomba@pomba.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -pomba@pomba.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -holmes@holmes.onap.org|org.onap.holmes.service|2020-11-26 12:31:54.000+0000|org.onap.holmes|service -msb-eag@msb-eag.onap.org|org.onap.msb-eag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|service -msb-iag@msb-iag.onap.org|org.onap.msb-iag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|service -nbi@nbi.onap.org|org.onap.nbi.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.nbi|seeCerts -nbi@nbi.onap.org|org.onap.nbi.service|2020-11-26 12:31:54.000+0000|org.onap.nbi|service -music@music.onap.org|org.onap.music.service|2020-11-26 12:31:54.000+0000|org.onap.music|service -refrepo@refrepo.onap.org|org.onap.refrepo.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.refrepo|seeCerts -refrepo@refrepo.onap.org|org.onap.refrepo.service|2020-11-26 12:31:54.000+0000|org.onap.refrepo|service -vid@vid.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -vid@vid.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -vid@vid.onap.org|org.onap.vid.service|2020-11-26 12:31:54.000+0000|org.onap.vid|service -vid1@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -vid2@people.osaaf.org|org.onap.vid.Standard_User|2020-11-26 12:31:54.000+0000|org.onap.vid|Standard_User -vid2@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -uui@uui.onap.org|org.onap.uui.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.uui|seeCerts -uui@uui.onap.org|org.onap.uui.service|2020-11-26 12:31:54.000+0000|org.onap.uui|service 
-dmaap-bc@bc.dmaap.onap.org|org.onap.dmaap.bc.service|2020-11-26 12:31:54.000+0000|org.onap.dmaap.bc|service -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|seeCerts -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.service|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|service -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.dgl000.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.mirrormakeragent.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.PM_MAPPER.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.topic-001.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.topic-002.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-bc-topic-mgr.client|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|client -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-dr.feed.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|feed.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-dr.sub.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|sub.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-123450.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123450|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-123451.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-1547667570.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-1547667570|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547665517.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547665517|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666628.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666628|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666760.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666760|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666950.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666950|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547667031.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547667031|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-123456.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123456|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-123457.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123457|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547660509.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660509|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547660861.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660861|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547661011.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547661011|admin 
-dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547662122.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662122|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547662451.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662451|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547664813.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664813|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547664928.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664928|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547666068.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547666068|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTopic-1547654909.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTopic-1547654909|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.dgl_ready.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.IdentityTopic-12345.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.IdentityTopic-1547839476.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormaker.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormaker.user|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.user -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.partitionTest-1546033194.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.partitionTest-1546033194|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.PNF_READY.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.topic-000.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormaker.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.admin -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub 
-dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormaker.user|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.user -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -dmaap-dr@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts -dmaap-dr-prov@dmaap-dr.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -dmaap-dr-prov@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts -dmaap-dr-node@dmaap-dr.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -dmaap-dr-node@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts -dmaapmr@mr.dmaap.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin diff --git a/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt b/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml b/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml deleted file mode 100644 index a10bb8a7a1..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -# ============LICENSE_START==================================================== -# org.onap.aaf -# =========================================================================== -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# =========================================================================== -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-cass-init-dats - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/cass-init-dats/*").AsConfig . | indent 2 }} 
diff --git a/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml b/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml deleted file mode 100644 index 4e18b3b746..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - echo "*** Move files from configmap to emptyDir" - cp -L /config-input-dats/* /config-dats/ - echo "*** set righ user to the different folders" - chown -R 1000:1000 /config-dats - chown -R 1000:1000 /var/lib/cassandra - chown -R 1000:1000 /status - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /var/lib/cassandra - name: aaf-cass-vol - - mountPath: /config-input-dats - name: config-cass-init-dats - - mountPath: /config-dats - name: config-cass-dats - - mountPath: /status - name: aaf-status - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 30m - memory: 100Mi - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - # installing with cmd "onap" will not only initialize the DB, but add ONAP bootstrap data as well - command: ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh","onap"] - ports: {{ include "common.containerPorts" . | nindent 10 }} - env: - - name: CASSANDRA_CLUSTER_NAME - value: {{ .Values.config.cluster_name }} - - name: CASSANDRA_DC - value: {{ .Values.config.dc }} - - name: CQLSH - value: "/opt/cassandra/bin/cqlsh" - - name: HEAP_NEWSIZE - value: {{ .Values.config.heap_new_size }} - - name: MAX_HEAP_SIZE - value: {{ .Values.config.max_heap_size }} - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - volumeMounts: - - mountPath: /var/lib/cassandra - name: aaf-cass-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/aaf/cass_init/dats - name: config-cass-dats - - mountPath: /opt/app/aaf/status - name: aaf-status - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: tcp-cql - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: tcp-cql - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . 
| nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status - emptyDir: {} - - name: aaf-cass-vol - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config-cass-init-dats - configMap: - name: {{ include "common.fullname" . }}-cass-init-dats - - name: config-cass-dats - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-cass/templates/pv.yaml b/kubernetes/aaf/components/aaf-cass/templates/pv.yaml deleted file mode 100644 index 187e9b75de..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/pv.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" . }} diff --git a/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml b/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml deleted file mode 100644 index e56c98751c..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/aaf/components/aaf-cass/templates/service.yaml b/kubernetes/aaf/components/aaf-cass/templates/service.yaml deleted file mode 100644 index 149a8708a6..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-cass/values.yaml b/kubernetes/aaf/components/aaf-cass/values.yaml deleted file mode 100644 index a1a1abe55a..0000000000 --- a/kubernetes/aaf/components/aaf-cass/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application configuration -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: tcp-cql - -image: onap/aaf/aaf_cass:2.1.23 - -config: - cluster_name: osaaf - heap_new_size: 512M - max_heap_size: 1024M - dc: dc1 - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - -service: - name: aaf-cass - type: ClusterIP - ports: - - name: tcp-intra - port: 7000 - - name: tls - port: 7001 - - name: tcp-cql - port: 9042 - - name: tcp-thrift - port: 9160 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 2100m - memory: 1792Mi - requests: - cpu: 30m - memory: 1280Mi - large: - limits: - cpu: 4 - memory: 12000Mi - requests: - cpu: 40m - memory: 9000Mi - unlimited: {} - -persistence: - enabled: true - #existingClaim: - mountPath: /dockerdata-nfs - 
mountSubPath: "cass" - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 5Gi diff --git a/kubernetes/aaf/components/aaf-cm/.helmignore b/kubernetes/aaf/components/aaf-cm/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/aaf/components/aaf-cm/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-cm/Chart.yaml b/kubernetes/aaf/components/aaf-cm/Chart.yaml deleted file mode 100644 index d2d0b5e296..0000000000 --- a/kubernetes/aaf/components/aaf-cm/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T, ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Certificate Manager -name: aaf-cm -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-templates - version: ~11.x-0 - repository: 'file://../aaf-templates' 
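Review bot: in the removed aaf-cass `values.yaml`, the `persistence` block sets `volumeReclaimPolicy: Retain` with `mountPath: /dockerdata-nfs` and `mountSubPath: "cass"`, so the Cassandra data is meant to survive release of the claim and will still be on disk after this chart is gone. The removed `deployment.yaml` starts the container with `cmd.sh onap`, which its own comment says adds the ONAP bootstrap data, so that retained directory holds the seeded identity and role records. Suggest an upgrade note telling operators to remove or archive the retained volume once AAF is no longer deployed.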
diff --git a/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt b/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml b/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml b/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-cm/templates/service.yaml b/kubernetes/aaf/components/aaf-cm/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-cm/values.yaml b/kubernetes/aaf/components/aaf-cm/values.yaml deleted file mode 100644 index 964b5c1002..0000000000 --- a/kubernetes/aaf/components/aaf-cm/values.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image -replicaCount: 1 - -binary: cm - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-cm - type: ClusterIP - ports: - - name: api - protocol: http - port: 8150 - -ingress: - enabled: false - service: - - baseaddr: "aafcm" - name: "aaf-cm" - port: 8150 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 1m - memory: 200Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 600Mi - unlimited: {} 
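Review bot: the `service` block near the end of this removed aaf-cm `values.yaml` (`name: aaf-cm`, port `api` on 8150) and the `ingress` entry with `baseaddr: "aafcm"` are the only addresses this chart published for the certificate manager, and nothing in the hunk shows whether anything that remains still points at them. A leftover reference to `aaf-cm` or port 8150 in another chart is just a string, so it would render cleanly and fail only at runtime. Please search the remaining charts for `aaf-cm` and `8150` as part of this change and state the result in the commit message.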
diff --git a/kubernetes/aaf/components/aaf-fs/Chart.yaml b/kubernetes/aaf/components/aaf-fs/Chart.yaml deleted file mode 100644 index 660b8d6dba..0000000000 --- a/kubernetes/aaf/components/aaf-fs/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF File Server -name: aaf-fs -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-templates - version: ~11.x-0 - repository: 'file://../aaf-templates' diff --git a/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt b/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml b/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml deleted file mode 100644 index 5d40538e49..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml b/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-fs/templates/service.yaml b/kubernetes/aaf/components/aaf-fs/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-fs/values.yaml b/kubernetes/aaf/components/aaf-fs/values.yaml deleted file mode 100644 index e911a10828..0000000000 --- a/kubernetes/aaf/components/aaf-fs/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image -pullPolicy: Always - -replicaCount: 1 - -binary: fs - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-fs - type: ClusterIP - ports: - - name: api - port: 8096 - protocol: http - -ingress: - enabled: false - service: - - baseaddr: "aaffs" - name: "aaf-fs" - port: 8096 - config: - ssl: "none" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 110Mi - requests: - cpu: 1m - memory: 80Mi - large: - limits: - cpu: 500m - memory: 700Mi - requests: - cpu: 100m - memory: 400Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-gui/Chart.yaml b/kubernetes/aaf/components/aaf-gui/Chart.yaml deleted file mode 100644 index 1527051771..0000000000 --- a/kubernetes/aaf/components/aaf-gui/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF GUI -name: aaf-gui -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-templates - version: ~11.x-0 - repository: 'file://../aaf-templates' diff --git a/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt b/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml b/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml deleted file mode 100644 index 5d40538e49..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml b/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-gui/templates/service.yaml b/kubernetes/aaf/components/aaf-gui/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-gui/values.yaml b/kubernetes/aaf/components/aaf-gui/values.yaml deleted file mode 100644 index e239e615ed..0000000000 --- a/kubernetes/aaf/components/aaf-gui/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - -flavor: small -################################################################# -# Application configuration defaults. -################################################################# -# application image -pullPolicy: Always - -replicaCount: 1 - -binary: gui - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: gui - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: gui - -service: - name: aaf-gui - type: NodePort - ports: - - name: gui - protocol: http - port: 8200 - nodePort: 51 - -ingress: - enabled: false - service: - - baseaddr: "aafgui" - name: "aaf-gui" - port: 8200 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 280Mi - requests: - cpu: 1m - memory: 170Mi - large: - limits: - cpu: 200m - memory: 1Gi - requests: - cpu: 100m - memory: 500Mi - unlimited: {} 
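Review bot: The deleted aaf-gui values.yaml is the only values file among the AAF components visible here that exposed a service outside the cluster (`type: NodePort` with `nodePort: 51` under `nodePortPrefix: 302`; the cm, fs, hello and locate services are all `ClusterIP`), and nothing in this hunk shows the matching cleanup. Suggest checking that the node port is dropped from any port-allocation documentation and from firewall or load-balancer rules that were opened for it, and that the release notes tell operators the GUI endpoint on port 8200 is gone, so the port does not stay reachable at the network layer with nothing owning it.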
diff --git a/kubernetes/aaf/components/aaf-hello/.helmignore b/kubernetes/aaf/components/aaf-hello/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/aaf/components/aaf-hello/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-hello/Chart.yaml b/kubernetes/aaf/components/aaf-hello/Chart.yaml deleted file mode 100644 index bc4c38de28..0000000000 --- a/kubernetes/aaf/components/aaf-hello/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Hello -name: aaf-hello -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-templates - version: ~11.x-0 - repository: 'file://../aaf-templates' 
diff --git a/kubernetes/aaf/components/aaf-hello/templates/NOTES.txt b/kubernetes/aaf/components/aaf-hello/templates/NOTES.txt deleted file mode 100644 index ef4d8e7d23..0000000000 --- a/kubernetes/aaf/components/aaf-hello/templates/NOTES.txt +++ /dev/null @@ -1,14 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - diff --git a/kubernetes/aaf/components/aaf-hello/templates/deployment.yaml b/kubernetes/aaf/components/aaf-hello/templates/deployment.yaml deleted file mode 100644 index 60e7c6bcc8..0000000000 --- a/kubernetes/aaf/components/aaf-hello/templates/deployment.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: {{ include "common.aaf-config" (dict "aafRoot" .Values.aaf_init "dot" .) | nindent 6 }} -# CONTAINER Definition - containers: - - name: {{ include "common.name" . }} - command: ["bash","-c","cd /opt/app/aaf && if [ ! -d /opt/app/osaaf/etc ]; then cp -Rf etc logs /opt/app/osaaf; fi && exec bin/hello"] - image: {{ include "repositoryGenerator.repository" . }}/{{.Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{ include "common.aaf-config-volume-mountpath" . 
| nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{- end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - volumes: {{ include "common.aaf-config-volumes" (dict "aafRoot" .Values.aaf_init "dot" .) | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-hello/templates/ingress.yaml b/kubernetes/aaf/components/aaf-hello/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-hello/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-hello/templates/secret.yaml b/kubernetes/aaf/components/aaf-hello/templates/secret.yaml deleted file mode 100644 index 9a3f011e80..0000000000 --- a/kubernetes/aaf/components/aaf-hello/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/aaf/components/aaf-hello/templates/service.yaml b/kubernetes/aaf/components/aaf-hello/templates/service.yaml deleted file mode 100644 index 149a8708a6..0000000000 --- a/kubernetes/aaf/components/aaf-hello/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-hello/values.yaml b/kubernetes/aaf/components/aaf-hello/values.yaml deleted file mode 100644 index df3abec67c..0000000000 --- a/kubernetes/aaf/components/aaf-hello/values.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -global: - aafEnabled: true - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image -aaf_init: - # You might want this in your own app. For AAF, we store in global - # replicas: 1 - fqi: aaf@aaf.osaaf.org -# This MUST match what is put in AAF's "Artifact" for Certificates - fqdn: aaf-hello -# What is put in Locator for External Access - public_fqdn: aaf.osaaf.org - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - secret_uid: &aaf_secret_uid nbi-aaf-deploy-creds - permission_user: 1000 - permission_group: 999 - -replicaCount: 0 - -image: onap/aaf/aaf_hello:2.1.23 - -service: - name: aaf-hello - type: ClusterIP - ports: - - name: api - protocol: http - port: 8130 - -nodeSelector: {} - -affinity: {} - -secrets: - - uid: *aaf_secret_uid - type: basicAuth - externalSecret: '{{ ternary (tpl (default "" .Values.aaf_init.aafDeployCredsExternalSecret) .) 
"aafIsDisabled" .Values.global.aafEnabled }}' - login: '{{ .Values.aaf_init.aafDeployFqi }}' - password: '{{ .Values.aaf_init.aafDeployPass }}' - passwordPolicy: required - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -ingress: - enabled: false - service: - - baseaddr: "aafhello" - name: "aaf-hello" - port: 8130 - config: - ssl: "none" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 10m - memory: 200Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 20m - memory: 500Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-locate/.helmignore b/kubernetes/aaf/components/aaf-locate/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/aaf/components/aaf-locate/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-locate/Chart.yaml b/kubernetes/aaf/components/aaf-locate/Chart.yaml deleted file mode 100644 index 629b2e06a9..0000000000 --- a/kubernetes/aaf/components/aaf-locate/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Locate -name: aaf-locate -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-templates - version: ~11.x-0 - repository: 'file://../aaf-templates' diff --git a/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt b/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml b/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml b/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml deleted file mode 100644 index 1b33c1f8d1..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml +++ /dev/null @@ -1,2 +0,0 @@ - -{{ include "common.ingress" . }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/service.yaml b/kubernetes/aaf/components/aaf-locate/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-locate/values.yaml b/kubernetes/aaf/components/aaf-locate/values.yaml deleted file mode 100644 index 0a3e4d432b..0000000000 --- a/kubernetes/aaf/components/aaf-locate/values.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small -################################################################# -# Application configuration defaults. -################################################################# -# application image -replicaCount: 1 - -binary: locate - -sequence_order: - - service - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-locate - type: ClusterIP - ports: - - name: api - protocol: http - port: 8095 - -ingress: - enabled: false - service: - - baseaddr: "aaflocate" - name: "aaf-locate" - port: 8095 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 500m - memory: 320Mi - requests: - cpu: 1m - memory: 210Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 500Mi - unlimited: {} 
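Review bot: The deleted kubernetes/aaf/components/aaf-hello/values.yaml further up carried a default deployer credential in clear text under `aaf_init` (`aafDeployFqi: deployer@people.osaaf.org`, `aafDeployPass: demo123456!`), and removing the file does not retire that credential: it stays in the repository history and in any environment that was installed with the defaults. Suggest the change description state that the account must be treated as publicly known and disabled or rotated wherever AAF was deployed. The same file keyed its secret on `global.aafEnabled` (the `ternary ... "aafIsDisabled" .Values.global.aafEnabled` expression) and used the uid `nbi-aaf-deploy-creds`, so it is also worth confirming that no remaining chart still sets `aafEnabled: true`, includes `common.aaf-config`, or references that secret uid once these components are gone.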
diff --git a/kubernetes/aaf/components/aaf-oauth/.helmignore b/kubernetes/aaf/components/aaf-oauth/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-oauth/Chart.yaml b/kubernetes/aaf/components/aaf-oauth/Chart.yaml deleted file mode 100644 index b22deca963..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF OAuth -name: aaf-oauth -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-templates - version: ~11.x-0 - repository: 'file://../aaf-templates' 
diff --git a/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt b/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml b/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml b/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml deleted file mode 100644 index 1b33c1f8d1..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml +++ /dev/null @@ -1,2 +0,0 @@ - -{{ include "common.ingress" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/service.yaml b/kubernetes/aaf/components/aaf-oauth/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/values.yaml b/kubernetes/aaf/components/aaf-oauth/values.yaml deleted file mode 100644 index 2e9b6d42fa..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image - -replicaCount: 1 - -binary: oauth - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-oauth - type: ClusterIP - ports: - - name: api - protocol: http - port: 8140 - -ingress: - enabled: false - service: - - baseaddr: "aafoauth" - name: "aaf-oauth" - port: 8140 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 40m - memory: 320Mi - requests: - cpu: 1m - memory: 210Mi - large: - limits: - cpu: 400m - memory: 600Mi - requests: - cpu: 40m - memory: 200Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-service/.helmignore b/kubernetes/aaf/components/aaf-service/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/aaf/components/aaf-service/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-service/Chart.yaml b/kubernetes/aaf/components/aaf-service/Chart.yaml deleted file mode 100644 index 18813fc6e2..0000000000 --- a/kubernetes/aaf/components/aaf-service/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Service -name: aaf-service -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-templates - version: ~11.x-0 - repository: 'file://../aaf-templates' \ No newline at end of file 
diff --git a/kubernetes/aaf/components/aaf-service/templates/deployment.yaml b/kubernetes/aaf/components/aaf-service/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-service/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-service/templates/ingress.yaml b/kubernetes/aaf/components/aaf-service/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-service/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-service/templates/service.yaml b/kubernetes/aaf/components/aaf-service/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-service/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-service/values.yaml b/kubernetes/aaf/components/aaf-service/values.yaml deleted file mode 100644 index 8d8da0db4a..0000000000 --- a/kubernetes/aaf/components/aaf-service/values.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image - -replicaCount: 1 - -binary: service - -sequence_order: - - cass - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-service - type: ClusterIP - ports: - - name: api - port: 8100 - protocol: http - -ingress: - enabled: false - service: - - baseaddr: "aafservice" - name: "aaf-service" - port: 8100 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 250m - memory: 360Mi - requests: - cpu: 10m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 300Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-sms/Chart.yaml b/kubernetes/aaf/components/aaf-sms/Chart.yaml deleted file mode 100644 index 769a4df7cb..0000000000 --- a/kubernetes/aaf/components/aaf-sms/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Secret Management Service -name: aaf-sms -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: aaf-sms-quorumclient - version: ~11.x-0 - repository: 'file://components/aaf-sms-quorumclient' - - name: aaf-sms-vault - version: ~11.x-0 - repository: 'file://components/aaf-sms-vault' diff --git a/kubernetes/aaf/components/aaf-sms/Makefile b/kubernetes/aaf/components/aaf-sms/Makefile deleted file mode 100644 index 51d7de122c..0000000000 --- a/kubernetes/aaf/components/aaf-sms/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sms/components/Makefile b/kubernetes/aaf/components/aaf-sms/components/Makefile deleted file mode 100644 index f4c9784bc4..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml deleted file mode 100644 index 96cf7a1b83..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Secret Management Service Quorum Client -name: aaf-sms-quorumclient -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json deleted file mode 100644 index 3a43f00019..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "url":"https://aaf-sms.{{ include "common.namespace" . }}:10443", - "cafile": "/quorumclient/certs/aaf_root_ca.cer", - "clientcert":"client.cert", - "clientkey":"client.key", - "timeout":"10s" -} \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml deleted file mode 100644 index 471c9094aa..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml deleted file mode 100644 index d855ae6fdf..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- $global := . }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml deleted file mode 100644 index 0e9e66dc47..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- if .Values.persistence.enabled }} - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /quorumclient/auth - chown -R 100:1000 /quorumclient/auth - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /quorumclient/auth - name: {{ include "common.fullname" . }}-data -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/quorumclient/bin/quorumclient"] - workingDir: /quorumclient/ - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /quorumclient/config.json - name: {{ include "common.name" .}} - subPath: config.json -{{- if .Values.persistence.enabled }} - - mountPath: /quorumclient/auth - name: {{ include "common.fullname" . }}-data -{{- end }} - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name : {{ include "common.name" . }} - configMap: - name: {{ include "common.fullname" . }} - items: - - key: config.json - path: config.json - mode: 0755 -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml deleted file mode 100644 index d41d31ce82..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/smsquorumclient:4.0.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -service: - name: aaf-sms - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Mi - mountPath: /dockerdata-nfs - mountSubPath: sms/quorum/data - -ingress: - enabled: false - -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 40m - memory: 40Mi - requests: - cpu: 1m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 700Mi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml deleted file mode 100644 index 9f06ec172b..0000000000 
--- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Chart to launch Vault as SMS backend -name: aaf-sms-vault -appVersion: 0.9.5 -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml deleted file mode 100644 index 0d09221644..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-vault - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - config.json: | - {{ .Values.config.vault | toJson }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-consul - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - config.json: | - {{ .Values.config.consul | toJson }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml deleted file mode 100644 index d855ae6fdf..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- $global := . }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml deleted file mode 100644 index b642e39540..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.portName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml deleted file mode 100644 index 994e1555d3..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: -{{- if .Values.persistence.enabled }} - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /consul/data - chown -R 100:1000 /consul/data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /consul/data - name: {{ include "common.fullname" . }}-data -{{- end }} - containers: - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.vault }} - name: {{ include "common.name" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: ["server"] - ports: - - containerPort: {{ .Values.service.internalPort }} - volumeMounts: - - mountPath: /vault/config/config.json - name: {{ include "common.fullname" . }}-vault - subPath: config.json - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 10 }} - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.consul }} - name: {{ include "common.name" . }}-backend - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: ["agent","-server","-bind","0.0.0.0","-bootstrap-expect=1","-config-file","/consul/config/config.json"] - ports: - - name: http - containerPort: 8500 - volumeMounts: -{{- if .Values.persistence.enabled }} - - mountPath: /consul/data - name: {{ include "common.fullname" . }}-data -{{- end }} - - mountPath: /consul/config/config.json - name: {{ include "common.fullname" . }}-consulconfiguration - subPath: config.json - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 10 }} - volumes: - - name: {{ include "common.fullname" . }}-consulconfiguration - configMap: - name: {{ include "common.fullname" . }}-consul - - name: {{ include "common.fullname" . }}-vault - configMap: - name: {{ include "common.fullname" . }}-vault - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . 
}}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml deleted file mode 100644 index e170ce7ef5..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -# application image -image: - consul: library/consul:1.7.1 - vault: library/vault:1.3.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -################################################################# -# Application configuration defaults. 
-################################################################# -config: - consul: - server: true - log_level: INFO - data_dir: '/consul/data' - ports: - http: 8500 - https: -1 - - vault: - storage: - consul: - address: localhost:8500 - path: smsvault - listener: - tcp: - address: '[::]:8200' - tls_disable: true - disable_mlock: true - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: sms/consul/data - -service: - type: ClusterIP - name: aaf-sms-db - portName: aaf-sms-db - internalPort: 8200 - externalPort: 8200 - -ingress: - enabled: false - -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 400m - memory: 80Mi - requests: - cpu: 40m - memory: 40Mi - large: - limits: - cpu: 400m - memory: 700Mi - requests: - cpu: 40m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem b/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem deleted file mode 100644 index 7939846bf0..0000000000 --- a/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN -MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL -neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d -o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 -nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV -v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO -15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw -gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV -M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ -BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B -AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q -ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl -u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ -+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ -QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht -8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX -kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 -aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky -uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w -tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep -BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= ------END CERTIFICATE----- diff --git a/kubernetes/aaf/components/aaf-sms/resources/config/has.json b/kubernetes/aaf/components/aaf-sms/resources/config/has.json deleted file mode 100644 index ef42ce98d3..0000000000 --- a/kubernetes/aaf/components/aaf-sms/resources/config/has.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "domain": { - "name": "has", - "secrets": [ - { - "name": "aai", - "values": { - "username": "${AAI_USER}", - "password": "${AAI_PASS}" - } - }, - { - "name": "conductor_api", - "values": { - "username": "${CONDUCTOR_USER}", - "password": "${CONDUCTOR_PASS}" - } - }, - { - "name": "sdnc", - "values": { - "username": "${SDNC_USER}", - "password": "${SDNC_PASS}" - } - }, - { - "name": "music_api", - "values": { - "aafuser": "${MUSIC_USER}", - "aafpass": "${MUSIC_PASS}", - "aafns": "conductor" - } - }, - { - "name": "aaf_api", - "values": { - "username": "${AAF_USER}", - "password": "${AAF_PASS}", - "aaf_conductor_user": "oof@oof.onap.org" - } - }, - { - "name": "sdc", - "values": { - "username": "${SDC_USER}", - "password": "${SDC_PASS}" - } - } - ] - } -} diff --git a/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json b/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json deleted file mode 100644 index c14f7ee4ba..0000000000 --- a/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "domain": { - "name": "osdf", - "secrets": [ - { - "name": "so", - "values": { - "UserName": "${SO_USER}", - "Password": "${SO_PASS}" - } - }, - { - "name": "conductor", - "values": { - "UserName": "${CONDUCTOR_USER}", - "Password": "${CONDUCTOR_PASS}" - } - }, - { - "name": "policyPlatform", - "values": { - "UserName": "${POLICY_PLAT_USER}", - "Password": "${POLICY_PLAT_PASS}" - } - }, - { - "name": "policyClient", - "values": { - "UserName": "${POLICY_CLI_USER}", - "Password": "${POLICY_CLI_PASS}" - } - }, - { - "name": "dmaap", - "values": { - "UserName": "NA", - "Password": "NA" - } - }, - { - "name": "sdc", - "values": { - "UserName": "NA", - "Password": "NA" - } - }, - { - "name": "osdfPlacement", - "values": { - "UserName": "${OSDF_PLACEMENT_USER}", - "Password": "${OSDF_PLACEMENT_PASS}" - } - }, - { - "name": "osdfPlacementSO", - "values": { - "UserName": "${OSDF_PLACEMENT_SO_USER}", - "Password": "${OSDF_PLACEMENT_SO_PASS}" - } - }, - { - "name": "osdfPlacementVFC", - "values": { - "UserName": "${OSDF_PLACEMENT_VFC_USER}", - "Password": "${OSDF_PLACEMENT_VFC_PASS}" - } - }, - { - "name": "osdfCMScheduler", - "values": { - "UserName": "${OSDF_CM_SCHEDULER_USER}", - "Password": "${OSDF_CM_SCHEDULER_PASS}" - } - }, - { - "name": "configDb", - "values": { - "UserName": "${CONFIG_DB_USER}", - "Password": "${CONFIG_DB_PASS}" - } - }, - { - "name": "pciHMS", - "values": { - "UserName": "", - "Password": "" - } - }, - { - "name": "osdfPCIOpt", - "values": { - "UserName": "${OSDF_PCI_OPT_USER}", - "Password": "${OSDF_PCI_OPT_PASS}" - } - }, - { - "name": "osdfOptEngine", - "values": { - "UserName": "${OSDF_OPT_ENGINE_USER}", - "Password": "${OSDF_OPT_ENGINE_PASS}" - } - }{{ if .Values.cps.enabled }}, - { - "name": "cps", - "values": { - "UserName": "${CPS_USER}", - "Password": "${CPS_PASS}" - } - }{{ end }} - ] - } -} 
diff --git a/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml deleted file mode 100644 index a74fe277b7..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - smsconfig.json: | - {{ .Values.config | toJson }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-preload - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-preload - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml b/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml deleted file mode 100644 index cfe54cf07b..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 8 }} - # Currently intermediate certificate is not given by AAF CM so we need - # to give it "by hand" - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-add-intermediate-cert - command: - - /bin/sh - args: - - -c - - | - cat /int-certs/intermediate_root_ca.pem >> {{ .Values.certInitializer.mountPath }}/local/org.onap.aaf-sms.crt - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /int-certs - name: {{ include "common.fullname" . 
}}-int-certs - readOnly: true - {{- end }} - - name: {{ include "common.fullname" . }}-fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /sms/auth - chown -R 1000:1000 /sms/auth - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /sms/auth - name: {{ include "common.fullname" . }}-auth - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "aaf-sms-vault" - - --container-name - - "aaf-sms-vault-backend" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }} - command: ["/sms/bin/sms"] - workingDir: /sms/ - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - port: {{ .Values.service.internalPort }} - scheme: HTTPS - path: /v1/sms/quorum/status - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - httpGet: - port: {{ .Values.service.internalPort }} - scheme: HTTPS - path: /v1/sms/quorum/status - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /sms/smsconfig.json - name: {{ include "common.name" .}} - subPath: smsconfig.json - - mountPath: /sms/auth - name: {{ include "common.fullname" . }}-auth - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - name : {{ include "common.name" . }} - configMap: - name: {{ include "common.fullname" . }} - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-int-certs - secret: - secretName: {{ include "common.fullname" . }}-int-certs - {{- end }} - - name: {{ include "common.fullname" . }}-auth - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sms/templates/job.yaml b/kubernetes/aaf/components/aaf-sms/templates/job.yaml deleted file mode 100644 index 2370cf60de..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/job.yaml +++ /dev/null 
@@ -1,217 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-preload - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . 
| nindent 6 }} - - command: - - sh - args: - - -c - - "export AAI_PASS=${AAI_PASS_PLAIN}; - export CONDUCTOR_PASS=${CONDUCTOR_PASS_PLAIN}; - export SDNC_PASS=${SDNC_PASS_PLAIN}; - export MUSIC_PASS=${MUSIC_PASS_PLAIN}; - export AAF_PASS=${AAF_PASS_PLAIN}; - export POLICY_PLAT_PASS=${POLICY_PLAT_PASS_PLAIN}; - export POLICY_CLI_PASS=${POLICY_CLI_PASS_PLAIN}; - export OSDF_PLACEMENT_PASS=${OSDF_PLACEMENT_PASS_PLAIN}; - export OSDF_PLACEMENT_SO_PASS=${OSDF_PLACEMENT_SO_PASS_PLAIN}; - export OSDF_PLACMENET_VFC_PASS=${OSDF_PLACEMENT_VFC_PASS_PLAIN}; - export OSDF_CM_SCHEDULER_PASS=${OSDF_CM_SCHEDULER_PASS_PLAIN}; - export CONFIG_DB_PASS=${CONFIG_DB_PASS_PLAIN}; - export OSDF_PCI_OPT_PASS=${OSDF_PCI_OPT_PASS_PLAIN}; - export OSDF_OPT_ENGINE_PASS=${OSDF_OPT_ENGINE_PASS_PLAIN}; - export SO_PASS=${SO_PASS_PLAIN}; - export SDC_PASS=${SDC_PASS_PLAIN}; - {{- if .Values.cps.enabled }} - export CPS_PASS=${CPS_PASS_PLAIN}; - {{- end }} - cd /config-input; - for PFILE in `find . -not -type d | grep -v -F ..`; do - envsubst <${PFILE} >/config/${PFILE}; - done" - env: - - name: AAI_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-creds" "key" "login") | indent 10 }} - - name: AAI_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-creds" "key" "password") | indent 10 }} - - - name: CONDUCTOR_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "conductor-creds" "key" "login") | indent 10 }} - - name: CONDUCTOR_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "conductor-creds" "key" "password") | indent 10 }} - - - name: SDNC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-creds" "key" "login") | indent 10 }} - - name: SDNC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdnc-creds" "key" "password") | indent 10 }} - - - name: MUSIC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-creds" "key" "login") | indent 10 }} - - name: MUSIC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-creds" "key" "password") | indent 10 }} - - - name: AAF_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "login") | indent 10 }} - - name: AAF_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "password") | indent 10 }} - - - name: POLICY_PLAT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-plat-creds" "key" "login") | indent 10 }} - - name: POLICY_PLAT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-plat-creds" "key" "password") | indent 10 }} - - - name: POLICY_CLI_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-cli-creds" "key" "login") | indent 10 }} - - name: POLICY_CLI_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-cli-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_SO_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-so-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_SO_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-so-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_VFC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "osdf-placement-vfc-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_VFC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-vfc-creds" "key" "password") | indent 10 }} - - - name: OSDF_CM_SCHEDULER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-cm-scheduler-creds" "key" "login") | indent 10 }} - - name: OSDF_CM_SCHEDULER_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-cm-scheduler-creds" "key" "password") | indent 10 }} - - - name: CONFIG_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "config-db-creds" "key" "login") | indent 10 }} - - name: CONFIG_DB_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "config-db-creds" "key" "password") | indent 10 }} - - - name: OSDF_PCI_OPT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-pci-opt-creds" "key" "login") | indent 10 }} - - name: OSDF_PCI_OPT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-pci-opt-creds" "key" "password") | indent 10 }} - - - name: OSDF_OPT_ENGINE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-opt-engine-creds" "key" "login") | indent 10 }} - - name: OSDF_OPT_ENGINE_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-opt-engine-creds" "key" "password") | indent 10 }} - - - name: SO_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-creds" "key" "login") | indent 10 }} - - name: SO_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-creds" "key" "password") | indent 10 }} - - - name: SDC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "login") | indent 10 }} - - name: SDC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdc-creds" "key" "password") | indent 10 }} - {{- if .Values.cps.enabled }} - - name: CPS_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "login") | indent 10 }} - - name: CPS_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "password") | indent 10 }} - {{- end }} - - volumeMounts: - - mountPath: /config-input - name: {{ include "common.name" . }}-preload-input - - mountPath: /config/ - name: {{ include "common.name" . }}-preload - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - "aaf-sms" - - --container-name - - "aaf-sms-quorumclient" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-preload - command: - - "/sms/bin/preload" - - "-cacert" - - "{{ .Values.certInitializer.mountPath }}/local/{{ .Values.certInitializer.root_ca_name }}" - - "-jsondir" - - "/preload/config" - - "-serviceport" - - "{{ .Values.service.internalPort }}" - - "-serviceurl" - - "https://aaf-sms.{{ include "common.namespace" . }}" - workingDir: /sms - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /preload/config - name: {{ include "common.name" . }}-preload - resources: -{{ include "common.resources" . 
| indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.name" . }}-preload-input - configMap: - name: {{ include "common.fullname" . }}-preload - - name: {{ include "common.name" . }}-preload - emptyDir: - medium: Memory - restartPolicy: OnFailure - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sms/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/templates/pv.yaml deleted file mode 100644 index d06131feb5..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: {{ include "common.release" . }} - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml b/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml deleted file mode 100644 index c46d50607c..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sms/templates/secret.yaml b/kubernetes/aaf/components/aaf-sms/templates/secret.yaml deleted file mode 100644 index 7a0213f16c..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/secret.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} ---- -{{- if .Values.global.aafEnabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-int-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/templates/service.yaml b/kubernetes/aaf/components/aaf-sms/templates/service.yaml deleted file mode 100644 index 8f30164fec..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/service.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.PortName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/aaf/components/aaf-sms/values.yaml b/kubernetes/aaf/components/aaf-sms/values.yaml deleted file mode 100644 index 114ad23672..0000000000 --- a/kubernetes/aaf/components/aaf-sms/values.yaml +++ /dev/null 
@@ -1,283 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - aafEnabled: true - -flavor: small - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: aaf-sms-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aaf-sms - fqi: aaf-sms@aaf-sms.onap.org - public_fqdn: aaf-sms.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - mountPath: /opt/app/osaaf - keystore: truststoreONAPall.jks - keystore_pass: changeit - root_ca_alias: onaptestca - root_ca_name: aaf_root_ca.cer - permission_user: 1000 - permission_group: 1000 - aaf_add_config: > - cd {{ .Values.mountPath }}/local; - keytool -exportcert -rfc -file {{ .Values.root_ca_name }} -keystore {{ .Values.keystore }} - -alias {{ .Values.root_ca_alias }} -storepass {{ .Values.keystore_pass }}; - chown -R {{.Values.permission_user}}:{{.Values.permission_group}} - {{ .Values.mountPath }}; - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/aaf/sms:4.0.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -config: - smsdbaddress: "http://aaf-sms-db:8200" - cafile: "/opt/app/osaaf/local/aaf_root_ca.cer" - servercert: "/opt/app/osaaf/local/org.onap.aaf-sms.crt" - serverkey: "/opt/app/osaaf/local/org.onap.aaf-sms.key" - password: "c2VjcmV0bWFuYWdlbWVudHNlcnZpY2VzZWNyZXRwYXNzd29yZA==" - -# subchart configuration -vault: - nameOverride: smsdb - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 30 - -service: - type: ClusterIP - name: aaf-sms - portName: aaf-sms - internalPort: 10443 - externalPort: 10443 - -#define value for aaf-sms-quorumclient subchart -aaf-sms-quorumclient: - service: - name: aaf-sms - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: sms/auth - -ingress: - enabled: false - -cps: - enabled: true - -secrets: - - uid: aai-creds - type: basicAuth - login: '{{ .Values.oofCreds.aaiUsername }}' - password: '{{ .Values.oofCreds.aaiPassword }}' - passwordPolicy: required - - uid: conductor-creds - type: basicAuth - login: '{{ .Values.oofCreds.conductorUsername }}' - password: '{{ .Values.oofCreds.conductorPassword }}' - passwordPolicy: required - - uid: sdnc-creds - type: basicAuth - login: '{{ .Values.oofCreds.sdncUsername }}' - password: '{{ .Values.oofCreds.sdncPassword }}' - passwordPolicy: required - - uid: music-creds - type: basicAuth - login: '{{ .Values.oofCreds.musicUsername }}' - 
password: '{{ .Values.oofCreds.musicPassword }}' - passwordPolicy: required - - uid: aaf-creds - type: basicAuth - login: '{{ .Values.oofCreds.aafUsername }}' - password: '{{ .Values.oofCreds.aafPassword }}' - passwordPolicy: required - - uid: policy-plat-creds - type: basicAuth - login: '{{ .Values.oofCreds.policyPlatUsername }}' - password: '{{ .Values.oofCreds.policyPlatPassword }}' - passwordPolicy: required - - uid: policy-cli-creds - type: basicAuth - login: '{{ .Values.oofCreds.policyCliUsername }}' - password: '{{ .Values.oofCreds.policyCliPassword }}' - passwordPolicy: required - - uid: osdf-placement-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementPassword }}' - passwordPolicy: required - - uid: osdf-placement-so-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementSOUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementSOPassword }}' - passwordPolicy: required - - uid: osdf-placement-vfc-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementVFCUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementVFCPassword }}' - passwordPolicy: required - - uid: osdf-cm-scheduler-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfCMSchedulerUsername }}' - password: '{{ .Values.oofCreds.osdfCMSchedulerPassword }}' - passwordPolicy: required - - uid: config-db-creds - type: basicAuth - login: '{{ .Values.oofCreds.configDbUsername }}' - password: '{{ .Values.oofCreds.configDbPassword }}' - passwordPolicy: required - - uid: osdf-pci-opt-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPCIOptUsername }}' - password: '{{ .Values.oofCreds.osdfPCIOptPassword }}' - passwordPolicy: required - - uid: osdf-opt-engine-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfOptEngineUsername }}' - password: '{{ .Values.oofCreds.osdfOptEnginePassword }}' - passwordPolicy: required - - uid: so-creds - type: basicAuth - login: '{{ 
.Values.oofCreds.soUsername }}' - password: '{{ .Values.oofCreds.soPassword }}' - passwordPolicy: required - - uid: sdc-creds - type: basicAuth - login: '{{ .Values.oofCreds.sdcUsername }}' - password: '{{ .Values.oofCreds.sdcPassword }}' - passwordPolicy: required - - uid: cps-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.oofCreds.cpsUserExternalSecret) . }}' - login: '{{ .Values.oofCreds.cpsUsername }}' - password: '{{ .Values.oofCreds.cpsPassword }}' - passwordPolicy: required -oofCreds: - aaiUsername: oof@oof.onap.org - aaiPassword: demo123456! - - conductorUsername: admin1 - conductorPassword: plan.15 - - sdncUsername: admin - sdncPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - - musicUsername: conductor - musicPassword: c0nduct0r - - aafUsername: aaf_admin@people.osaaf.org - aafPassword: demo123456! - - policyPlatUsername: healthcheck - policyPlatPassword: zb!XztG34 - - policyCliUsername: healthcheck - policyCliPassword: zb!XztG34 - - osdfPlacementUsername: test - osdfPlacementPassword: testpwd - - osdfPlacementSOUsername: so_test - osdfPlacementSOPassword: so_testpwd - - osdfPlacementVFCUsername: vfc_test - osdfPlacementVFCPassword: vfc_testpwd - - osdfCMSchedulerUsername: test1 - osdfCMSchedulerPassword: testpwd1 - - configDbUsername: osdf - configDbPassword: passwd - - osdfPCIOptUsername: pci_test - osdfPCIOptPassword: pci_testpwd - - osdfOptEngineUsername: opt_test - osdfOptEnginePassword: opt_testpwd - - soUsername: apihBpmn - soPassword: password1$ - - sdcUsername: aai - sdcPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - - cpsUsername: '' - cpsPassword: '' - cpsUserExternalSecret: '{{ include "common.release" . 
}}-cps-core-app-user-creds' - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 100m - memory: 400Mi - requests: - cpu: 25m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 25m - memory: 100Mi - unlimited: {} - -wait_for_job_container: - containers: - - '{{ include "common.name" . }}-preload' - diff --git a/kubernetes/aaf/components/aaf-sshsm/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/Chart.yaml deleted file mode 100644 index 2cd0cf4671..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/Chart.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Hardware Security Components -name: aaf-sshsm -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: aaf-sshsm-abrmd - version: ~11.x-0 - repository: 'file://components/aaf-sshsm-abrmd' - condition: aaf-sshsm-abrmd.enabled - - name: aaf-sshsm-distcenter - version: ~11.x-0 - repository: 'file://components/aaf-sshsm-distcenter' - condition: aaf-sshsm-distcenter.enabled - - name: aaf-sshsm-testca - version: ~11.x-0 - repository: 'file://components/aaf-sshsm-testca' - condition: aaf-sshsm-testca.testca.enabled 
diff --git a/kubernetes/aaf/components/aaf-sshsm/Makefile b/kubernetes/aaf/components/aaf-sshsm/Makefile deleted file mode 100644 index 51d7de122c..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sshsm/README.md b/kubernetes/aaf/components/aaf-sshsm/README.md deleted file mode 100644 index a6f2e62cb9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/README.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Helm Chart for ONAP Hardware Security Components - -This includes the following Kubernetes services: - -1. dist-center - A service that is used to create and distribute private keys -2. abrmd - A service that manages access to the TPM device - -# Service Dependencies - -All services depend on AAF \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sshsm/components/Makefile b/kubernetes/aaf/components/aaf-sshsm/components/Makefile deleted file mode 100644 index f4c9784bc4..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml deleted file mode 100644 index 2149739897..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Trusted Platform Module Resource Manager -name: aaf-sshsm-abrmd -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml deleted file mode 100644 index 8555a3c153..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: v1 -kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml deleted file mode 100644 index a2df4e53b9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - serviceName: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-job-complete - command: - - /app/ready.py - args: - - -j - - "{{ include "common.fullname" . }}-init" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/abrmd/bin/run_abrmd.sh"] - workingDir: /abrmd/bin - securityContext: - privileged: true - volumeMounts: - - name: {{ include "common.fullname" . }}-dbus - mountPath: /var/run/dbus - - name: {{ include "common.fullname" . 
}}-tpm-device - mountPath: /dev/tpm0 - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: {{ include "common.resources" . | nindent 10 }} - nodeSelector: - {{- if .Values.nodeSelector }} - {{ toYaml .Values.nodeSelector | indent 8 | trim }} - {{- end }} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbus - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-dbus - - name: {{ include "common.fullname" . }}-tpm-device - hostPath: - path: /dev/tpm0 - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml deleted file mode 100644 index 8a8b6bd8fe..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - backoffLimit: 2 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - containers: - - name: {{ include "common.name" . }}-job - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/abrmd/bin/initialize_tpm.sh"] - workingDir: /abrmd/bin - securityContext: - privileged: true - env: - - name: TPM_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ABRMD_DATA - value: /abrmd/data - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /abrmd/data - - name: {{ include "common.fullname" . }}-tpm-device - mountPath: /dev/tpm0 - - name: {{ include "common.fullname" . }}-tpmconfig - mountPath: "/abrmd/cred/" - readOnly: true - resources: {{ include "common.resources" . 
| nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end -}} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-data - - name: {{ include "common.fullname" . }}-tpm-device - hostPath: - path: /dev/tpm0 - - name: {{ include "common.fullname" . }}-tpmconfig - secret: - secretName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml deleted file mode 100644 index e97519aa3e..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - tpm: - enabled: true - # if enabled, nodeselector will use the below - # values in the nodeselector section of the pod - nodeLabel: "tpm-node" - nodeLabelValue: "true" - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/abrmd:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -# TPM specific node selection is done at parent chart aaf-sshsm -nodeSelector: {} - -affinity: {} - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml deleted file mode 100644 index b0a9b9a05f..0000000000 
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Trusted Platform Module Distribution Center -name: aaf-sshsm-distcenter -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml deleted file mode 100644 index 2e82f5bd26..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml deleted file mode 100644 index f74b5c8f2d..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - serviceName: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: -{{- if .Values.global.tpm.enabled }} - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-aaf-sshsm-abrmd-init" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{ else }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-gen-passphrase - command: ["sh", "-c", "/usr/bin/openssl rand -base64 12 >/distcenter/data/passphrase"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . 
}}-data - mountPath: /distcenter/data - resources: - limits: - cpu: 1 - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/entrypoint.sh"] - workingDir: /distcenter - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /distcenter/data - resources: {{ include "common.resources" . | nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml deleted file mode 100644 index 22acb2a609..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" . }} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml deleted file mode 100644 index 1c7f6ffe4a..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml deleted file mode 100644 index fb42843cb7..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - tpm: - enabled: true - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/distcenter:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Mi - mountPath: /dockerdata-nfs - mountSubPath: sshsm/distcenter/data - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml deleted file mode 100644 index 617c742048..0000000000 
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Trusted Platform Module Test CA Service -name: aaf-sshsm-testca -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml deleted file mode 100644 index 71e7c299bc..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-distcenter-ready - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-aaf-sshsm-distcenter" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- if .Values.global.tpm.enabled }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-abrmd-ready - command: ["sh", "/sshsm/bin/abrmd_ready.sh", "300"] - workingDir: /testca/bin - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: {{ include "common.fullname" . 
}}-dbus - mountPath: /var/run/dbus - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["./import.sh"] - workingDir: /testca/bin - env: -{{- if .Values.global.tpm.enabled }} - - name: TPM_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: DATA_FOLDER - value: /testca/data/host_$(TPM_NODE_NAME) -{{ else }} - - name: DATA_FOLDER - value: /testca/data -{{- end }} - - name: SECRETS_FOLDER - value: /testca/secrets - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /testca/data - - name: {{ include "common.fullname" . }}-dbus - mountPath: /var/run/dbus - - name: {{ include "common.fullname" . }}-secrets - mountPath: /testca/secrets - readOnly: true - resources: {{ include "common.resources" . | nindent 10 }} - nodeSelector: - {{- if .Values.nodeSelector }} - {{ toYaml .Values.nodeSelector | indent 8 | trim }} - {{- end -}} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm - - name: {{ include "common.fullname" . }}-dbus - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-dbus - - name: {{ include "common.fullname" . }}-secrets - secret: - secretName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml deleted file mode 100644 index f116c6d5e9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# - -global: - tpm: - enabled: true - # if enabled, nodeselector will use the below - # values in the nodeselector section of the pod - nodeLabel: "tpm-node" - nodeLabelValue: "true" - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/testcaservice:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 50m - memory: 100Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd b/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd deleted file mode 100644 index 640b325898..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd +++ /dev/null 
@@ -1 +0,0 @@ -cHJpbWFyeXBhc3N3b3JkCg== diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle b/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle deleted file mode 100644 index b8b9d8ddb0..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle +++ /dev/null @@ -1 +0,0 @@ -MHg4MTAwMDAyMwo= diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml deleted file mode 100644 index b566b11458..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" (dict "dot" . "persistenceInfos" .Values.persistence.data) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml deleted file mode 100644 index b3e7f9fabd..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml deleted file mode 100644 index b8971cc03c..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" (dict "dot" . "persistenceInfos" .Values.persistence.data) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml deleted file mode 100644 index 7297d6f81d..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml deleted file mode 100644 index 4be63fa18b..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ (.Files.Glob "resources/config/*").AsSecrets | indent 2 }} \ No newline at end of file 
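Review bot: in secret.yaml the `data:` block was filled by `(.Files.Glob "resources/config/*").AsSecrets`, so the Secret carried the fixed base64 values committed as resources/config/prk_passwd and resources/config/srk_handle, which are deleted earlier in this patch. Removing the files does not remove them from repository history or from releases that are already installed. The change description should say that any environment deployed with these defaults must treat the primary key password as known and replace it, rather than relying on this removal.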
diff --git a/kubernetes/aaf/components/aaf-sshsm/values.yaml b/kubernetes/aaf/components/aaf-sshsm/values.yaml deleted file mode 100644 index 7e8d4f1352..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/values.yaml +++ /dev/null @@ -1,72 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - # Standard OOM - pullPolicy: "Always" - - tpm: - enabled: false - # if enabled, nodeselector will use the below - # values in the nodeselector section of the pod - nodeLabel: "tpm-node" - nodeLabelValue: "true" - persistence: {} - -aaf-sshsm-abrmd: - enabled: true -aaf-sshsm-distcenter: - enabled: true -aaf-sshsm-testca: - enabled: true - -persistence: - enabled: true - data: - enabled: true - size: 10Mi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountSubPath: sshsm/data - dbus: - enabled: true - size: 10Mi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountSubPath: sshsm/dbus - - - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} 
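Review bot: `volumeReclaimPolicy: Retain` under both `persistence.data` and `persistence.dbus` means the backing volumes outlive the removal of this chart. The distcenter job deleted in the same patch wrote its generated passphrase to /distcenter/data/passphrase on a persistent volume claim. Suggest adding an upgrade note telling operators to delete the retained PVs and the `sshsm/data` and `sshsm/dbus` sub-paths after upgrading, since no template will manage or clean them once these files are gone.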
diff --git a/kubernetes/aaf/components/aaf-templates/Chart.yaml b/kubernetes/aaf/components/aaf-templates/Chart.yaml deleted file mode 100644 index b4b01b06d6..0000000000 --- a/kubernetes/aaf/components/aaf-templates/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright © 2020-2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Application Authorization Framework Templates -name: aaf-templates -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl b/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl deleted file mode 100644 index c0614b255e..0000000000 --- a/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl +++ /dev/null 
@@ -1,84 +0,0 @@ -{*/ -# Copyright © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/} - -{{- define "aaf.deployment" -}} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if (include "common.onServiceMesh" .) }} - annotations: - sidecar.istio.io/inject: "false" - {{- end }} - spec: {{ include "aaf.initContainers" . | nindent 6 }} - containers: - - name: {{ include "common.name" . }} - workingDir: /opt/app/aaf - command: ["bin/{{ .Values.binary }}"] - image: {{ include "repositoryGenerator.repository" . }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 10 }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/osaaf/etc/org.osaaf.aaf.log4j.props - name: aaf-log - subPath: org.osaaf.aaf.log4j.props - - mountPath: /opt/app/osaaf/data/ - name: config-identity - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{.Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-config-vol - emptyDir: {} - - name: aaf-log - configMap: - name: {{ include "common.release" . }}-aaf-log - - name: config-init-identity - configMap: - name: {{ include "common.release" . }}-aaf-identity - - name: config-identity - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl b/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl deleted file mode 100644 index 755315296d..0000000000 --- a/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl +++ /dev/null 
@@ -1,130 +0,0 @@ -{*/ -# Copyright © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/} - -{{- define "aaf.permissionFixer" -}} -- name: onboard-identity-and-fix-permission - command: - - /bin/sh - args: - - -c - - | - echo "*** Move files from configmap to emptyDir" - cp -L /config-input-identity/* /config-identity/ - echo "*** set righ user to the different folders" - chown -R 1000:1000 /config-identity - chown -R 1000:1000 /opt/app/aaf - chown -R 1000:1000 /opt/app/osaaf - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - mountPath: /config-input-identity - name: config-init-identity - - mountPath: /config-identity - name: config-identity - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end -}} - -{{- define "aaf.podConfiguration" }} -- name: {{ include "common.name" . }}-config-container - image: {{ include "repositoryGenerator.repository" . 
}}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/bash - args: - - -c - - | - cd /opt/app/aaf_config - bin/agent.sh - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:8095" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "aaf-cass.{{ .Release.Namespace }}" - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end -}} - -{{- define "aaf.initContainers" -}} -initContainers: -{{ include "aaf.permissionFixer" . }} -{{- if .Values.sequence_order }} -- name: {{ include "common.name" . }}-aaf-readiness - command: - - /app/ready.py - args: - {{- range $container := .Values.sequence_order }} - - --container-name - - aaf-{{ $container}} - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} -{{ include "aaf.podConfiguration" . }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-templates/values.yaml b/kubernetes/aaf/components/aaf-templates/values.yaml deleted file mode 100644 index 73efdc6132..0000000000 --- a/kubernetes/aaf/components/aaf-templates/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/kubernetes/aaf/resources/data/identities.dat b/kubernetes/aaf/resources/data/identities.dat deleted file mode 100644 index 4813cc19fc..0000000000 --- a/kubernetes/aaf/resources/data/identities.dat +++ /dev/null 
@@ -1,94 +0,0 @@ -{{/* -# -# Sample Identities.dat -# This file is for use with the "Default Organization". It is a simple mechanism to have a basic ILM structure to use with -# out-of-the-box tire-kicking, or even for Small companies -# -# For Larger Companies, you will want to create a new class implementing the "Organization" interface, making calls to your ILM, or utilizing -# batch feeds, as is appropriate for your company. -# -# Example Field Layout. note, in this example, Application IDs and People IDs are mixed. You may want to split -# out AppIDs, choose your own status indicators, or whatever you use. -# 0 - unique ID -# 1 - full name -# 2 - first name -# 3 - last name -# 4 - phone -# 5 - official email -# 6 - employment status e=employee, c=contractor, a=application, n=no longer with company -# 7 - responsible to (i.e Supervisor for People, or AppOwner, if it's an App ID) -# -*/}} - -iowna|Ima D. Owner|Ima|Owner|314-123-2000|ima.d.owner@people.osaaf.com|e| -mmanager|Mark D. Manager|Mark|Manager|314-123-1234|mark.d.manager@people.osaaf.com|e|iowna -bdevl|Robert D. Developer|Bob|Developer|314-123-1235|bob.d.developer@people.osaaf.com|e|mmanager -mmarket|Mary D. Marketer|Mary|Marketer|314-123-1236|mary.d.marketer@people.osaaf.com|e|mmanager -ccontra|Clarice D. Contractor|Clarice|Contractor|314-123-1237|clarice.d.contractor@people.osaaf.com|c|mmanager -iretired|Ira Lee M. 
Retired|Ira|Retired|314-123-1238|clarice.d.contractor@people.osaaf.com|n|mmanager - -# Portal Identities -portal|ONAP Portal Application|PORTAL|ONAP Application|314-123-1234|portal@people.osaaf.com|a|aaf_admin -shi|ONAP SHI Portal Identity|shi|Portal Application|314-123-1234|shi@people.osaaf.com|a|aaf_admin -demo|PORTAL DEMO|demo|PORTAL|DEMO|314-123-1234|demo@people.osaaf.com|e|aaf_admin -jh0003|PORTAL ADMIN|jh|PORTAL ADMIN|314-123-1234|jh0003@people.osaaf.com|e|aaf_admin -cs0008|PORTAL DESIGNER|cs|PORTAL DESIGNER|314-123-1234|cs0008@people.osaaf.com|e|aaf_admin -jm0007|PORTAL TESTER|jm|PORTAL TESTER|314-123-1234|jm0007@people.osaaf.com|e|aaf_admin -op0001|PORTAL OPS|op|PORTAL OPS|314-123-1234|op0001@people.osaaf.com|e|aaf_admin -gv0001|GV PORTAL|gv|PORTAL|314-123-1234|gv0001@people.osaaf.com|e|aaf_admin -pm0001|PM PORTAL|pm|PORTAL|314-123-1234|pm0001@people.osaaf.com|e|aaf_admin -gs0001|GS PORTAL|gs|PORTAL|314-123-1234|gs0001@people.osaaf.com|e|aaf_admin -ps0001|PS PORTAL|ps|PORTAL|314-123-1234|ps0001@people.osaaf.com|e|aaf_admin - -# AAF Defined Users -aaf_admin|AAF Administrator|Mr AAF|AAF Admin|314-123-1234|aaf_admin@people.osaaf.com|e|mmanager -deployer|Deployer|Deployer|Depoyer|314-123-1234|deployer@people.osaaf.com|e|aaf_admin - -# Requested Users -portal_admin|Portal Admin|Portal|Admin|314-123-1234|portal_admin@people.osaaf.com|e|mmanager - -# ONAP App IDs -a1p|A1 Policy Mangement|A1P|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -aaf|AAF Application|AAF|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -aaf-sms|AAF SMS Application|AAF SMS|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -clamp|ONAP CLAMP Application|CLAMP|Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai|ONAP AAI Application|AAI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai-resources|ONAP AAI Resources Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager 
-aai-schema-service|ONAP AAI Schema Service Application|AAI Schema Service|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai-traversal|ONAP AAI Traversal Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -appc|ONAP APPC Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -appc-cdt|ONAP APPC CDT Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -cli|ONAP CLI Application|SDNC-CDS|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dcae|ONAP DCAE Application|CLAMP|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -oof|ONAP OOF Application|OOF|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -so|ONAP SO Application|SO|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdc|ONAP SDC Application|SDC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdnc|ONAP SDNC Application|SDNC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdnc-cds|ONAP SDNC CDS Application|SDNC-CDS|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vfc|ONAP VFC Application|VNC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -policy|ONAP Policy Application|POLICY|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -pomba|ONAP Pomba Application|POMBA|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes|ONAP Holmes Application|HOLMES|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes-engine-mgmt|ONAP Holmes Engine Management Application|HOLMES-ENGINE|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes-rule-mgmt|ONAP Holmes Rules Management Application|HOLMES-RULES|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -nbi|ONAP NBI Application|NBI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -msb-eag|ONAP MSB EAG 
Application|MSB EAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -msb-iag|ONAP MSB IAG Application|MSB IAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -music|ONAP MUSIC Application|MUSIC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -refrepo|ONAP REFREPO Application|REFREPO|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -uui|ONAP UUI Application|UUI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -# VID Identities -vid|ONAP VID Application|VID|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vid1|ONAP VID Application 1|VID 1|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vid2|ONAP VID Application 2|VID 2|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -# DMAAP Identities -dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-bc-topic-mgr|ONAP DMaap BC Topic Manager|DMaap BC Topic Manager|DMaap BC|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-bc-mm-prov|ONAP DMaap BC Provisioning Manager|DMaap BC Provision Manager|DMaap BC|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr|ONAP DMaap DR|Prov|DMaap DR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr-prov|ONAP DMaap DR Prov|Prov|DMaap MR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr-node|ONAP DMaap DR Node|Node|DMaap MR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -#deprecate these in El Alto -dmaapmr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -#dmaap.mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager 
diff --git a/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props b/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props deleted file mode 100644 index 4120913d99..0000000000 --- a/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props +++ /dev/null 
@@ -1,53 +0,0 @@ -######### -# ============LICENSE_START==================================================== -# org.onap.aaf -# =========================================================================== -# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2020 Orange Intellectual Property. All rights reserved. -# =========================================================================== -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END==================================================== -# - -log4j.appender.INIT=org.apache.log4j.DailyRollingFileAppender -log4j.appender.INIT.File=${LOG4J_FILENAME_init} -log4j.appender.INIT.DatePattern='.'yyyy-MM-dd -log4j.appender.INIT.layout=org.apache.log4j.PatternLayout -log4j.appender.INIT.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %m %n - -log4j.appender.SRVR=org.apache.log4j.DailyRollingFileAppender -log4j.appender.SRVR.File=${LOG4J_FILENAME_service} -log4j.appender.SRVR.DatePattern='.'yyyy-MM-dd -log4j.appender.SRVR.layout=org.apache.log4j.PatternLayout -log4j.appender.SRVR.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %p [%c] %m %n - -log4j.appender.AUDIT=org.apache.log4j.DailyRollingFileAppender -log4j.appender.AUDIT.File=${LOG4J_FILENAME_audit} -log4j.appender.AUDIT.DatePattern='.'yyyy-MM-dd -log4j.appender.AUDIT.layout=org.apache.log4j.PatternLayout -log4j.appender.AUDIT.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %m %n - 
-log4j.appender.stdout=org.apache.log4j.ConsoleAppender -log4j.appender.stdout.layout=org.apache.log4j.PatternLayout -log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] %m %n - -# General Apache libraries -log4j.rootLogger=WARN.SRVR -log4j.logger.org.apache=WARN,SRVR -log4j.logger.com.datastax=WARN,SRVR -log4j.logger.init=INFO,INIT,stdout -log4j.logger.service=${LOGGING_LEVEL},SRVR,stdout -log4j.logger.audit=INFO,AUDIT -# Additional configs, not caugth with Root Logger -log4j.logger.io.netty=INFO,SRVR -log4j.logger.org.eclipse=INFO,SRVR \ No newline at end of file diff --git a/kubernetes/aaf/templates/configmap.yaml b/kubernetes/aaf/templates/configmap.yaml deleted file mode 100644 index 969046551b..0000000000 --- a/kubernetes/aaf/templates/configmap.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-identity - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/data/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aaf/values.yaml b/kubernetes/aaf/values.yaml deleted file mode 100644 index ee86a2f0ca..0000000000 --- a/kubernetes/aaf/values.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T -# Modifications Copyright © 2020 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - cmpv2Enabled: true - addTestingComponents: false - aaf: - readiness: false - image: onap/aaf/aaf_core:2.1.23 - aaf_env: "DEV" - public_fqdn: "aaf.osaaf.org" - aaf_release: "Frankfurt" - # DUBLIN ONLY - for M4 compatibility with Casablanca - # aaf_locator_name: "public.%NS.%N" - # aaf_locator_name_oom: "%NS.%N" - # EL ALTO and Beyond - aaf_locator_name: "%NS.%N" - aaf_locator_name_oom: "%CNS.%NS.%N" - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - cadi_x509_issuers: "CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US" - - config: - image: onap/aaf/aaf_config:2.1.23 - - service: - fqdn: "aaf-service" - internal_port: 8100 - public_port: 31110 - locate: - fqdn: "aaf-locate" - internal_port: 8095 - public_port: 31111 - oauth: - fqdn: "aaf-oauth" - internal_port: 8140 - public_port: 31112 -# Note: as hello is a sample app, find values in charts/aaf-hello/values.yaml - -################################################################# -# Application configuration defaults. 
-################################################################# - -flavor: small -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 350 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 150 - periodSeconds: 10 - -ingress: - enabled: false - service: - - baseaddr: "aaf.api" - name: "aaf-service" - port: 8100 - config: - ssl: "none" - -persistence: {} - -resources: {} - -aaf-authz: - enabled: true -aaf-hello: - enabled: false -aaf-sms: - enabled: true -aaf-sshsm: - enabled: false diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml index 9bab1ee1ab..7f00c2f002 100644 --- a/kubernetes/aai/Chart.yaml +++ b/kubernetes/aai/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,56 +18,50 @@ apiVersion: v2 description: ONAP Active and Available Inventory name: aai -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) + version: ~13.x-0 repository: '@local' - name: cassandra - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' condition: global.cassandra.localCluster - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: aai-babel - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/aai-babel' condition: aai-babel.enabled - name: aai-graphadmin - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/aai-graphadmin' condition: aai-graphadmin.enabled - name: aai-modelloader - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/aai-modelloader' condition: aai-modelloader.enabled - name: aai-resources - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/aai-resources' condition: aai-resources.enabled - name: aai-schema-service - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/aai-schema-service' condition: aai-schema-service.enabled - name: aai-sparky-be - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/aai-sparky-be' condition: aai-sparky-be.enabled - name: aai-traversal - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/aai-traversal' condition: aai-traversal.enabled - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/Makefile b/kubernetes/aai/Makefile index c0253952aa..c483a02eab 100644 --- a/kubernetes/aai/Makefile 
+++ b/kubernetes/aai/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/aai/components/Makefile b/kubernetes/aai/components/Makefile index 8674687e7d..fa3c4b9af9 100644 --- a/kubernetes/aai/components/Makefile +++ b/kubernetes/aai/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml index 5f36a0e94f..447b59f573 100644 --- a/kubernetes/aai/components/aai-babel/Chart.yaml +++ b/kubernetes/aai/components/aai-babel/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,21 +18,15 @@ apiVersion: v2 description: Babel microservice name: aai-babel -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties index 6a3a74c0a6..96f1a3eb89 100644 --- a/kubernetes/aai/components/aai-babel/resources/config/application.properties +++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,17 +16,8 @@ # limitations under the License. */}} server.port=9516 -{{ if ( include "common.needTLS" .) }} -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=need -server.ssl.key-store-type=PKCS12 -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/services/babel-service diff --git a/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml index 38a4e484c3..24d34e861c 100644 --- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020,2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,43 +19,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} + {{- end }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Babel" - /bin/bash /opt/app/babel/bin/start.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} 
@@ -70,16 +53,11 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - {{- if not (include "common.needTLS" .) }} - name: KEY_STORE_PASSWORD value: NotUsed - {{- end }} - name: CONFIG_HOME value: /opt/app/babel/config - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/babel/config/application.properties name: config subPath: application.properties @@ -99,8 +77,7 @@ spec: - mountPath: /opt/app/babel/config/logback.xml name: config subPath: logback.xml - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -113,10 +90,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: config configMap: name: {{ include "common.fullname" . }}-configmap @@ -127,5 +101,4 @@ spec: emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-babel/templates/service.yaml b/kubernetes/aai/components/aai-babel/templates/service.yaml index 87a29db457..86141abe90 100644 --- a/kubernetes/aai/components/aai-babel/templates/service.yaml +++ b/kubernetes/aai/components/aai-babel/templates/service.yaml 
@@ -16,29 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{- if eq .Values.service.type "NodePort" }} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else }} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end }} - - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index f6009af391..e058d82e46 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020, 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,47 +20,12 @@ ################################################################# global: {} -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-babel-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/babel:1.9.5 +image: onap/babel:1.12.3 flavor: small flavorOverride: small 
@@ -67,6 +33,11 @@ flavorOverride: small # default number of instances replicaCount: 1 +updateStrategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 + nodeSelector: {} affinity: {} @@ -85,35 +56,43 @@ readiness: service: type: NodePort - portName: http - externalPort: 9516 internalPort: 9516 - nodePort: 79 + ports: + - name: http + port: 9516 + nodePort: 79 ingress: enabled: false service: - - baseaddr: "aaibabel" + - baseaddr: "aai-babel-api" name: "aai-babel" port: 9516 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-modelloader-read + - serviceAccount: istio-ingress + namespace: istio-ingress + resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml index d5d0851552..69abea193f 100644 --- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml +++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml @@ -4,7 +4,7 @@ # ================================================================================ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -22,21 +22,15 @@ apiVersion: v2 description: ONAP AAI GraphAdmin name: aai-graphadmin -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties index f768338d99..8f63ac85ab 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,16 +25,9 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten - -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true @@ -41,13 +35,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} - aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }} diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index 27606021ef..b63cd83158 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties 
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright � 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange +# Modifications Copyright � 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,7 +35,7 @@ server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} +spring.profiles.active={{ .Values.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
@@ -49,23 +50,13 @@ server.local.startpath=/opt/app/aai-graphadmin/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8449 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61649 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904 +dmaap.ribbon.transportType=http # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -101,24 +92,19 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +schema.service.client=no-auth -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -{{ end }} aperture.rdbmsname=aai_relational -aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +aperture.service.client=no-auth aperture.service.base.url=http://localhost:8457/aai/aperture -{{ if ( include "common.needTLS" .) }} -aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -{{ end }} aperture.service.timeout-in-milliseconds=300000 + +#To Expose the Prometheus scraping endpoint +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=info,health,prometheus +endpoints.enabled=false +management.security.enabled=false \ No newline at end of file 
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml index 449ea3032c..8e1bf21c95 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml 
@@ -19,20 +19,36 @@ ============LICENSE_END========================================================= */}} --> - + - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} - - + + + + + + + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log + + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D + + + + + + + - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - "logType": "access" - + - - - WARN - - ${logDirectory}/dataGrooming/error.log - - ${logDirectory}/dataGrooming/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dataGrooming/debug.log - - ${logDirectory}/dataGrooming/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataGrooming/audit.log - - ${logDirectory}/dataGrooming/audit.log.%d{yyyy-MM-dd} - - - ${auditPattern} - - - - - - - WARN - - ${logDirectory}/dataSnapshot/error.log - - ${logDirectory}/dataSnapshot/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} 
- - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dataSnapshot/debug.log - - ${logDirectory}/dataSnapshot/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataSnapshot/audit.log - - ${logDirectory}/dataSnapshot/audit.log.%d{yyyy-MM-dd} - - - ${auditPattern} - - - - - - - WARN - - ${logDirectory}/historyTruncate/error.log - - ${logDirectory}/historyTruncate/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/historyTruncate/debug.log - - ${logDirectory}/historyTruncate/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/historyTruncate/audit.log - - ${logDirectory}/historyTruncate/audit.log.%d{yyyy-MM-dd} - - - ${auditPattern} - - - - - - - WARN - - ${logDirectory}/createDBSchema/error.log - - ${logDirectory}/createDBSchema/error.log.%d{yyyy-MM-dd} - - - ${"errorPattern"} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/createDBSchema/debug.log - - ${logDirectory}/createDBSchema/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/createDBSchema/metrics.log - - ${logDirectory}/createDBSchema/metrics.log.%d{yyyy-MM-dd} - - - ${metricPattern} - - - - - - - WARN - - ${logDirectory}/misc/error.log - - ${logDirectory}/misc/error.log.%d{yyyy-MM-dd} - - - ${"errorPattern"} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/misc/debug.log - - ${logDirectory}/misc/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/misc/audit.log - - ${logDirectory}/misc/audit.log.%d{yyyy-MM-dd} - - - ${auditPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dupetool/debug.log - - ${logDirectory}/dupetool/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/dupeTool/error.log - - ${logDirectory}/dupeTool/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - - - WARN - - 
${logDirectory}/dynamicPayloadGenerator/error.log - - ${logDirectory}/dynamicPayloadGenerator/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dynamicPayloadGenerator/debug.log - - ${logDirectory}/dynamicPayloadGenerator/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataExport/audit.log - - ${logDirectory}/dynamicPayloadGenerator/audit.log.%d{yyyy-MM-dd} - - - ${auditPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/forceDelete/debug.log - - ${logDirectory}/forceDelete/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/forceDelete/error.log - - ${logDirectory}/forceDelete/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/migration/debug.log - - ${logDirectory}/migration/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/migration/error.log - - ${logDirectory}/migration/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - - - WARN - - ${logDirectory}/dataExport/error.log - - ${logDirectory}/dataExport/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dataExport/debug.log - - ${logDirectory}/dataExport/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataExport/audit.log - - ${logDirectory}/dataExport/audit.log.%d{yyyy-MM-dd} - - - ${auditPattern} - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/schemaMod/debug.log - - ${logDirectory}/schemaMod/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/schemaMod/error.log - - ${logDirectory}/schemaMod/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/uniquePropertyCheck/debug.log - - ${logDirectory}/uniquePropertyCheck/debug.log.%d{yyyy-MM-dd} - - - 
${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/uniquePropertyCheck/metrics.log - - ${logDirectory}/uniquePropertyCheck/metrics.log.%d{yyyy-MM-dd} - - - ${metricPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/uniquePropertyCheck/error.log - - ${logDirectory}/uniquePropertyCheck/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - - - WARN - - ${logDirectory}/dynamicPayloadGenerator/error.log - - ${logDirectory}/dynamicPayloadGenerator/error.log.%d{yyyy-MM-dd} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dynamicPayloadGenerator/debug.log - - ${logDirectory}/dynamicPayloadGenerator/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataExport/audit.log - - ${logDirectory}/dynamicPayloadGenerator/audit.log.%d{yyyy-MM-dd} - - - ${auditPattern} - - - + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + + WARN + + ${logDirectory}/dataGrooming/error.log + + ${logDirectory}/dataGrooming/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dataGrooming/debug.log + + ${logDirectory}/dataGrooming/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dataGrooming/audit.log + + ${logDirectory}/dataGrooming/audit.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + + + + WARN + + ${logDirectory}/dataSnapshot/error.log + + ${logDirectory}/dataSnapshot/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dataSnapshot/debug.log + + ${logDirectory}/dataSnapshot/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dataSnapshot/audit.log + + ${logDirectory}/dataSnapshot/audit.log.%d{yyyy-MM-dd} + ${maxHistory} + 
${totalSizeCap} + + + ${auditPattern} + + + + + + + WARN + + ${logDirectory}/historyTruncate/error.log + + ${logDirectory}/historyTruncate/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/historyTruncate/debug.log + + ${logDirectory}/historyTruncate/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/historyTruncate/audit.log + + ${logDirectory}/historyTruncate/audit.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + + + + WARN + + ${logDirectory}/createDBSchema/error.log + + ${logDirectory}/createDBSchema/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${"errorPattern"} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/createDBSchema/debug.log + + ${logDirectory}/createDBSchema/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/createDBSchema/metrics.log + + ${logDirectory}/createDBSchema/metrics.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${metricPattern} + + + + + + + WARN + + ${logDirectory}/misc/error.log + + ${logDirectory}/misc/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${"errorPattern"} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/misc/debug.log + + ${logDirectory}/misc/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/misc/audit.log + + ${logDirectory}/misc/audit.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dupetool/debug.log + + ${logDirectory}/dupetool/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + WARN + ACCEPT + DENY + + ${logDirectory}/dupeTool/error.log + + ${logDirectory}/dupeTool/error.log.%d{yyyy-MM-dd} + 
${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + + + WARN + + ${logDirectory}/dynamicPayloadGenerator/error.log + + ${logDirectory}/dynamicPayloadGenerator/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dynamicPayloadGenerator/debug.log + + ${logDirectory}/dynamicPayloadGenerator/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dataExport/audit.log + + ${logDirectory}/dynamicPayloadGenerator/audit.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/forceDelete/debug.log + + ${logDirectory}/forceDelete/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + WARN + ACCEPT + DENY + + ${logDirectory}/forceDelete/error.log + + ${logDirectory}/forceDelete/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/migration/debug.log + + ${logDirectory}/migration/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + WARN + ACCEPT + DENY + + ${logDirectory}/migration/error.log + + ${logDirectory}/migration/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + + + WARN + + ${logDirectory}/dataExport/error.log + + ${logDirectory}/dataExport/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dataExport/debug.log + + ${logDirectory}/dataExport/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dataExport/audit.log + + ${logDirectory}/dataExport/audit.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + + + DEBUG + ACCEPT + DENY + + 
${logDirectory}/schemaMod/debug.log + + ${logDirectory}/schemaMod/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + WARN + ACCEPT + DENY + + ${logDirectory}/schemaMod/error.log + + ${logDirectory}/schemaMod/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/uniquePropertyCheck/debug.log + + ${logDirectory}/uniquePropertyCheck/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/uniquePropertyCheck/metrics.log + + ${logDirectory}/uniquePropertyCheck/metrics.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${metricPattern} + + + + + WARN + ACCEPT + DENY + + ${logDirectory}/uniquePropertyCheck/error.log + + ${logDirectory}/uniquePropertyCheck/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + + + WARN + + ${logDirectory}/dynamicPayloadGenerator/error.log + + ${logDirectory}/dynamicPayloadGenerator/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dynamicPayloadGenerator/debug.log + + ${logDirectory}/dynamicPayloadGenerator/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dataExport/audit.log + + ${logDirectory}/dynamicPayloadGenerator/audit.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + + + - - + + + + + + 
@@ -780,161 +911,262 @@ - - - ${logDirectory}/perf-audit/Audit-${lrmRVer}-${lrmRO}-${Pid}.log - - ${logDirectory}/perf-audit/Audit-${lrmRVer}-${lrmRO}-${Pid}.%i.log.zip - 1 - 9 - - - 5MB - - - auditPattern - - - - - ${logDirectory}/perf-audit/Perform-${lrmRVer}-${lrmRO}-${Pid}.log - - ${logDirectory}/perf-audit/Perform-${lrmRVer}-${lrmRO}-${Pid}.%i.log.zip - 1 - 9 - - - 5MB - - - "%d [%thread] %-5level %logger{1024} - %msg%n" - - - - - DEBUG - - ${logDirectory}/auth/auth.log - - ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} - - - %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n - - - - 1000 - true - - + + + + + ${logDirectory}/perf-audit/Audit-${lrmRVer}-${lrmRO}-${Pid}.log + + ${logDirectory}/perf-audit/Audit-${lrmRVer}-${lrmRO}-${Pid}.%i.log.zip + 1 + 9 + + + 5MB + + + auditPattern + + + + + ${logDirectory}/perf-audit/Perform-${lrmRVer}-${lrmRO}-${Pid}.log + + ${logDirectory}/perf-audit/Perform-${lrmRVer}-${lrmRO}-${Pid}.%i.log.zip + 1 + 9 + + + 5MB + + + "%d [%thread] %-5level %logger{1024} - %msg%n" + + + + + DEBUG + + ${logDirectory}/auth/auth.log + + ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n + + + + ${queueSize} + true + + + + + - + + + + + + - + + + + + + - + + + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - + + + + + - + + + + + - - - + + + + + + + - - - + + + + + + + - - - + + + + + + + + - - - + + + + + + + - - - + + + + + + + + - - + + + + + + + - - - + + + + + + + + - - - + + + + + + + + - - - + + + + + + + - - + + + + + + + - - + + + + + + + - - + + + + + + + - - - + + + + + + + + + + + + + @@ -944,13 +1176,21 @@ - - - + + + + + + + - + + + + + diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties index ccd9864fb6..40dc674e8b 100644 
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties @@ -26,8 +26,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin @@ -37,8 +35,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 5241c6edf2..cad213ab9e 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -46,6 +53,12 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 
@@ -53,50 +66,7 @@ spec: hostname: aai-graphadmin terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} {{ if .Values.global.initContainers.enabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: {{ if .Values.global.jobs.migration.enabled }} - /app/ready.py @@ -111,13 +81,9 @@ spec: {{ else }} - /app/ready.py args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service {{ end }} env: @@ -129,6 +95,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{ end }} containers: - name: {{ include "common.name" . }} 
@@ -143,10 +116,9 @@ spec: value: {{ .Values.service.internalPort | quote }} - name: INTERNAL_PORT_2 value: {{ .Values.service.internalPort2 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: INTERNAL_PORT_3 + value: {{ .Values.service.internalPort3 | quote }} + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties @@ -172,7 +144,11 @@ spec: subPath: application.properties ports: - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} - containerPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName2 }} + - containerPort: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. @@ -199,8 +175,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -213,10 +188,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} 
@@ -224,13 +196,7 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index a93c6107e7..c949f7dbf8 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -58,55 +59,12 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - command: - /bin/bash - -c - - /app/ready.py --container-name aai-cassandra --timeout 1 || /app/ready.py --container-name cassandra + - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} env: - name: NAMESPACE valueFrom: @@ -116,6 +74,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-db-backup-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job @@ -135,10 +100,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties 
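Review bot: In job-copy-db-backup.yaml `@@ -58,55 +59,12 @@`, the new readiness command still goes through `/bin/bash -c` although the `||` fallback that needed a shell is gone, so `{{ .Values.global.cassandra.serviceName }}` is now interpolated unquoted into a shell string. An unset value renders a bare `--service-name` with no argument, and any value is parsed by bash instead of being passed as a single argument. Use the list form that deployment.yaml, job-create-db.yaml and the first job of job-migration.yaml already use in this change (`- /app/ready.py` under `command:`, `- --service-name` and the name under `args:`), and consider wrapping the lookup in `required` so a missing service name fails at render time. The same line appears in the second job of job-migration.yaml.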
@@ -168,21 +130,14 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties - name: migration @@ -192,6 +147,5 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index a9349028f4..5046b0c06b 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml @@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -53,60 +54,13 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: - /app/ready.py args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service env: - name: NAMESPACE @@ -117,6 +71,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -135,10 +96,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties @@ -166,10 +124,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logs emptyDir: {} @@ -177,14 +133,8 @@ spec: configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: Never - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 10b8255c50..92474032b1 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml 
@@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -58,60 +59,13 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: - /app/ready.py args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service env: - name: NAMESPACE @@ -122,6 +76,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: @@ -133,10 +94,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties 
@@ -180,10 +138,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties @@ -211,10 +166,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} @@ -225,16 +178,10 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} --- apiVersion: batch/v1 kind: Job 
@@ -259,55 +206,12 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - command: - /bin/bash - -c - - /app/ready.py --container-name aai-cassandra --timeout 1 || /app/ready.py --container-name cassandra + - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} env: - name: NAMESPACE valueFrom: @@ -317,6 +221,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-db-backup-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job @@ -336,10 +247,7 @@ spec: value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties 
@@ -369,10 +277,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.resources" . | nindent 10 }} - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} - name: config @@ -391,6 +297,5 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index cf4655361d..e3f7569767 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -27,6 +27,7 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
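Review bot: In job-migration.yaml `@@ -369,10 +277,8 @@`, the context line `volumes: {{ include "common.resources" . | nindent 10 }}` is carried forward untouched, so the pod's `volumes:` list opens with the rendered resources block instead of volume entries. The first job in this file has `common.log.volumes` at that position, which makes this look like a copy-paste slip. Since the hunk already rewrites the lines on both sides of it, fix or drop the include here rather than leaving it for a later change.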
@@ -36,15 +37,26 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} + - port: {{ .Values.service.internalPort3 }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} + name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} + - port: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName }} {{- end}} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml new file mode 100644 index 0000000000..c0d9f212b4 --- /dev/null +++ b/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml @@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} \ No newline at end of file 
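Review bot: In service.yaml `@@ -36,15 +37,26 @@`, the non-NodePort branch maps the third port to the wrong target: `- port: {{ .Values.service.internalPort3 }}` is followed by `targetPort: {{ .Values.service.portName }}`, so traffic to the new port is forwarded to the first container port. It should be `portName3`, as in the NodePort branch. The NodePort branch also reads `.Values.service.nodePort3`, which the values.yaml hunk adding `portName3` and `internalPort3` does not define. Please confirm it is set outside the visible hunks, or keep this port out of the NodePort branch so the port that serves `/actuator/prometheus` is not published on the nodes.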
diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index 83da0bf91e..8b6b5f906a 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -5,6 +5,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,8 @@ global: # global defaults cassandra: #This will instantiate AAI cassandra cluster, default:shared cassandra. localCluster: false + # flag to enable the DB creation via k8ssandra-operator + useOperator: true initContainers: enabled: true jobs: @@ -61,7 +64,7 @@ global: # global defaults # Specifies if the connection should be one way ssl, two way ssl or no auth # will be set to no-auth if tls is disabled service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will # make a rest request to schema service translator: @@ -76,11 +79,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v26 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
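Review bot: In values.yaml `@@ -61,7 +64,7 @@`, `client:` changes from `one-way-ssl` to `no-auth`, but the comment above it still reads "will be set to no-auth if tls is disabled", which no longer describes a hard-coded default. Update the comment and state what is expected to protect this connection now that the certInitializer keystores are removed in the same change (the new `serviceMesh` block suggests the mesh), so that operators deploying without a mesh know the default gives them no client authentication.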
@@ -96,55 +99,10 @@ global: # global defaults # Specifies which clients should always default to realtime graph connection realtime: - clients: SDNC,MSO,SO,robot-ete - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-graphadmin-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }} - echo "*** writing passwords into prop file" - echo 
"KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} + clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1 # application image -image: onap/aai-graphadmin:1.9.4 +image: onap/aai-graphadmin:1.12.3 pullPolicy: Always restartPolicy: Always flavor: small @@ -165,9 +123,8 @@ config: # Specify the profiles for the graphadmin microservice profiles: - # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and - # serviceMesh.tls is set to tru - active: dmaap #,one-way-ssl" + + active: dmaap # Specifies the timeout limit for the REST API requests timeout: @@ -240,11 +197,18 @@ service: internalPort: 8449 portName2: tcp-5005 internalPort2: 5005 + portName3: http-graphadmin + internalPort3: 8448 terminationGracePeriodSeconds: 120 ingress: enabled: false +# No inbound communications. +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + persistence: enabled: true ## A manually managed Persistent Volume and Claim 
@@ -267,27 +231,57 @@ persistence: mountSubPath: aai/aai-graphadmin mountSubPath1: aai/migration +# To make logback capping values configurable +logback: + logToFileEnabled: false + maxHistory: 7 + totalSizeCap: 6GB + queueSize: 1000 + +accessLogback: + logToFileEnabled: false + maxHistory: 7 + totalSizeCap: 6GB + resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1536Mi + cpu: "0.5" + memory: "1.6Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "3.2Gi" unlimited: {} +metrics: + serviceMonitor: + enabled: false + targetPort: 8448 + path: /actuator/prometheus + basicAuth: + enabled: false + + selector: + app: '{{ include "common.name" . }}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . }}' + heritage: '{{ .Release.Service }}' + + relabelings: [] + + metricRelabelings: [] + # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Pods Service Account serviceAccount: diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml index 468b41b757..123da099a5 100644 --- a/kubernetes/aai/components/aai-modelloader/Chart.yaml +++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,21 +17,15 @@ apiVersion: v2 description: ONAP AAI modelloader name: aai-modelloader -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-modelloader/resources/application.properties b/kubernetes/aai/components/aai-modelloader/resources/application.properties new file mode 100644 index 0000000000..f910af1cae --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/resources/application.properties 
@@ -0,0 +1,31 @@ +# Note that the start.sh script sets the following System Properties +# We provide default values here for testing purposes +AJSC_HOME=. +CONFIG_HOME=appconfig-local +com.att.eelf.logging.path=src/main/resources +com.att.eelf.logging.file=logback.xml +logback.configurationFile=${com.att.eelf.logging.path}/${com.att.eelf.logging.file} + +server.port=9500 +#server.ssl.key-store= +#server.ssl.key-store-password= +#server.ssl.keyStoreType= +#server.ssl.keyAlias= + +spring.application.name=aai-model-loader + +spring.sleuth.enabled={{ .Values.tracing.enabled }} +spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }} +spring.sleuth.messaging.jms.enabled=false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c,b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} + +server.tomcat.threads.max=200 +# The minimum number of threads always kept alive +server.tomcat.threads.min-spare=25 + +# Spring Boot logging +logging.config=${logback.configurationFile} diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 deleted file mode 100644 index ee57120fa0..0000000000 Binary files a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 and /dev/null differ diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties index 2d7cf7f98c..e32f48f77f 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties +++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,36 +18,24 @@ # Model Loader Distribution Client Configuration */}} ml.distribution.ACTIVE_SERVER_TLS_AUTH=false -{{ if ( include "common.needTLS" .) }} -ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443 -ml.distribution.ASDC_USE_HTTPS=true -ml.distribution.KEYSTORE_PASSWORD= -ml.distribution.KEYSTORE_FILE= -ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -{{ else }} ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080 ml.distribution.ASDC_USE_HTTPS=false ml.distribution.KEYSTORE_PASSWORD= ml.distribution.KEYSTORE_FILE= ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -{{ end }} -ml.distribution.CONSUMER_GROUP=aai-ml-group -ml.distribution.CONSUMER_ID=aai-ml +{{- with (first .Values.kafkaUser.acls) }} +ml.distribution.CONSUMER_GROUP={{ .name }} +ml.distribution.CONSUMER_ID={{ .name }}-model-loader ml.distribution.ENVIRONMENT_NAME=AUTO ml.distribution.POLLING_INTERVAL=30 ml.distribution.POLLING_TIMEOUT=20 -ml.distribution.USER=aai +ml.distribution.USER={{ .name }} +{{- end }} ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR -ml.distribution.MSG_BUS_ADDRESSES=message-router.{{.Release.Namespace}} # Model Loader AAI REST Client Configuration -{{ if ( include "common.needTLS" .) 
}} -ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443 -ml.aai.KEYSTORE_FILE=aai-os-cert.p12 -ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o -{{ else }} -ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:8080 -{{ end }} +ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:80 +ml.aai.USE_HTTPS= false ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/ ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/ ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images @@ -57,9 +46,8 @@ ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw # Model Loader Babel REST Client Configuration\r ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516 ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts -{{ if ( include "common.needTLS" .) }} -ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12 -ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD} -ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD} -{{ end }} +ml.babel.KEYSTORE_FILE= +ml.babel.KEYSTORE_PASSWORD= +ml.babel.TRUSTSTORE_FILE= +ml.babel.TRUSTSTORE_PASSWORD= +ml.babel.USE_HTTPS= false diff --git a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml index 534fd021da..d3fd509dcd 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml @@ -26,6 +26,7 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/model-loader.properties").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/application.properties").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap 
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index 47c13af86e..8dee92f77e 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020-2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,11 +24,24 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} + {{- end }} selector: matchLabels: app: {{ include "common.name" . }} @@ -36,6 +50,12 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} spec: {{- if .Values.nodeSelector }} 
@@ -44,50 +64,6 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} - export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - - mountPath: /config-input - name: prop-config-input - - mountPath: /config - name: prop-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -95,15 +71,18 @@ spec: env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + volumeMounts: - mountPath: /opt/app/model-loader/config/model-loader.properties subPath: model-loader.properties name: prop-config - - mountPath: /opt/app/model-loader/config/auth/ - name: auth-config + - mountPath: /opt/app/model-loader/application.properties + subPath: application.properties + name: prop-config - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/app/model-loader/logback.xml @@ -113,21 +92,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: prop-config - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: prop-config-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-prop - - name: auth-config - secret: - secretName: {{ include "common.fullname" . }} - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} 
@@ -135,5 +103,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-log restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml b/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml b/kubernetes/aai/components/aai-modelloader/templates/secret.yaml deleted file mode 100644 index d6013c832e..0000000000 --- a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index 3b7d79e4a3..ab3d8646c2 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020-2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,54 +20,32 @@ global: # global defaults nodePortPrefix: 302 -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-ml-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - appMountPath: /opt/app/model-loader/config/auth/aaf - fqi_namespace: org.onap.aai - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} - # application image -image: onap/model-loader:1.9.4 +image: onap/model-loader:1.13.6 pullPolicy: Always restartPolicy: Always flavor: small flavorOverride: small -# application configuration -config: {} + +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: aai + type: group + operations: [Read] + - 
name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] # default number of instances replicaCount: 1 +updateStrategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 + nodeSelector: {} affinity: {} @@ -86,20 +65,29 @@ readiness: resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1 - memory: 1536Mi + cpu: "1" + memory: "2Gi" unlimited: {} +tracing: + enabled: true + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ignorePatterns: + - /aai/util.* + #Pods Service Account serviceAccount: nameOverride: aai-modelloader @@ -108,8 +96,8 @@ serviceAccount: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Log configuration log: diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml index 729d8087a7..3594492675 100644 --- a/kubernetes/aai/components/aai-resources/Chart.yaml +++ b/kubernetes/aai/components/aai-resources/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,21 +18,15 @@ apiVersion: v2 description: ONAP AAI resources name: aai-resources -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv deleted file mode 100644 index 60a8fb5f0b..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv +++ /dev/null 
@@ -1,33 +0,0 @@ -# AAI -> aai@aai.onap.org -Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ModelLoader -> aai@aai.onap.org -Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# AaiUI -> aai@aai.onap.org, -Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# MSO -> so@so.onap.org -Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 - -# SDNC -> sdnc@sdnc.onap.org -Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# DCAE -> dcae@dcae.onap.org -Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# POLICY -> policy@policy.onap.org -Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ASDC -> sdc@sdc.onap.org -Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# VID -> vid@vid.onap.org -Basic VklEOlZJRA==,Basic dmlkQHZpZC5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# APPC -> appc@appc.onap.org -Basic QVBQQzpBUFBD,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# OOF -> oof@oof.onap.org -Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03 - diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties deleted file mode 100644 index ec5fd55e06..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties +++ /dev/null @@ -1,8 +0,0 @@ - -cadi_loglevel=INFO -cadi_prop_files=/opt/app/aai-resources/resources/aaf/org.osaaf.location.props:/opt/app/aai-resources/resources/aaf/org.onap.aai.props - -# OAuth2 -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - 
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props deleted file mode 100644 index f4bb9ee89c..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props +++ /dev/null @@ -1,15 +0,0 @@ -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -# Modifications Copyright © 2020 Orange -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -cadi_alias=aai@aai.onap.org -cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD} -cadi_loglevel=INFO -cadi_bath_convert=/opt/app/aai-resources/resources/aaf/bath_config.csv diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props deleted file mode 100644 index 8ae66aaf79..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props +++ /dev/null 
@@ -1,24 +0,0 @@ -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? -cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - - diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties deleted file mode 100644 index 4234121a2d..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties +++ /dev/null @@ -1,2 +0,0 @@ -permission.type=org.onap.aai.resources -permission.instance=* \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties index 2e6fd25c2b..adabae3ac7 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2017 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -38,15 +39,9 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if .Values.global.config.basic.auth.enabled }} aai.tools.enableBasicAuth=true @@ -54,13 +49,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} - aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }} 
@@ -97,3 +85,16 @@ aai.bulkconsumer.payloadlimit={{ .Values.config.bulk.limit }} #uncomment and use header X-OverrideLimit with the value to override the bulk api limit aai.bulkconsumer.payloadoverride={{ .Values.config.bulk.override }} + +# +# AAI Graph DB checker task +# + +# Indicator to enable or disable scheduled task (true/false) +aai.graph.checker.task.enabled=true + +# Delay, in seconds, before the scheduled task is started, if enabled +aai.graph.checker.task.delay=5 + +# Period, in seconds, between two consecutive executions of the scheduled task, if enabled +aai.graph.checker.task.period=10 \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/application.properties b/kubernetes/aai/components/aai-resources/resources/config/application.properties index 78a07f2a0f..1b7bdf8ff6 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,9 +28,17 @@ spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ +spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }} +spring.sleuth.messaging.jms.enabled = false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} + spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }} +spring.profiles.active={{ .Values.global.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
@@ -44,23 +53,13 @@ server.local.startpath=aai-resources/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8447 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904 +dmaap.ribbon.transportType=http # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -96,11 +95,20 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} - -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} -schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ end }} +schema.service.client=no-auth + +#to expose the Prometheus scraping endpoint +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=info,health,prometheus +endpoints.enabled={{ .Values.endpoints.enabled }} +endpoints.info.enabled={{ .Values.endpoints.info.enabled }} +endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }} +endpoints.health.enabled={{ .Values.endpoints.health.enabled }} +management.metrics.web.server.auto-time-requests=false +management.metrics.distribution.percentiles-histogram[http.server.requests]=true +management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms, 60ms, 70ms, 80ms, 90ms, 100ms, 500ms, 1000ms, 5000ms, 7000ms +#Add common tag for grouping all aai related metrics +management.metrics.tags.group_id=aai +#It is not advisable to use labels to store dimensions with high cardinality. Enable this option only for debug purposes. For more information: https://github.com/micrometer-metrics/micrometer/issues/1584 +scrape.uri.metrics=false \ No newline at end of file 
diff --git a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties index 836dc7b176..4835560665 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties @@ -90,7 +90,17 @@ log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} {{ end }} storage.lock.wait-time=300 -# Setting db-cache to false ensure the fastest propagation of changes across servers -cache.db-cache = false + +# https://docs.janusgraph.org/operations/cache/#database-level-caching +# Setting db-cache to false will ensure the fastest propagation of changes across servers +# Setting db-cache to true will ensure fastest response times +cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} +{{ if .Values.config.janusgraph.caching.enabled }} +# cache-time in milliseconds +cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} +cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} +cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} +{{ end }} + #load graphson file on startup load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml index f5829a1dac..07919a97a2 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml 
@@ -26,18 +26,60 @@ */}} - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} - - + + + + + + + + + + + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log + + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} + %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} + %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} + %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} + %i{X-AAI-SSL-Client-DN} %D + + + + + + + - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} + %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} + %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} + %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - + "logType": "access" + + + + + /aai/util/echo + + NEUTRAL + DENY + + + - + + + {{/* -*/}} - +*/}} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/logback.xml b/kubernetes/aai/components/aai-resources/resources/config/logback.xml index 287b59f535..b52318500d 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/logback.xml +++ b/kubernetes/aai/components/aai-resources/resources/config/logback.xml @@ -29,6 +29,12 @@ + + + + + + 
@@ -57,229 +63,285 @@ - - - - - - %clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:-%wEx} - - - + + - - ${logDirectory}/rest/sane.log - - ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd} - - - %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - - - + + + + ${logDirectory}/rest/sane.log + + ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd}.zip + ${maxHistory} + ${totalSizeCap} + + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n + + + - - 1000 - true - - - - ${logDirectory}/rest/metrics.log - - ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd} - - - ${metricPattern} - - + + ${queueSize} + true + + + + ${logDirectory}/rest/metrics.log + + ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd}.zip + ${maxHistory} + ${totalSizeCap} + + + ${metricPattern} + + - - 1000 - true - - + + ${queueSize} + true + + - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/debug.log - - ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/rest/debug.log + + ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd}.zip + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + - - 1000 - - true - - - ${logDirectory}/rest/error.log - - ${logDirectory}/rest/error.log.%d{yyyy-MM-dd} - - - WARN - - - ${errorPattern} - - + + ${queueSize} + + true + + + ${logDirectory}/rest/error.log + + ${logDirectory}/rest/error.log.%d{yyyy-MM-dd}.zip + ${maxHistory} + ${totalSizeCap} + + + WARN + + + ${errorPattern} + + - - 1000 - - + + ${queueSize} + + - - ${logDirectory}/rest/audit.log - - ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd} - - - - ${auditPattern} - - + + ${logDirectory}/rest/audit.log + + ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + - - 1000 - true - - + + ${queueSize} + true + + - - - DEBUG - ACCEPT 
- DENY - - ${logDirectory}/rest/translog.log - - ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd} - - - - ${transLogPattern} - - + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/rest/translog.log + + ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + ${transLogPattern} + + - - 1000 - true - - + + ${queueSize} + true + + - - - WARN - - ${logDirectory}/dmaapAAIEventConsumer/error.log - - ${logDirectory}/dmaapAAIEventConsumer/error.log.%d{yyyy-MM-dd} - - - - ${errorPattern} - + + + WARN + + ${logDirectory}/dmaapAAIEventConsumer/error.log + + ${logDirectory}/dmaapAAIEventConsumer/error.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + - + - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/debug.log - - ${logDirectory}/dmaapAAIEventConsumer/debug.log.%d{yyyy-MM-dd} - - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log.%d{yyyy-MM-dd} - - - - ${auditPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log.%d{yyyy-MM-dd} - - - - ${metricPattern} - - - - - WARN - - ${logDirectory}/external/external.log - - ${logDirectory}/external/external.log.%d{yyyy-MM-dd} - - - - ${debugPattern} - - - - - DEBUG - - ${logDirectory}/auth/auth.log - - ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} - - - - %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dmaapAAIEventConsumer/debug.log + + ${logDirectory}/dmaapAAIEventConsumer/debug.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log + + ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + 
${totalSizeCap} + + + ${auditPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dmaapAAIEventConsumer/metrics.log + + ${logDirectory}/dmaapAAIEventConsumer/metrics.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + ${metricPattern} + + + + + WARN + + ${logDirectory}/external/external.log + + ${logDirectory}/external/external.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + DEBUG + + ${logDirectory}/auth/auth.log + + ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd}.zip + + ${maxHistory} + ${totalSizeCap} + + + %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n + + + + ${queueSize} + true + + + + + + + + + timestamp + + + context + ServerIPAddress + EntryTimestamp + InvokeTimestamp + ErrorCode + ErrorDesc + + + exception + + ^sun\.reflect\..*\.invoke + ^net\.sf\.cglib\.proxy\.MethodProxy\.invoke + true + + + thread + + logger + 36 + + + + {"logType":"app"} + + - - 1000 - true - - + @@ -302,45 +364,73 @@ - - - + + + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + + + + + - - - - - - + + + + + + + - - + + + + + + - + \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/realm.properties b/kubernetes/aai/components/aai-resources/resources/config/realm.properties index 9fbd122492..f254d03631 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/realm.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/realm.properties @@ -21,8 +21,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin 
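Review bot: in the realm.properties hunk only the VID and APPC entries are removed; every account left in the context lines (SDNC, DCAE, POLICY, ASDC, ModelLoader, AaiUI, OOF) still carries the `admin` role with an `OBF:` value committed to the chart. The `OBF:` prefix marks reversible obfuscation rather than a hash, so these are effectively default credentials readable by anyone with the repository. Since this change already prunes the file, consider sourcing the entries from a Secret supplied at install time and checking whether each remaining client really needs `admin`.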
@@ -32,8 +30,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml index 99973565f8..eccc4ba491 100644 --- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml 
@@ -34,19 +34,3 @@ data: {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-aaf-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml index 021f0946ed..122e522bb1 100644 --- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml @@ -3,6 +3,7 @@ # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,6 +25,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} @@ -43,6 +50,12 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} @@ -79,7 +92,7 @@ spec: spec: hostname: aai-resources terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness command: - /app/ready.py @@ -92,13 +105,9 @@ spec: - --job-name - {{ include "common.release" . }}-aai-graphadmin-create-db-schema {{- else }} - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service {{- end }} {{- end }} 
@@ -110,6 +119,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -119,27 +135,34 @@ spec: args: - -c - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) echo "*** actual launch of AAI Resources" /bin/bash /opt/app/aai-resources/docker-entrypoint.sh env: + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if .Values.config.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.config.profiling.args }}' + {{- end }} + {{- if .Values.config.debug.enabled }} + - name: POST_JVM_ARGS + value: {{ .Values.config.debug.args | quote }} + {{- end }} - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.global.config.groupId | quote }} - - name: POST_JAVA_OPTS - value: '-Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword={{ .Values.certInitializer.truststorePassword }}' - - name: TRUSTORE_ALL_PASSWORD - value: {{ .Values.certInitializer.truststorePassword }} - name: INTERNAL_PORT_1 value: {{ .Values.service.internalPort | quote }} - name: INTERNAL_PORT_2 value: {{ .Values.service.internalPort2 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: INTERNAL_PORT_3 + value: {{ .Values.service.internalPort3 | quote }} + volumeMounts: - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties 
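Review bot: `PRE_JVM_ARGS` is rendered as `value: '{{ join " " .Values.config.profiling.args }}'` with hand-written single quotes, so any argument containing a single quote produces invalid YAML, whereas `POST_JVM_ARGS` directly below uses `| quote`. Use `{{ join " " .Values.config.profiling.args | quote }}` so both variables are escaped the same way. The `range` over `.Values.config.env` also upper-cases every key silently; a short comment in values.yaml saying so would save a surprise for anyone adding a mixed-case variable.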
@@ -160,21 +183,6 @@ spec: - mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties name: {{ include "common.fullname" . }}-config subPath: realm.properties - - mountPath: /opt/app/aai-resources/resources/aaf/bath_config.csv - name: {{ include "common.fullname" . }}-aaf-certs - subPath: bath_config.csv - - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.onap.aai.props - - mountPath: /opt/app/aai-resources/resources/aaf/org.osaaf.location.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.osaaf.location.props - - mountPath: /opt/app/aai-resources/resources/aaf/permissions.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: permissions.properties - - mountPath: /opt/app/aai-resources/resources/cadi.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: cadi.properties - mountPath: /opt/app/aai-resources/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties @@ -183,7 +191,18 @@ spec: subPath: application-keycloak.properties ports: - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} + {{- if .Values.config.debug.enabled }} - containerPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName2 }} + {{- end }} + - containerPort: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} + {{- if .Values.config.profiling.enabled }} + - containerPort: {{ .Values.service.internalPort4 }} + name: {{ .Values.service.portName4 }} + {{- end }} + lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. 
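Review bot: in the ports hunk, `containerPort: {{ .Values.service.internalPort2 }}` is now wrapped in `if .Values.config.debug.enabled`, but service.yaml in this same patch still lists `internalPort2` with `targetPort: {{ .Values.service.portName2 }}` unconditionally, in both the NodePort and the default branch. With debug disabled the Service advertises a port that has no named container port behind it, and in NodePort mode it still allocates a node port for the debugger. Gate the Service entry on the same flag so the debug port is only published when it is deliberately switched on.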
@@ -200,17 +219,35 @@ spec: # so K8s doesn't restart unresponsive container {{- if .Values.liveness.enabled }} livenessProbe: - tcpSocket: + httpGet: + path: /aai/util/echo?action=checkDB port: {{ .Values.service.internalPort }} + scheme: HTTP + httpHeaders: + - name: X-FromAppId + value: LivenessCheck + - name: X-TransactionId + value: LiveCheck_TID + - name: Accept + value: application/json initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{- end }} readinessProbe: - tcpSocket: + httpGet: + path: /aai/util/echo?action=checkDB port: {{ .Values.service.internalPort }} + scheme: HTTP + httpHeaders: + - name: X-FromAppId + value: ReadinessCheck + - name: X-TransactionId + value: ReadinessCheck_TID + - name: Accept + value: application/json initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} 
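Review bot: the livenessProbe now calls `/aai/util/echo?action=checkDB`, the same path as the readinessProbe, which contradicts the context comment "so K8s doesn't restart unresponsive container". A database outage will fail liveness on every replica and restart pods that are otherwise healthy, which does nothing to recover the database. Keep `checkDB` for readiness only and point liveness at an endpoint that does not touch the database. Neither probe sets `timeoutSeconds`, so the one-second default applies to a call that includes a database round trip; make it configurable alongside `initialDelaySeconds` and `periodSeconds`.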
@@ -220,22 +257,12 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-aaf-properties - configMap: - name: {{ include "common.fullname" . }}-aaf-props - - name: {{ include "common.fullname" . }}-aaf-certs - secret: - secretName: {{ include "common.fullname" . }}-aaf-keys restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-resources/templates/secret.yaml b/kubernetes/aai/components/aai-resources/templates/secret.yaml deleted file mode 100644 index a0d8629459..0000000000 --- a/kubernetes/aai/components/aai-resources/templates/secret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf-keys - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} ---- -{{ include "common.secretFast" . }} diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index 46118461d1..0613129aac 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml @@ -21,6 +21,7 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -30,16 +31,29 @@ spec: {{ if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} + - port: {{ .Values.service.internalPort3 }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} + name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} + - port: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + clusterIP: None + sessionAffinity: {{ .Values.service.sessionAffinity }} diff --git a/kubernetes/aai/components/aai-resources/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-resources/templates/servicemonitor.yaml new file mode 100644 index 0000000000..c0d9f212b4 --- /dev/null +++ b/kubernetes/aai/components/aai-resources/templates/servicemonitor.yaml 
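Review bot: in the service.yaml hunk, `clusterIP: None` is added unconditionally at the end of the spec while the template keeps its `if eq .Values.service.type "NodePort"` branch with `nodePort` entries. A headless Service cannot be of type NodePort, so that branch can no longer be applied successfully. Either remove the NodePort branch or emit `clusterIP: None` only in the `else` case. The headless change also alters how clients resolve and balance across replicas, which deserves a line in the commit message.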
@@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index 4952535ea5..b1d32028c2 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -1,6 +1,7 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Copyright (c) 2020 Nokia, Orange # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,8 +34,6 @@ global: # global defaults migration: enabled: false - aafEnabled: false - config: # Specifies that the cluster connected to a dynamic # cluster being spinned up by kubernetes deployment @@ -51,8 +50,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - # aaf-auth profile will be automatically set if aaf enabled is set to true - active: production,dmaap #,aaf-auth + active: production,dmaap # Notification event specific properties notification: @@ -63,7 +61,7 @@ global: # global defaults schema: # Specifies if the connection should be one way ssl, two way ssl or no auth service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service 
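Review bot: switching `client: one-way-ssl` to `client: no-auth` in the last hunk has no effect on this component's application.properties any more, because the same patch replaces the ternary on `.Values.global.config.schema.service.client` with the literal `schema.service.client=no-auth`. Either keep the property templated from this value, or remove the key together with its comment "Specifies if the connection should be one way ssl, two way ssl or no auth", so operators are not led to believe the mode is still configurable here.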
@@ -77,11 +75,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v26 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
@@ -123,41 +121,9 @@ aai_enpoints: url: network - name: aai-externalSystem url: external-system -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-resources-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-resources - fqi: aai-resources@aai-resources.onap.org - public_fqdn: aai-resources.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-resources - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} # application image -image: onap/aai-resources:1.9.5 +image: onap/aai-resources:1.13.0 pullPolicy: Always restartPolicy: Always flavor: small 
@@ -188,6 +154,18 @@ config: # to the user in keycloak multiTenancy: enabled: true + janusgraph: + caching: + # enable when running read-heavy workloads + # modifications to graph done by this service/janusgraph instance will immediately invalidate the cache + # modifications to graph done by other services (traversal) will only be visible + # after time specified in db-cache-time + enabled: false + # Documentation: https://docs.janusgraph.org/operations/cache/#database-level-caching + dbCacheTime: 180000 # in milliseconds + dbCacheSize: 0.1 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running + dbCacheCleanWait: 20 # in milliseconds + # Specifies crud related operation timeouts and overrides crud: @@ -209,6 +187,33 @@ config: # Specifies if the bulk can be override and if it can the value override: false + # environment variables added to the launch of the image in deployment + env: + MIN_HEAP_SIZE: "512m" + MAX_HEAP_SIZE: "1024m" + MAX_METASPACE_SIZE: "512m" + + # adds jvm args for remote debugging the application + debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + + # adds jvm args for remote profiling the application + # port-forward, i.e: + # $ PODNAME=traversal + # $ kubectl -n ${NAMESPACE:=onap} port-forward pod/$(kubectl -n ${NAMESPACE:=onap} + # get pods | awk '{print $1}' | grep -m1 -e "$PODNAME") 9999:9999 + profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + nodeSelector: {} affinity: {} 
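Review bot: the `profiling.args` list enables JMX with `jmxremote.authenticate=false`, `jmxremote.ssl=false` and `jmxremote.local.only=false`, and `debug.args` opens JDWP on 5005. Both default to `enabled: false`, but nothing in the comments says they are for development use only. Add that statement next to each `enabled` key, and note that the `java.rmi.server.hostname=127.0.0.1` setting assumes access through the port-forward shown above. The port-forward example also uses `PODNAME=traversal` in the aai-resources chart, which looks copied from the traversal component.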
@@ -231,11 +236,20 @@ service: internalPort: 8447 portName2: tcp-5005 internalPort2: 5005 + portName3: http-resources + internalPort3: 8448 terminationGracePeriodSeconds: 120 + sessionAffinity: None ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-read + - serviceAccount: consul-read + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following 
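Review bot: deployment.yaml in this patch references `.Values.service.internalPort4` and `.Values.service.portName4` when `config.profiling.enabled` is true, but this hunk adds only `portName3` and `internalPort3` to the `service:` block. Unless those keys are defined elsewhere in the file, enabling profiling renders a `containerPort:` with no value and the Deployment is rejected. Add both keys here, with the port set to 9999 to match `jmxremote.port`. For the `serviceMesh.authorizationPolicy.authorizedPrincipals` list, a short comment explaining why `aai-read` and `consul-read` are the permitted callers would help whoever next has to extend it.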
@@ -248,28 +262,95 @@ ingress: # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "6Gi" unlimited: {} +tracing: + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ignorePatterns: + - /aai/util.* + +endpoints: + enabled: true + health: + enabled: true + info: + enabled: true + +metrics: + serviceMonitor: + enabled: false + targetPort: 8448 + path: /actuator/prometheus + basicAuth: + enabled: false + externalSecretName: mysecretname + externalSecretUserKey: login + externalSecretPasswordKey: password + + ## Namespace in which Prometheus is running + ## + # namespace: monitoring + + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + #interval: 30s + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # scrapeTimeout: 10s + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + app: '{{ include "common.name" . }}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . 
}}' + heritage: '{{ .Release.Service }}' + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + metricRelabelings: [] + # - sourceLabels: + # - "__name__" + # targetLabel: "__name__" + # action: replace + # regex: '(.*)' + # replacement: 'example_prefix_$1' + #Pods Service Account serviceAccount: nameOverride: aai-resources @@ -280,3 +361,16 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# To make logback capping values configurable +logback: + logToFileEnabled: false + maxHistory: 7 + totalSizeCap: 1GB + queueSize: 1000 + +accessLogback: + livenessAccessLogEnabled: false # false: do not log kubernetes liveness probes + logToFileEnabled: false + maxHistory: 7 + totalSizeCap: 1GB diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml index f608b7596f..3860826d1b 100644 --- a/kubernetes/aai/components/aai-schema-service/Chart.yaml +++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2019 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
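Review bot: in the values hunk '@@ -248,28 +262,95 @@' above, tracing.sampling.probability defaults to 1.0, so every request is traced and exported to the collector on any install that never touches this value; a lower default, with 1.0 kept as a documented override for debugging, would suit production load better. The same hunk raises resources.large.requests.memory from 4Gi to "6Gi" in the middle of what otherwise reads as a quoting-only change, and the comment typo 'evalued' appears twice. Please mention the memory change in the commit message and fix the typo.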
@@ -18,21 +18,15 @@ apiVersion: v2 description: ONAP AAI Schema Service name: aai-schema-service -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties index a2abaf3785..4c620a0028 100644 --- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties @@ -4,6 +4,7 @@ # org.onap.aai # ================================================================================ # Copyright © 2019 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,15 +20,9 @@ # ============LICENSE_END========================================================= */}} -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true @@ -35,12 +30,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} aai.default.api.version={{ .Values.global.config.schema.version.api.default }} diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties index a3f7998a8f..20dc6bc520 100644 --- a/kubernetes/aai/components/aai-schema-service/config/application.properties +++ b/kubernetes/aai/components/aai-schema-service/config/application.properties 
@@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,18 +38,8 @@ server.local.startpath=aai-schema-service/src/main/resources/ server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties server.port=8452 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=PKCS12 -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} schema.configuration.location=N/A schema.source.name={{ .Values.global.config.schema.source.name }} diff --git a/kubernetes/aai/components/aai-schema-service/config/realm.properties b/kubernetes/aai/components/aai-schema-service/config/realm.properties index 7c8539dbe7..8ed63174df 100644 --- a/kubernetes/aai/components/aai-schema-service/config/realm.properties +++ b/kubernetes/aai/components/aai-schema-service/config/realm.properties @@ -4,8 +4,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin 
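Review bot: removing the VID and APPC lines leaves the rest of realm.properties as it was, and every entry visible in this hunk still maps to the admin role with a Jetty 'OBF:' string, which is reversible obfuscation rather than a hash. Since the file is being edited anyway, consider rendering these entries from a Kubernetes Secret instead of keeping them in the chart, and confirm in the commit message that no remaining component authenticates as VID or APPC.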
@@ -16,8 +14,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml index cd58b959ad..0ecc2b2d80 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml 
+++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,11 +24,24 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} + {{- end }} selector: matchLabels: app: {{ include "common.name" . }} 
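Review bot: the version label added under metadata.labels is a multi-line if/else on .Chart.AppVersion that the next hunk repeats verbatim for the pod template labels. A single line such as 'version: "{{ .Chart.AppVersion | default .Chart.Version | replace "+" "_" }}"' renders the same value, or the block could move into a shared helper so the two copies cannot drift apart.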
@@ -36,58 +50,26 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} - export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - {{- end }} containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Schema Service" - /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh - {{- end }} env: - name: LOCAL_USER_ID value: {{ .Values.securityContext.user_id | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties name: aaiconfig-conf subPath: aaiconfig.properties @@ -107,7 +89,9 @@ spec: subPath: application.properties ports: - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} - containerPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName2 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -122,8 +106,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
@@ -136,13 +119,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: aai-common-aai-auth-mount secret: secretName: aai-common-aai-auth - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} @@ -162,5 +142,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-realm restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index b54b6be644..79f01d6638 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml @@ -21,6 +21,7 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -30,15 +31,19 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} {{- end }} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index b15f6d936f..ccda86dc0d 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -40,11 +41,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v26 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
@@ -58,49 +59,19 @@ global: # global defaults edge: label: v12 -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-schema-service-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-schema-service - fqi: aai-schema-service@aai-schema-service.onap.org - public_fqdn: aai-schema-service.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-schema-service - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} - # application image -image: onap/aai-schema-service:1.9.6 +image: onap/aai-schema-service:1.12.3 pullPolicy: Always restartPolicy: Always flavorOverride: small # default number of instances replicaCount: 1 +updateStrategy: + type: RollingUpdate + maxUnavailable: 0 + 
maxSurge: 1 + nodeSelector: {} affinity: {} @@ -127,6 +98,13 @@ service: ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-graphadmin-read + - serviceAccount: aai-resources-read + - serviceAccount: aai-traversal-read + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -139,26 +117,26 @@ ingress: # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} #Pods Service Account @@ -169,8 +147,8 @@ serviceAccount: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Log configuration log: diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml index 0a2c028721..a057002f57 100644 --- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml +++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,21 +17,15 @@ apiVersion: v2 description: ONAP AAI sparky-be name: aai-sparky-be -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties index ee1341751f..178adb80b3 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,15 +19,9 @@ oxm.schemaNodeDir=/opt/app/sparky/onap/oxm #schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config oxm.schemaServiceTranslatorList=config # The end point for onap is https://:/onap/schema-service/v1/ -{{ if ( include "common.needTLS" .) }} -oxm.schemaServiceBaseUrl=https:///aai/schema-service/v1/ -oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD} -oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD} -{{ else }} + oxm.schemaServiceBaseUrl=http:///aai/schema-service/v1/ -{{ end }} + # Schema Service need this variable for the time being diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 8bd4494a2b..e9ed63e76e 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,16 +16,7 @@ */}} resources.hostname=aai -{{ if ( include "common.needTLS" .) }} -resources.port=8443 -resources.authType=SSL_BASIC -resources.basicAuthUserName=aai@aai.onap.org -resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek -resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -resources.trust-store-password=${TRUSTSTORE_PASSWORD} -resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -resources.client-cert-password=${KEYSTORE_PASSWORD} -{{ else }} -resources.port=8080 + +resources.port=80 resources.authType=HTTP_NOAUTH -{{ end }} + diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties index 422e7ce150..c6e1baac2a 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,13 +14,6 @@ # limitations under the License. server.port=8000 -{{ if ( include "common.needTLS" .) }} -server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} + 
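Review bot: after this hunk the only SSL settings left in application-ssl.properties are security.require-ssl=false and server.ssl.enabled=false, so a Spring profile called 'ssl' now switches TLS off. Anyone who activates that profile expecting encrypted transport gets plain HTTP. Delete the file (application.properties in this patch hard-codes the http profile) or rename it, and state in the chart documentation where transport encryption is expected to come from now that the needTLS branches are gone.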
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties index 90cb00069e..b5ad6b3f4a 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,16 +23,10 @@ spring.mvc.favicon.enabled=false # and in the values.yaml change the internalPort to 9517 # -spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }} +spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,http portal.cadiFileLocation={{.Values.config.cadiFileLocation}} searchservice.hostname={{.Values.global.searchData.serviceName}} searchservice.port=9509 -{{ if ( include "common.needTLS" .) }} -searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -searchservice.client-cert-password=${KEYSTORE_PASSWORD} -searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -searchservice.truststore-password=${TRUSTSTORE_PASSWORD} -{{ end }} schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties deleted file mode 100644 index 67268e33e2..0000000000 
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties +++ /dev/null @@ -1 +0,0 @@ -cipher.enc.key=AGLDdG4D04BKm2IxIWEr8o==! diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties deleted file mode 100644 index 7a0fb8250b..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -################################################################################ -############################## Portal properties ############################### -################################################################################ - -# Java class that implements the ECOMP role and user mgt API -*/}} -portal.api.impl.class = org.onap.aai.sparky.security.portal.PortalRestAPICentralServiceImpl - -# Instance of ECOMP Portal where the app has been on-boarded -# use insecure http for dev purposes to avoid self-signed certificate -ecomp_rest_url = https://portal-app:8443/ONAPPORTAL/auxapi - -# Standard global logon page -ecomp_redirect_url = https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm - -# Name of cookie to extract on login request -csp_cookie_name = EPService -# Alternate values: DEVL, V_DEVL, V_PROD -csp_gate_keeper_prod_key = PROD - -# Toggles use of UEB -ueb_listeners_enable = false -# IDs application withing UEB flow -ueb_app_key=ueb_key_7 -# Use this tag if the app is centralized -role_access_centralized=remote - -# Connection and Read timeout values -ext_req_connection_timeout=15000 -ext_req_read_timeout=20000 - -#Add AAF namespace if the app is centralized -auth_namespace={{ .Values.certInitializer.fqi_namespace }} 
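Review bot: the key.properties deletion just before this file ('@@ -1 +0,0 @@') takes a literal cipher.enc.key value out of the tree, and the keyFile deletion further down does the same for a key blob, but both stay readable in the repository history. Please say in the commit message that these keys are retired and that nothing deployed still depends on them, so nobody restores the files later assuming the values are still secret.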
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties deleted file mode 100644 index baefd9806b..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties +++ /dev/null 
@@ -1,49 +0,0 @@ -# Configure AAF -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 -aaf_url=<%=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -#aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE -# AAF Environment Designation - -#if you are running aaf service from a docker image you have to use aaf service IP and port number -aaf_id={{ .Values.certInitializer.fqi }} -#Encrypt the password using AAF Jar -aaf_password={{ .Values.certInitializer.aafDeployPass }} -# Sample CADI Properties, from CADI 1.4.2 -#hostname=org.onap.aai.orr -csp_domain=PROD -# Add Absolute path to Keyfile -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -cadi_alias={{ .Values.certInitializer.fqi }} - -# This is required to accept Certificate Authentication from Certman certificates. -# can be TEST, IST or PROD -aaf_env=DEV - -# DEBUG prints off all the properties. Use to get started. -cadi_loglevel=DEBUG - -# Add Absolute path to truststore2018.jks -cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -# Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs -cadi_truststore_password=${TRUSTSTORE_PASSWORD} - -# how to turn on SSL Logging -#javax.net.debug=ssl - -# Use "maps.bing.com" to get Lat and Long for an Address -AFT_LATITUDE=32.780140 -AFT_LONGITUDE=-96.800451 -AFT_ENVIRONMENT=AFTUAT -AFT_DME2_CLIENT_IGNORE_SSL_CONFIG=true -DME2.DEBUG=true -AFT_DME2_HTTP_EXCHANGE_TRACE_ON=true - -cadi_latitude=32.780140 -cadi_longitude=-96.800451 - -aaf_root_ns=com.att.aaf -aaf_api_version=2.0 
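Review bot: cadi.properties is deleted here, yet application.properties in this patch keeps 'portal.cadiFileLocation={{.Values.config.cadiFileLocation}}' as unchanged context, so that setting may now name a file the chart no longer ships. Remove the property and the config.cadiFileLocation value together with this file, or note why they stay.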
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile deleted file mode 100644 index 921ce6714a..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile +++ /dev/null 
@@ -1,27 +0,0 @@ -77E_fh-8gTjeg8egAo-JgNkXYm1FGEBPMo44vKPgKyGCJj9Dn0xJqIBct2Ko35X4_HSU3wPq3I2q -YHIvJCjmzXTVu2zvu4rIGTlwycTtLGDkgPyhOYFytv4GgazbpSs9331MPUeVVrdpkDCQmjtHSB4m -DThhfEe2lkbZ35ljX3sVSf3JDy4ngRot0ktQwnnY4vxFdgVUl7LzVinXWgFLoqMyXmKh_bGw9aUH -VMgqFsF_YmqLZY5ZARAraeywktvrU5kXYh5SnfXoJy7XIk0TBjHKqO-1mW-TcIgS3_v6GIGkZnpq -e1FyE8cS21gTPFlc1KDoWUZE2yoEsQKJc4RFWfjid_mE6nckxym1TOsEn3G2_TlkZvliN_QMDB_c -RuFLDB9HCChm4YYHpSn-RBqtJFz29bMTHQX8VNVfZ_Zhh-4dWOlEfpSzJvAqm_boo-8y8YDGIusx -mvKyPXEKVCuBOljHaKhYg0d43nAXIFsssKpjmtQizA2L_TP1Mo_lDFIlCsPcRlHKTvzkTstEAhRj -JnepzA--olBMwBkPxjm1Y5XQBGZH72i_o4Hr7_NqHb9sP486I2Nd1-owjHkhacGrLO1oORnuBUxp -_SnaXYywe9tTz3BcfFupXSoDv4Sj7g9B53yPIWmjGggigidql3SNJsui6qOtwDHOejzEDFm23Lj7 -fXD6sb52U_ul9ahi4CoLTzpvMsPRYOqyRCk8K8FVBauZbG5D42oaFPn0S0rCSHOCU1TXbRdTF-Cs -I2R0pEHNgb33yx6vtInaTSYIQ5cxa3XDA_50AQearV5SuYSlp8dK0BkpVCKgvSQdTn-2WiaV_hvO -KzG7D2adT1kYY6TjYMXIaUiJ33y1XSNDG0s6r4NG5dNE6Jj7thdpnV-AAZoi0uZh1_bsHKLVmHRr -NCXAc6DZm1D4N9y5lOJwUprUlJisZXLFTQThGMRY5dtiY_eK9Xjj4FQygXXhuhFXHz2-e4YApORv -lXDcT29IZuuI1j26bxdNdhNr1wZsqqievBN6l6OQMiP21eIrxAUu1BEmiVOrfOzaEjxldDN2gFum -4-zf9gsQT9UT8KEuOje64wVeHr09JpWuddV9HOAMvqc6mKTWmvUv_QiLgtK_b39QccMrOfOA1usM -biRJ9wuTYIr584Q9CjHEcm5e2YufcbF-IDZ4IDui8gNXyYJuusTYdspeKzrtiLKfgI56ZWA3it9G -SOkN18YyUmhk7HFkx9qEifb4UEbUQPb0dyXBRotf-91c5CPkct-36uV4sZBA_AR1tX3-aRKKB_SQ -B0zaG-eaEdEqKv-ZYHqk23ZxiEsCX3ZdY7VSMWztE3_D5n8UgEl4et5LVfnjvU-arVVO93WUbXk0 -zi2QrOwytOZ0StAvFdF1nVwWllPg4EYcn8qLJIaaBRvLMlpHixtwRhltwJeMmJl3ExImOxNhVbhF -6LxVXW6JK8JfMIwb_TE4EShDBjemq76BojQOwrO4OAyPG7B5iUtefdY-Zu1EtjXPhrUgljI_A1tg -5_2WNjNTCT7Bvig3saFsIRi3cvgIcMAF2H7kJYw3UDvCFnx4LIom2u6vSeyatPxEOhRfpP0KvgEU -koM9DFJW7VWQ11mB_DcU2NoYHdFKFy_cM62kIvoRwZTADGryEtkLSWEDT8MLpVrGXP2RjSZ3HHqC -vVpVqQHC2VIqNKi2uHtYCiTEfj81Z0rCrnH3hYIRoOSe5W6m17xyb0RloG0G44uK0oNCfDYLwK0L -TJaBdWSIBYI__ISsKx8o8r-3XLtbwQPPhv4-LpGwJYd7sIcqnpTYAyNGSrbEM4ECzHCH9Hwf9Duy -cAQGWqXIbTV9i8ryw8OhcCZPTf3noPZyhzzdegiv6KNT-BBbxsgtDehtP-jvpd9eAhjlfUV_hoFJ 
-rBUVMFrIOEDnnItVqBDmnavRdhn6N9ObVjVMv_4inhkvtpBCEVxtVQT2kFuBmZvPu_uHHbXi7_g8 -SVs3AjJ2ya3pZraK6gH3IOYoGtTAH3rKl7XdTMjqWnUCbhepuJqeEOF-DhpsEW7Oo0Lqzbjg \ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties deleted file mode 100644 index e1ddd326f9..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -##################################################################################### -############################## Portal Auth Properties ############################## -##################################################################################### - -############################## Auth ############################## -*/}} -username={{.Values.config.portalUsername}} -password={{.Values.config.portalPassword}} - -{{/* -############################## ############################## -# -# ONAP Cookie Processing - During initial development, this flag, if true, will -# prevent the portal interface's login processing from searching for a user -# specific cookie, and will instead allow passage if a valid session cookie is -# discovered. -*/}} -onap_enabled={{.Values.config.portalOnapEnabled}} -onap.user_id_cookie_name={{.Values.config.portalCookieName}} -cookie_decryptor_classname={{.Values.config.cookieDecryptorClass}} -app_roles={{.Values.config.portalAppRoles}} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index fee07d8acf..7c958fa410 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml 
@@ -27,29 +27,3 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-portal - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/portal/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-portal-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/portal/BOOT-INF/classes/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index d23d9cf6a8..f8813cdf69 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright (c) 2017 Amdocs, Bell Canada # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,62 +19,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} + {{- end }} template: - metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if ( include "common.needTLS" .) }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ - | xargs -0) - if [ -z "$KEYSTORE_PASSWORD" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - fi - echo "*** write them in portal part" - cd /config-input - for PFILE in `ls -1 .` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: portal-config-input - - mountPath: /config - name: portal-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + initContainers: - command: - /app/ready.py args: - - --container-name + - --service-name - aai env: - name: NAMESPACE @@ -84,6 +48,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -93,22 +64,9 @@ spec: args: - -c - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ - | xargs -0) echo "*** actual launch of AAI Sparky BE" /opt/app/sparky/bin/start.sh - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/sparky/config/auth/csp-cookie-filter.properties - name: auth-config - subPath: csp-cookie-filter.properties - - mountPath: /opt/app/sparky/config/portal/ - name: portal-config - - mountPath: /opt/app/sparky/config/portal/BOOT-INF/classes/ - name: portal-config-props + volumeMounts: - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/app/sparky/config/application.properties @@ -138,8 +96,7 @@ spec: - mountPath: /opt/app/sparky/config/logging/logback.xml name: config subPath: logback.xml - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -154,8 +111,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -168,32 +124,14 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: config configMap: name: {{ include "common.fullname" . }} - - name: portal-config - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: portal-config-input - {{- end }} - configMap: - name: {{ include "common.fullname" . }}-portal - - name: portal-config-props - configMap: - name: {{ include "common.fullname" . }}-portal-props - - name: auth-config - secret: - secretName: {{ include "common.fullname" . }} - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: modeldir emptyDir: {} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml b/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml deleted file mode 100644 index d6013c832e..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml index 457b3576a0..10d9e2a07d 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml 
@@ -14,27 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ ternary "s" "" (eq "true" (include "common.needTLS" .)) }} - {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index 5c540c9b96..0a9de51e54 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright (c) 2020 Nokia, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,40 +28,6 @@ global: # global defaults searchData: serviceName: aai-search-data - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-sparky-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "aai" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.aai" - fqi: "aai@aai.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing passwords into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - # application image image: onap/sparky-be:2.0.3 pullPolicy: Always @@ -78,7 +45,6 @@ config: portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui portalCookieName: UserId portalAppRoles: ui_view - cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties cookieDecryptorClass: org.onap.aai.sparky.security.BaseCookieDecryptor # ONAP Cookie Processing - During initial development, the following flag, if true, will 
@@ -87,14 +53,14 @@ config: portalOnapEnabled: true # -# override chart name (sparky-be) to share a common namespace -# suffix with parent chart (aai) -nsSuffix: aai - - # default number of instances replicaCount: 1 +updateStrategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 + nodeSelector: {} affinity: {} @@ -113,36 +79,48 @@ readiness: service: type: NodePort - portName: http - internalPort: 8000 - nodePort: 20 + internalPort: 9517 + ports: + - name: http + port: 8000 + internal_port: 9517 + nodePort: 20 ingress: enabled: false service: - - baseaddr: "aaisparkybe" + - baseaddr: "aai-sparkybe-api" name: "aai-sparky-be" port: 8000 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "0.5" + memory: "4Gi" requests: - cpu: 0.25 - memory: 1Gi + cpu: "0.25" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "1" + memory: "8Gi" requests: - cpu: 0.5 - memory: 2Gi + cpu: "0.5" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml index 13cda281f4..8c77848368 100644 --- a/kubernetes/aai/components/aai-traversal/Chart.yaml +++ b/kubernetes/aai/components/aai-traversal/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,21 +17,15 @@ apiVersion: v2 description: ONAP AAI traversal name: aai-traversal -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv deleted file mode 100644 index 60a8fb5f0b..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv +++ /dev/null 
@@ -1,33 +0,0 @@ -# AAI -> aai@aai.onap.org -Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ModelLoader -> aai@aai.onap.org -Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# AaiUI -> aai@aai.onap.org, -Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# MSO -> so@so.onap.org -Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 - -# SDNC -> sdnc@sdnc.onap.org -Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# DCAE -> dcae@dcae.onap.org -Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# POLICY -> policy@policy.onap.org -Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ASDC -> sdc@sdc.onap.org -Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# VID -> vid@vid.onap.org -Basic VklEOlZJRA==,Basic dmlkQHZpZC5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# APPC -> appc@appc.onap.org -Basic QVBQQzpBUFBD,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# OOF -> oof@oof.onap.org -Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03 - diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties deleted file mode 100644 index 2b19da9f6f..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties +++ /dev/null @@ -1,8 +0,0 @@ - -cadi_loglevel=INFO -cadi_prop_files=/opt/app/aai-traversal/resources/aaf/org.osaaf.location.props:/opt/app/aai-traversal/resources/aaf/org.onap.aai.props - -# OAuth2 -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - 
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props deleted file mode 100644 index b46defa6b7..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props +++ /dev/null @@ -1,16 +0,0 @@ -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -# Modifications Copyright (c) 2020 Orange -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -#cadi_key_password=enc:9xs_lJ9QQRDoMcHqLbGg40-gefGrw-sLMjWL40ejbyqdC7Jt_pQfY6ajBLGcbLuL -cadi_alias=aai@aai.onap.org -cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD} -cadi_loglevel=INFO -cadi_bath_convert=/opt/app/aai-traversal/resources/aaf/bath_config.csv diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props deleted file mode 100644 index b9ec6b4641..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props +++ /dev/null 
@@ -1,23 +0,0 @@ -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? -cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - - diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties deleted file mode 100644 index d4956f577c..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties +++ /dev/null @@ -1,2 +0,0 @@ -permission.type=org.onap.aai.traversal -permission.instance=* \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties index b8a2b5fe03..559166ba8e 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2017 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,16 +28,9 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten - -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{else}} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} {{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true @@ -44,13 +38,6 @@ aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} - aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED aai.notificationEvent.default.eventType={{ .Values.global.config.notification.eventType }} diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application.properties b/kubernetes/aai/components/aai-traversal/resources/config/application.properties index 24a5241fe2..276dbfe6d7 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/application.properties 
+++ b/kubernetes/aai/components/aai-traversal/resources/config/application.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright � 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,7 +29,7 @@ spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} +spring.profiles.active={{ .Values.global.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
@@ -43,23 +44,13 @@ server.local.startpath=aai-traversal/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8446 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} +dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:3904 +dmaap.ribbon.transportType=http # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
@@ -98,11 +89,20 @@ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions schema.service.custom.queries.endpoint=stored-queries -schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +schema.service.client=no-auth -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} -schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ end }} +#to expose the Prometheus scraping endpoint +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=info,health,prometheus +endpoints.enabled={{ .Values.endpoints.enabled }} +endpoints.info.enabled={{ .Values.endpoints.info.enabled }} +endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }} +endpoints.health.enabled={{ .Values.endpoints.health.enabled }} +management.metrics.web.server.auto-time-requests=false +management.metrics.distribution.percentiles-histogram[http.server.requests]=true +management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms, 60ms, 70ms, 80ms, 90ms, 100ms, 500ms, 1000ms, 5000ms, 7000ms +#Add common tag for grouping all aai related metrics +management.metrics.tags.group_id=aai +#It is not advisable to use labels to store dimensions with high cardinality. Enable this option only for debug purposes. For more information: https://github.com/micrometer-metrics/micrometer/issues/1584 +scrape.uri.metrics=false \ No newline at end of file 
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties index 836dc7b176..4835560665 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties @@ -90,7 +90,17 @@ log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} {{ end }} storage.lock.wait-time=300 -# Setting db-cache to false ensure the fastest propagation of changes across servers -cache.db-cache = false + +# https://docs.janusgraph.org/operations/cache/#database-level-caching +# Setting db-cache to false will ensure the fastest propagation of changes across servers +# Setting db-cache to true will ensure fastest response times +cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} +{{ if .Values.config.janusgraph.caching.enabled }} +# cache-time in milliseconds +cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} +cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} +cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} +{{ end }} + #load graphson file on startup load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml index b801a7ae5f..5e3a15c66a 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml 
@@ -19,20 +19,60 @@ limitations under the License. ============LICENSE_END========================================================= --> -*/}} - - +*/}} + + + + + + + + + + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} - + ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D + %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} + %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} + %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} + %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} + %i{X-AAI-SSL-Client-DN} %D - - -{{/* -*/}} +*/}} + - + + + + + + 
@@ -54,216 +60,259 @@ - - - - %clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:-%wEx} - - - - - - ${logDirectory}/rest/sane.log - - ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd} - - - %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - - - - - - 1000 - true - - - - ${logDirectory}/rest/metrics.log - - ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd} - - - ${metricPattern} - - - - - 1000 - true - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/debug.log - - ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd} - - - ${debugPattern} - - - - - 1000 - - true - - - ${logDirectory}/rest/error.log - - ${logDirectory}/rest/error.log.%d{yyyy-MM-dd} - - - WARN - - - ${errorPattern} - - - - - 1000 - - - - ${logDirectory}/rest/audit.log - - ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd} - - - - ${auditPattern} - - - - - 1000 - true - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/translog.log - - ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd} - - - - ${transLogPattern} + + + + timestamp + + + context + ServerIPAddress + EntryTimestamp + InvokeTimestamp + ErrorCode + ErrorDesc + + + exception + + ^sun\.reflect\..*\.invoke + ^net\.sf\.cglib\.proxy\.MethodProxy\.invoke + true + + + thread + + logger + 36 + + + + {"logType":"app"} + + - - 1000 - true - - + + + + ${logDirectory}/rest/sane.log + + ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n + + + + + ${queueSize} + true + + + + ${logDirectory}/rest/metrics.log + + ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + ${metricPattern} + + + + ${queueSize} + true + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/rest/debug.log + + ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + 
${debugPattern} + + + + ${queueSize} + + true + + + ${logDirectory}/rest/error.log + + ${logDirectory}/rest/error.log.%d{yyyy-MM-dd} + ${maxHistory} + ${totalSizeCap} + + + WARN + + + ${errorPattern} + + + + ${queueSize} + + + + ${logDirectory}/rest/audit.log + + ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + ${queueSize} + true + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/rest/translog.log + + ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + ${transLogPattern} + + + + ${queueSize} + true + + + + + WARN + + ${logDirectory}/dmaapAAIEventConsumer/error.log + + ${logDirectory}/dmaapAAIEventConsumer/error.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + ${errorPattern} + + + + + DEBUG + ACCEPT + DENY + + ${logDirectory}/dmaapAAIEventConsumer/debug.log + + ${logDirectory}/dmaapAAIEventConsumer/debug.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log + + ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + ${auditPattern} + + + + + INFO + ACCEPT + DENY + + ${logDirectory}/dmaapAAIEventConsumer/metrics.log + + ${logDirectory}/dmaapAAIEventConsumer/metrics.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + ${metricPattern} + + + + + WARN + + ${logDirectory}/external/external.log + + ${logDirectory}/external/external.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + ${debugPattern} + + + + + DEBUG + + ${logDirectory}/auth/auth.log + + ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} + + ${maxHistory} + ${totalSizeCap} + + + %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n + + + + ${queueSize} + true + + + + - - - WARN - - ${logDirectory}/dmaapAAIEventConsumer/error.log - - 
${logDirectory}/dmaapAAIEventConsumer/error.log.%d{yyyy-MM-dd} - - - - ${errorPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/debug.log - - ${logDirectory}/dmaapAAIEventConsumer/debug.log.%d{yyyy-MM-dd} - - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log.%d{yyyy-MM-dd} - - - - ${auditPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log.%d{yyyy-MM-dd} - - - - ${metricPattern} - - - - - WARN - - ${logDirectory}/external/external.log - - ${logDirectory}/external/external.log.%d{yyyy-MM-dd} - - - - ${debugPattern} - - - - - DEBUG - - ${logDirectory}/auth/auth.log - - ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} - - - - %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n - - - - 1000 - true - - - @@ -284,45 +333,103 @@ - - + + + + + + + - + + + + + - - + + + + + + + + - - + + + + + + + + - - + + + + + + + + - - + + + + + + + + - - + + + + + + + + + - + + + + + - - + + + + + + + - + + + + + + - + + + + + \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/resources/config/realm.properties b/kubernetes/aai/components/aai-traversal/resources/config/realm.properties index 9fbd122492..f254d03631 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/realm.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/realm.properties @@ -21,8 +21,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin 
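Review bot: The entries left in realm.properties after the VID and APPC removal are still fixed credentials that all carry the `admin` role, and the `OBF:` form is Jetty's reversible obfuscation, not a hash. configmap.yaml in this same change renders the file through `.AsConfig` into a ConfigMap; consider rendering it into a Secret and letting deployments override the values, or document here why shipping these defaults is acceptable.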
@@ -32,8 +30,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index 8f1bd2ddc8..e3d7299c3a 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,19 +35,3 @@ data: {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-aaf-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index ed8cde7a88..6627a801b3 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml @@ -3,6 +3,7 @@ # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia, Orange # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,6 +25,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} @@ -43,6 +50,12 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.name" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} @@ -98,7 +111,7 @@ spec: spec: hostname: aai-traversal terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - /app/ready.py args: @@ -110,13 +123,9 @@ spec: - --job-name - {{ include "common.release" . }}-aai-graphadmin-create-db-schema {{- else }} - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name + - --service-name + - {{ .Values.global.cassandra.serviceName }} + - --service-name - aai-schema-service {{- end }} {{- end }} 
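Review bot: The readiness args now pass `{{ .Values.global.cassandra.serviceName }}` directly after `--service-name` with no guard for an unset value, so a parent chart that does not supply it starts the init container with an empty service name. Wrapping the value in `required` (or giving it a `default`) would fail at render time instead. The `localCluster` switch is no longer read by this template, so please confirm no values file still relies on it.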
@@ -129,6 +138,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -138,13 +154,23 @@ spec: args: - -c - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) echo "*** actual launch of AAI Resources" /bin/bash /opt/app/aai-traversal/docker-entrypoint.sh env: - - name: TRUSTORE_ALL_PASSWORD - value: {{ .Values.certInitializer.truststorePassword }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if .Values.config.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.config.profiling.args }}' + {{- end }} + {{- if .Values.config.debug.enabled }} + - name: POST_JVM_ARGS + value: {{ .Values.config.debug.args | quote }} + {{- end }} - name: DISABLE_UPDATE_QUERY value: {{ .Values.config.disableUpdateQuery | quote }} - name: LOCAL_USER_ID @@ -155,10 +181,9 @@ spec: value: {{ .Values.service.internalPort | quote }} - name: INTERNAL_PORT_2 value: {{ .Values.service.internalPort2 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: INTERNAL_PORT_3 + value: {{ .Values.service.internalPort3 | quote }} + volumeMounts: - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties 
@@ -181,21 +206,6 @@ spec: - mountPath: /opt/app/aai-traversal/resources/etc/auth/realm.properties name: {{ include "common.fullname" . }}-config subPath: realm.properties - - mountPath: /opt/app/aai-traversal/resources/aaf/bath_config.csv - name: {{ include "common.fullname" . }}-aaf-certs - subPath: bath_config.csv - - mountPath: /opt/app/aai-traversal/resources/aaf/org.onap.aai.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.onap.aai.props - - mountPath: /opt/app/aai-traversal/resources/aaf/org.osaaf.location.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.osaaf.location.props - - mountPath: /opt/app/aai-traversal/resources/aaf/permissions.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: permissions.properties - - mountPath: /opt/app/aai-traversal/resources/cadi.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: cadi.properties - mountPath: /opt/app/aai-traversal/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties @@ -204,7 +214,19 @@ spec: subPath: application-keycloak.properties ports: - containerPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} + + {{- if .Values.config.debug.enabled }} - containerPort: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.portName2 }} + {{- end }} + - containerPort: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} + {{- if .Values.config.profiling.enabled }} + - containerPort: {{ .Values.service.internalPort4 }} + name: {{ .Values.service.portName4 }} + {{- end }} + lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. 
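Review bot: The `internalPort4`/`portName4` container port under `config.profiling.enabled` has no matching keys in the values.yaml service block of this change, which adds only `portName3` and `internalPort3`, so enabling profiling would render an empty `containerPort`. Define both in values.yaml (the profiling args use port 9999). Separately, the `internalPort2` container port is now emitted only when `config.debug.enabled` is set, while service.yaml still publishes `portName2` with a named `targetPort` unconditionally; with debug off that Service port has no container port behind it, so gate it the same way.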
@@ -221,18 +243,35 @@ spec: # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} livenessProbe: - tcpSocket: + httpGet: + path: /aai/util/echo?action=checkDB port: {{ .Values.service.internalPort }} + scheme: HTTP + httpHeaders: + - name: X-FromAppId + value: LivenessCheck + - name: X-TransactionId + value: LiveCheck_TID + - name: Accept + value: application/json initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: - tcpSocket: + httpGet: + path: /aai/util/echo?action=checkDB port: {{ .Values.service.internalPort }} + scheme: HTTP + httpHeaders: + - name: X-FromAppId + value: ReadinessCheck + - name: X-TransactionId + value: ReadinessCheck_TID + - name: Accept + value: application/json initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -245,10 +284,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: logs emptyDir: {} - name: {{ include "common.fullname" . }}-logs-misc 
@@ -257,15 +293,5 @@ spec: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-aaf-properties - configMap: - name: {{ include "common.fullname" . }}-aaf-props - - name: {{ include "common.fullname" . }}-aaf-certs - secret: - secretName: {{ include "common.fullname" . }}-aaf - - name: aai-common-aai-auth-mount - secret: - secretName: aai-common-aai-auth restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index ddd325d7a0..88fbe4788a 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml @@ -2,6 +2,7 @@ # Copyright (c) 2017-2018 AT&T # Modifications Copyright (c) 2018 Amdocs, Bell Canada # Modifications Copyright (c) 2020 Nokia, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -46,12 +47,8 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - aai - {{ if eq .Values.global.aafEnabled true }} - - --container-name - - aaf-locate - {{ end }} env: - name: NAMESPACE valueFrom: @@ -61,6 +58,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -71,25 +75,17 @@ spec: - | set -x if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi - {{- if (include "common.needTLS" .) }} - until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done; - bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh - {{- else }} until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done; bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - {{- end }} + env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.global.config.groupId | quote }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties @@ -114,10 +110,8 @@ spec: subPath: application.properties # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logs-misc @@ -127,6 +121,5 @@ spec: configMap: name: {{ include "common.fullname" . }} restartPolicy: OnFailure - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} 
diff --git a/kubernetes/aai/components/aai-traversal/templates/secret.yaml b/kubernetes/aai/components/aai-traversal/templates/secret.yaml deleted file mode 100644 index 8e022fe6b0..0000000000 --- a/kubernetes/aai/components/aai-traversal/templates/secret.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index b54b6be644..2fac1e5a42 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml 
@@ -21,6 +21,7 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} @@ -30,16 +31,29 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} + - port: {{ .Values.service.internalPort3 }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} + name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.portName }} + targetPort: {{ .Values.service.portName }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} + targetPort: {{ .Values.service.portName2 }} + - port: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.portName3 }} + targetPort: {{ .Values.service.portName3 }} {{- end }} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + clusterIP: None + sessionAffinity: {{ .Values.service.sessionAffinity }} 
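Review bot: `clusterIP: None` is added unconditionally at the end of the spec while the `{{if eq .Values.service.type "NodePort" -}}` branch above still emits `nodePort` entries; Kubernetes rejects a headless Service of type NodePort, so if the Service is rendered with that type it can no longer be applied. Either drop the NodePort branch or set `clusterIP: None` only in the else case.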
diff --git a/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml new file mode 100644 index 0000000000..c0d9f212b4 --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml @@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index 339e3b428c..aca1ec7731 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -1,6 +1,7 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright (c) 2020 Nokia # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,6 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 - aafEnabled: true cassandra: #Service Name of the cassandra cluster to connect to. @@ -59,7 +59,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap #,aaf-auth ,keycloak + active: production,dmaap # Notification event specific properties notification: @@ -70,7 +70,7 @@ global: # global defaults schema: # Specifies if the connection should be one way ssl, two way ssl or no auth service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service 
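Review bot: Changing `schema.service.client` to `no-auth` in values.yaml has no effect in the files shown here, because application.properties in this change sets `schema.service.client=no-auth` literally instead of reading `.Values.global.config.schema.service.client`. Remove the key together with its "one way ssl, two way ssl or no auth" comment, or keep the template reference so the setting stays configurable.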
@@ -84,11 +84,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v26 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
@@ -106,41 +106,8 @@ global: # global defaults realtime: clients: SDNC,MSO,SO,robot-ete -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-traversal-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-traversal - fqi: aai-traversal@aai-traversal.onap.org - public_fqdn: aai-traversal.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-traversal - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - # application image -image: onap/aai-traversal:1.9.5 +image: onap/aai-traversal:1.12.3 pullPolicy: Always restartPolicy: Always flavor: small @@ -175,7 +142,6 @@ aai_enpoints: # application configuration config: - # configure keycloak according to your environment. # don't forget to add keycloak in active profiles above (global.config.profiles) keycloak: 
@@ -189,6 +155,18 @@ config: # the data-owner property with the given role to the user in keycloak multiTenancy: enabled: true + janusgraph: + caching: + # enable when running read-heavy workloads + # modifications to graph done by this service/janusgraph instance will immediately invalidate the cache + # modifications to graph done by other services (resources) will only be visible + # after time specified in db-cache-time + enabled: false + # Documentation: https://docs.janusgraph.org/operations/cache/#database-level-caching + dbCacheTime: 180000 # in milliseconds + dbCacheSize: 0.1 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running + dbCacheCleanWait: 20 # in milliseconds + # Specifies timeout information such as application specific and limits timeout: @@ -199,6 +177,29 @@ config: # Specifies how long should it wait before timing out the REST request limit: 180000 + # environment variables added to the launch of the image in deployment + env: + MIN_HEAP_SIZE: "512m" + MAX_HEAP_SIZE: "1024m" + MAX_METASPACE_SIZE: "512m" + + # adds jvm args for remote debugging the application + debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + + # adds jvm args for remote profiling the application + profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + # Disables the updateQueryData script to run as part of traversal disableUpdateQuery: true 
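Review bot: The `profiling.args` defaults turn off both JMX protections (`jmxremote.ssl=false`, `jmxremote.authenticate=false`) and set `jmxremote.local.only=false`, and `debug.args` opens a JDWP listener on 5005; both blocks are disabled by default, but a single flag makes them live. Please add a comment that these are meant for port-forwarded, non-production use only (the `java.rmi.server.hostname=127.0.0.1` setting suggests that intent), and consider keeping JMX authentication on with the password file supplied from a Secret.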
@@ -253,30 +254,111 @@ service: internalPort: 8446 portName2: tcp-5005 internalPort2: 5005 + portName3: http-traversal + internalPort3: 8448 terminationGracePeriodSeconds: 120 + sessionAffinity: None ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-read + - serviceAccount: consul-read + +# To make logback capping values configurable +logback: + logToFileEnabled: false + maxHistory: 7 + totalSizeCap: 6GB + queueSize: 1000 + +accessLogback: + livenessAccessLogEnabled: false # false: do not log kubernetes liveness probes + logToFileEnabled: false + maxHistory: 7 + totalSizeCap: 6GB + # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} +endpoints: + enabled: true + health: + enabled: true + info: + enabled: true + +metrics: + serviceMonitor: + enabled: false + targetPort: 8448 + path: /actuator/prometheus + basicAuth: + enabled: false + externalSecretName: mysecretname + externalSecretUserKey: login + externalSecretPasswordKey: password + + ## Namespace in which Prometheus is running + ## + # namespace: monitoring + + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + #interval: 30s + + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + # scrapeTimeout: 10s + + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + selector: + app: '{{ include "common.name" . 
}}' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . }}' + heritage: '{{ .Release.Service }}' + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + metricRelabelings: [] + # - sourceLabels: + # - "__name__" + # targetLabel: "__name__" + # action: replace + # regex: '(.*)' + # replacement: 'example_prefix_$1' + #Pods Service Account serviceAccount: nameOverride: aai-traversal diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg index 6e7acef17f..307260e766 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,8 +18,10 @@ global log /dev/log local0 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin stats timeout 30s - user root - group root + # it is required else pod will not come up + maxconn 50000 + user haproxy + group haproxy daemon ################################# # Default SSL material locations# 
@@ -38,7 +41,8 @@ defaults mode http option httplog option ssl-hello-chk - option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== + option httpchk + http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ==' default-server init-addr none # option dontlognull # errorfile 400 /etc/haproxy/errors/400.http @@ -59,6 +63,12 @@ defaults timeout server 480000 timeout http-keep-alive 30000 +frontend stats + bind *:8448 + http-request use-service prometheus-exporter if { path /metrics } + stats enable + stats uri /stats + stats refresh 10s frontend IST_8443 mode http @@ -73,6 +83,10 @@ frontend IST_8443 capture response header Host len 100 option log-separate-errors option forwardfor + + http-request set-header X-Forwarded-Proto https + http-request add-header X-Forwarded-Port 8443 + http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } http-request set-header X-AAI-SSL %[ssl_fc] @@ -97,9 +111,6 @@ frontend IST_8443 {{- end }} {{- end }} - reqadd X-Forwarded-Proto:\ https - reqadd X-Forwarded-Port:\ 8443 - ####################### #ACLS FOR PORT 8446#### ####################### 
@@ -107,9 +118,10 @@ frontend IST_8443 acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$ acl is_named-query path_beg -i /aai/search/named-query acl is_search-model path_beg -i /aai/search/model - use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl default_backend IST_Default_8447 @@ -120,9 +132,11 @@ frontend IST_8443 backend IST_Default_8447 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none + server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none ####################### 
@@ -131,9 +145,11 @@ backend IST_Default_8447 backend IST_AAI_8446 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none + server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none listen IST_AAI_STATS mode http diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg index 1accff9935..a953a508bf 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +18,10 @@ global log /dev/log local0 stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin stats timeout 30s + # it is required else pod will not come up + maxconn 50000 + user haproxy + group haproxy daemon ################################# # Default SSL material locations# 
@@ -35,10 +40,8 @@ defaults log global mode http option httplog -{{- if ( include "common.needTLS" .) }} - option ssl-hello-chk -{{- end }} - option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ== + option httpchk + http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ==' default-server init-addr none # option dontlognull # errorfile 400 /etc/haproxy/errors/400.http @@ -59,6 +62,12 @@ defaults timeout server 480000 timeout http-keep-alive 30000 +frontend stats + bind *:8448 + http-request use-service prometheus-exporter if { path /metrics } + stats enable + stats uri /stats + stats refresh 10s frontend IST_8080 mode http @@ -73,8 +82,8 @@ frontend IST_8080 option log-separate-errors option forwardfor http-request set-header X-Forwarded-Proto http - reqadd X-Forwarded-Proto:\ http - reqadd X-Forwarded-Port:\ 8080 + http-request set-header X-Forwarded-Proto http + http-request add-header X-Forwarded-Port 8080 ####################### #ACLS FOR PORT 8446#### 
@@ -90,48 +99,6 @@ frontend IST_8080 default_backend IST_Default_8447 -{{- if ( include "common.needTLS" .) }} -frontend IST_8443 - mode http - bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem -# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" - option httplog - log global - option logasap - option forwardfor - capture request header Host len 100 - capture response header Host len 100 - option log-separate-errors - option forwardfor - http-request set-header X-Forwarded-Proto https if { ssl_fc } - http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } - http-request set-header X-AAI-SSL %[ssl_fc] - http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] - http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] - http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] - http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] - http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] - http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] - http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] - http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] - http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] - http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] - http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] - http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] -####################################### -## Request blocking configuration ### -####################################### - {{- if eq $.Values.haproxy.requestBlocking.enabled true }} - {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }} - {{ 
$custom_config }} - {{- end }} - {{- end }} - - reqadd X-Forwarded-Proto:\ https - reqadd X-Forwarded-Port:\ 8443 -{{- end }} - ####################### #ACLS FOR PORT 8446#### ####################### @@ -152,13 +119,11 @@ frontend IST_8443 backend IST_Default_8447 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; -{{- if ( include "common.needTLS" .) }} - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none -{{- else }} - server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 -{{- end }} + server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 ####################### # BACKEND 8446######### 
@@ -166,10 +131,8 @@ backend IST_Default_8447 backend IST_AAI_8446 balance roundrobin + stick-table type string len 100 size 200k expire 2m + stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; -{{- if ( include "common.needTLS" .) }} - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none -{{- else }} - server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 -{{- end }} + server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..fa59f52f35 --- /dev/null +++ b/kubernetes/aai/templates/authorizationpolicy.yaml 
@@ -0,0 +1,100 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $authorizedPrincipalsMetrics := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsMetrics -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} + +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . 
}} + action: ALLOW + rules: +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "metrics-authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }}-metrics + action: ALLOW + rules: +{{- if $authorizedPrincipalsMetrics }} +{{- range $principal := $authorizedPrincipalsMetrics }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index 80fcebbef7..d64410ceea 100644 
--- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright (c) 2020 Nokia, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,6 +23,12 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} 
@@ -30,24 +37,38 @@ spec: matchLabels: app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} + {{- end }} template: metadata: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + {{- if .Chart.AppVersion }} + version: "{{ .Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ .Chart.Version | replace "+" "_" }}" + {{- end }} name: {{ include "common.release" . }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} + initContainers: - command: - /app/ready.py args: - - --container-name + - --service-name - aai-resources - - --container-name + - --service-name - aai-traversal - - --container-name + - --service-name - aai-graphadmin env: - name: NAMESPACE 
@@ -58,16 +79,18 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + requests: + memory: {{ .Values.haproxy.initContainers.resources.memory }} + cpu: {{ .Values.haproxy.initContainers.resources.cpu }} + limits: + memory: {{ .Values.haproxy.initContainers.resources.memory }} + cpu: {{ .Values.haproxy.initContainers.resources.cpu }} containers: - name: {{ include "common.name" . }} image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /dev/log - name: aai-service-log - mountPath: /usr/local/etc/haproxy/haproxy.cfg {{ if .Values.global.installSidecarSecurity }} subPath: haproxy-pluggable-security.cfg 
@@ -75,25 +98,25 @@ spec: subPath: haproxy.cfg {{ end }} name: haproxy-cfg - {{- include "common.certInitializer.volumeMount" . | nindent 8 }} ports: - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPlainPort }} + name: {{ .Values.service.portName }} + - containerPort: {{ .Values.metricsService.internalPort }} + name: {{ .Values.metricsService.portName }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: httpGet: path: /aai/util/echo - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - #scheme: HTTPS - scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }} + port: {{ .Values.service.internalPort }} + scheme: HTTP httpHeaders: - name: X-FromAppId value: OOM_ReadinessCheck @@ -107,8 +130,7 @@ spec: value: application/json initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
@@ -119,15 +141,7 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aai-service-log - hostPath: - path: "/dev/log" - name: haproxy-cfg configMap: name: aai-deployment-configmap - {{ include "common.certInitializer.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml index 750e1babc3..ecbab26439 100644 --- a/kubernetes/aai/templates/service.yaml +++ b/kubernetes/aai/templates/service.yaml 
@@ -21,17 +21,62 @@ metadata: namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: ports: - - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort .Values.service.externalPlainPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + - name: {{ .Values.service.portName }} + port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} {{- if eq .Values.service.type "NodePort" }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + {{ end }} {{- end }} - type: {{ .Values.service.type }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }} selector: app: {{ include "common.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }}-internal + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + app.kubernetes.io/name: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + ports: + - name: {{ .Values.service.portName }} + port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + type: ClusterIP + selector: + app: {{ include "common.name" . }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . 
}}-metrics + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-metrics + app.kubernetes.io/name: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + ports: + - port: {{ .Values.metricsService.externalPort }} + targetPort: {{ .Values.metricsService.internalPort }} + name: {{ .Values.metricsService.portName }} + type: {{ .Values.metricsService.type }} + selector: + app: {{ include "common.name" . }} + clusterIP: None \ No newline at end of file diff --git a/kubernetes/aai/templates/servicemonitor.yaml b/kubernetes/aai/templates/servicemonitor.yaml new file mode 100644 index 0000000000..c0d9f212b4 --- /dev/null +++ b/kubernetes/aai/templates/servicemonitor.yaml @@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index ebbf8b688c..523cd8cc38 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml @@ -2,6 +2,7 @@ # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia, Orange # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,30 +25,42 @@ global: # global defaults dockerhubRepository: docker.io busyboxImage: busybox - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 restartPolicy: Always - aafEnabled: true - msbEnabled: true - centralizedLoggingEnabled: true + msbEnabled: false + centralizedLoggingEnabled: false cassandra: #This will instantiate AAI cassandra cluster, default:shared cassandra. localCluster: false + # in case of a local cassandra cluster + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + #Service Name of the cassandra cluster to connect to. #Override it to aai-cassandra if localCluster is enabled. - serviceName: cassandra + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case of local k8ssandra-operator instance it is + #serviceName: aai-cassandra-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra #This should be same as shared cassandra instance or if localCluster is enabled #then it should be same as aai-cassandra replicaCount replicas: 3 - #Cassanara login details + #Cassandra login details username: cassandra password: cassandra @@ -61,10 +74,6 @@ global: # global defaults serviceName: aai-resources sparkyBe: serviceName: aai-sparky-be - dataRouter: - serviceName: aai-data-router - gizmo: - serviceName: aai-gizmo modelloader: serviceName: aai-modelloader searchData: @@ -73,8 +82,6 @@ global: # global defaults serviceName: aai-traversal graphadmin: serviceName: aai-graphadmin - spike: - serviceName: aai-spike initContainers: enabled: true 
@@ -217,7 +224,7 @@ global: # global defaults # Specifies if the connection should be one way ssl, two way ssl or no auth # will be set to no-auth if tls is disabled service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service @@ -231,11 +238,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v26 + default: v28 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28 # Specifies from which version related link should appear related: link: v11 
@@ -292,43 +299,9 @@ aai-sparky-be: aai-traversal: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "aai" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.aai" - fqi: "aai@aai.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ - -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ - -alias ca_local_0 \ - -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** generating needed file" - cat {{ .Values.credsPath }}/certs/cert.pem \ - {{ .Values.credsPath }}/certs/cacert.pem \ - {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - > {{ .Values.credsPath }}/certs/fullchain.pem; - chown 1001 {{ .Values.credsPath }}/certs/* - # application image dockerhubRepository: registry.hub.docker.com -image: aaionap/haproxy:1.4.2 +image: onap/aai-haproxy:1.11.0 pullPolicy: Always flavor: small 
@@ -345,15 +318,27 @@ config: # default number of instances replicaCount: 1 +updateStrategy: + type: RollingUpdate + maxUnavailable: 0 + maxSurge: 1 + nodeSelector: {} affinity: {} # HAProxy configuration to block HTTP requests to AAI based on configurable URL patterns haproxy: + initContainers: + resources: + cpu: "50m" + memory: "500Mi" requestBlocking: enabled: false customConfigs: [] + replicas: + aaiResources: 1 + aaiTraversal: 1 # probe configuration parameters liveness: @@ -378,6 +363,9 @@ cassandra: persistence: mountSubPath: aai/cassandra enabled: true + k8ssandraOperator: + config: + clusterName: aai-cassandra readiness: initialDelaySeconds: 10 
@@ -386,37 +374,87 @@ readiness: service: type: NodePort portName: http - externalPort: 8443 - internalPort: 8443 + externalPort: 80 + internalPort: 8080 nodePort: 33 - externalPlainPort: 80 - internalPlainPort: 8080 - nodeport: 33 + sessionAffinity: None + +metricsService: + type: ClusterIP + portName: http-pro + externalPort: 8448 + internalPort: 8448 + +metrics: + serviceMonitor: + enabled: false + targetPort: 8448 + path: /metrics + basicAuth: + enabled: false + + selector: + app: '{{ include "common.name" . }}-metrics' + chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + release: '{{ include "common.release" . }}' + heritage: '{{ .Release.Service }}' + + relabelings: [] + + metricRelabelings: [] ingress: enabled: false service: - - baseaddr: "aai.api" + - baseaddr: "aai-api" name: "aai" - port: 8443 + port: 80 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipalsMetrics: [] + authorizedPrincipals: + - serviceAccount: aai-graphadmin-read + - serviceAccount: aai-modelloader-read + - serviceAccount: aai-resources-read + - serviceAccount: aai-schema-service-read + - serviceAccount: aai-traversal-read + - serviceAccount: cds-blueprints-processor-read + - serviceAccount: consul-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-tcagen2 + - serviceAccount: nbi-read + - serviceAccount: sdnc-read + - serviceAccount: so-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-cnf-adapter-read + - serviceAccount: so-nssmf-adapter-read + - serviceAccount: so-etsi-nfvo-ns-lcm-read + - serviceAccount: so-etsi-sol003-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-ve-vnfm-adapter + - serviceAccount: istio-ingress + namespace: istio-ingress + resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1.2Gi" large: 
limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2.4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/appc/.helmignore b/kubernetes/appc/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/appc/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/appc/Chart.yaml b/kubernetes/appc/Chart.yaml deleted file mode 100644 index d65bbfbcbc..0000000000 --- a/kubernetes/appc/Chart.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Application Controller -name: appc -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: mariadb-galera - version: ~11.x-0 - repository: '@local' - - name: dgbuilder - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: appc-ansible-server - version: ~11.x-0 - repository: 'file://components/appc-ansible-server' - condition: appc-ansible-server.enabled - - name: appc-cdt - version: ~11.x-0 - repository: 'file://components/appc-cdt' - condition: appc-cdt.enabled diff --git a/kubernetes/appc/Makefile b/kubernetes/appc/Makefile deleted file mode 100644 index 51d7de122c..0000000000 --- a/kubernetes/appc/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/appc/components/Makefile b/kubernetes/appc/components/Makefile deleted file mode 100644 index 1ea8433a9c..0000000000 --- a/kubernetes/appc/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := soHelpers -HELM_BIN := helm -HELM_CHARTS := soHelpers $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/appc/components/appc-ansible-server/.helmignore b/kubernetes/appc/components/appc-ansible-server/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/appc/components/appc-ansible-server/Chart.yaml b/kubernetes/appc/components/appc-ansible-server/Chart.yaml deleted file mode 100644 index 6daa29ca4f..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP APPC Ansible Server -name: appc-ansible-server -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/appc/components/appc-ansible-server/resources/config/RestServer_config b/kubernetes/appc/components/appc-ansible-server/resources/config/RestServer_config deleted file mode 100644 index 090aa557f5..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/resources/config/RestServer_config +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Host definition -ip: 0.0.0.0 -port: {{.Values.service.internalPort}} - -# Security (controls use of TLS encrypton and RestServer authentication) -tls: no -auth: no - -# TLS certificates (must be built on application host) -priv: provide_privated_key.pem -pub: provide_public_key.pem - -# Mysql -host: {{.Values.config.mariadbGaleraSVCName}} - -# Playbooks -from_files: yes -ansible_path: /opt/onap/ccsdk/Playbooks -ansible_inv: Ansible_inventory -ansible_temp: PlaybooksTemp -timeout_seconds: 60 - -# Blocking on GetResults -getresults_block: yes diff --git a/kubernetes/appc/components/appc-ansible-server/templates/configmap.yaml b/kubernetes/appc/components/appc-ansible-server/templates/configmap.yaml deleted file mode 100644 index 3bfe84c6e7..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/configmap.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/appc/components/appc-ansible-server/templates/pv.yaml b/kubernetes/appc/components/appc-ansible-server/templates/pv.yaml deleted file mode 100644 index b2acf37393..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i, $t := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-playbook-{{$i}} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - storageClassName: "{{ include "common.fullname" $global }}-data" - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/appc/components/appc-ansible-server/templates/service.yaml b/kubernetes/appc/components/appc-ansible-server/templates/service.yaml deleted file mode 100644 index e952357c4c..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/service.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file diff --git a/kubernetes/appc/components/appc-ansible-server/templates/statefulset.yaml b/kubernetes/appc/components/appc-ansible-server/templates/statefulset.yaml deleted file mode 100644 index 0e9e60ab5f..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/statefulset.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-chown - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ["sh", "-c", "chown -R {{ .Values.config.ansibleUid }}:{{ .Values.config.ansibleGid}} {{ .Values.persistence.playbookPath }}"] - volumeMounts: - - mountPath: {{ .Values.persistence.playbookPath }} - name: {{ include "common.fullname" . }}-playbook - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk && ./startAnsibleServer.sh"] - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: {{ .Values.config.configDir }}/RestServer_config - name: config - subPath: RestServer_config - - mountPath: {{ .Values.persistence.playbookPath }} - name: {{ include "common.fullname" . }}-playbook - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: config - configMap: - name: {{ include "common.fullname" . }} - defaultMode: 0644 -{{ if not .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-playbook - emptyDir: {} -{{ else }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-playbook - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . 
}} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{ end }} diff --git a/kubernetes/appc/components/appc-ansible-server/values.yaml b/kubernetes/appc/components/appc-ansible-server/values.yaml deleted file mode 100644 index 076cf6b5f2..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/values.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# -flavor: small - -# application image -image: onap/ccsdk-ansible-server-image:0.4.4 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - ansibleUid: 100 - ansibleGid: 101 - appcChartName: appc - mysqlServiceName: appc-db - configDir: /opt/onap/ccsdk - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 180 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 60 - periodSeconds: 10 - -service: - type: ClusterIP - name: appc-ansible-server - portName: appc-ansible-server - internalPort: 8000 - externalPort: 8000 - nfsprovisionerPrefix: appc - disableNfsProvisioner: true - -## Persist data to a persitent volume -persistence: - enabled: true - 
- ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: appc/ansible - playbookPath: /home/ansible - -ingress: - enabled: false - -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 0.5 - memory: 0.5Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - unlimited: {} diff --git a/kubernetes/appc/components/appc-cdt/.helmignore b/kubernetes/appc/components/appc-cdt/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/appc/components/appc-cdt/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/appc/components/appc-cdt/Chart.yaml b/kubernetes/appc/components/appc-cdt/Chart.yaml deleted file mode 100644 index faabb71acf..0000000000 --- a/kubernetes/appc/components/appc-cdt/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP APPC Self Service Controller Design Tool -name: appc-cdt -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh b/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh deleted file mode 100755 index b5fa5248fa..0000000000 --- a/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/sh - -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2018-2019 AT&T Intellectual Property. All rights reserved. -# Copyright (C) 2021 Orange Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### - -if [ -z "$CDT_PORT" ] -then - CDT_PORT="30232" -fi -echo "Setting CDT port to $CDT_PORT" -sed -i -e "s/30290/$CDT_PORT/" /opt/cdt/main.bundle.js - -CDT_HOME=/opt/cdt; export CDT_HOME -LOG_DIR=/opt/cdt/logs; export LOG_DIR -MaxLogSize=3000000; export MaxLogSize -PORT=18080; export PORT -if [ -z "$HTTPS_KEY_FILE" ] -then - HTTPS_KEY_FILE=/opt/cert/cdt-key.pem - export HTTPS_KEY_FILE -fi -if [ -z "$HTTPS_CERT_FILE" ] -then - HTTPS_CERT_FILE=/opt/cert/cdt-cert.pem - export HTTPS_CERT_FILE -fi -echo "*** cert file: ${HTTPS_CERT_FILE}" -echo "*** key file : ${HTTPS_KEY_FILE}" -node $CDT_HOME/app/ndserver.js \ No newline at end of file diff --git a/kubernetes/appc/components/appc-cdt/templates/NOTES.txt b/kubernetes/appc/components/appc-cdt/templates/NOTES.txt deleted file mode 100644 index 1a7dbc5d13..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.fullname" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/appc/components/appc-cdt/templates/configmap.yaml b/kubernetes/appc/components/appc-cdt/templates/configmap.yaml deleted file mode 100644 index fea0ec2f7a..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# Copyright © 2021 Orange. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-entrypoint - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/entrypoint/*").AsConfig . | indent 2 }} diff --git a/kubernetes/appc/components/appc-cdt/templates/deployment.yaml b/kubernetes/appc/components/appc-cdt/templates/deployment.yaml deleted file mode 100644 index fb15897ae1..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/deployment.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /opt/startCdt.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - # This sets the port that CDT will use to connect to the main appc container. - # The 11 is the node port suffix that is used in the main appc oom templates - # for nodePort3. This value will be configured in appc main chart in appc-cdt section. - - name: CDT_PORT - value: "{{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.nodePort3 }}" - - name: HTTPS_KEY_FILE - value: {{ .Values.certInitializer.credsPath }}/certs/key.pem - - name: HTTPS_CERT_FILE - value: {{ .Values.certInitializer.credsPath }}/certs/cert.pem - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/startCdt.sh - name: entrypoint - subPath: startCdt.sh - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: {{ include "common.certInitializer.volumes" . 
| nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: entrypoint - configMap: - name: {{ include "common.fullname" . }}-entrypoint - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/appc/components/appc-cdt/templates/ingress.yaml b/kubernetes/appc/components/appc-cdt/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/appc/components/appc-cdt/templates/service.yaml b/kubernetes/appc/components/appc-cdt/templates/service.yaml deleted file mode 100644 index 54e239ebc5..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml deleted file mode 100644 index 5765d3482d..0000000000 --- a/kubernetes/appc/components/appc-cdt/values.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - - -################################################################# -# AAF part -################################################################# - -# dependency / sub-chart configuration -certInitializer: - nameOverride: appc-cdt-cert-initializer - truststoreMountpath: /opt/onap/appc/data/stores - fqdn: "appc-cdt" - app_ns: "org.osaaf.aaf" - fqi: "appc-cdt@appc-cdt.onap.org" - fqi_namespace: org.onap.appc-cdt - public_fqdn: "appc-cdt.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! 
- cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key file" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/key.pem - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - -################################################################# -# Application configuration defaults. -################################################################# - -flavor: small - -# application image -image: onap/appc-cdt-image:1.7.2 -pullPolicy: Always - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: appc-cdt - externalPort: 18080 - internalPort: 18080 - nodePort: 89 - -ingress: - enabled: false - service: - - baseaddr: appccdt - name: "appc-cdt" - port: 18080 - config: - ssl: "redirect" - -# Configure resource requests and limits -# ref: http://kubernetes.io/docs/user-guide/compute-resources/ -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 0.5 - memory: 500Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - unlimited: {} 
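Review bot: The removed appc-cdt values.yaml carries a clear-text default credential under certInitializer (`aafDeployPass: demo123456!` for `deployer@people.osaaf.org`), and deleting the file removes it neither from git history nor from releases already installed with these defaults. Please confirm that no remaining chart inherits this default, and treat the password as known wherever appc-cdt was deployed. The same file exposes the service as a NodePort (`nodePortPrefix: 302`, `nodePort: 89`), so it is also worth checking that nothing left in the repo still references service `appc-cdt` or that port.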
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh deleted file mode 100755 index 424074aa8c..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/sh -x - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -waiting_bundles=$(/opt/opendaylight/current/bin/client bundle:list | grep Waiting | wc -l) -run_level=$(/opt/opendaylight/current/bin/client system:start-level) - - if [ "$run_level" = "Level 100" ] && [ "$waiting_bundles" -lt "1" ] - then - echo APPC is healthy. - else - echo APPC is not healthy. - exit 1 - fi - -exit 0 diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh deleted file mode 100755 index 830708bb39..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/bin/sh - -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} -APPC_HOME=${APPC_HOME:-/opt/onap/appc} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} - -APPC_DB_USER=${APPC_DB_USER} -APPC_DB_PASSWD=${APPC_DB_PASSWD} -APPC_DB_DATABASE={{.Values.config.appcdb.dbName}} -SDNC_DB_DATABASE={{.Values.config.sdncdb.dbName}} - - -# Create tablespace and user account -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -CREATE DATABASE ${APPC_DB_DATABASE}; -CREATE USER '${APPC_DB_USER}'@'localhost' IDENTIFIED BY '${APPC_DB_PASSWD}'; -CREATE USER '${APPC_DB_USER}'@'%' IDENTIFIED BY '${APPC_DB_PASSWD}'; -GRANT ALL PRIVILEGES ON ${APPC_DB_DATABASE}.* TO '${APPC_DB_USER}'@'localhost' WITH GRANT OPTION; -GRANT ALL PRIVILEGES ON ${APPC_DB_DATABASE}.* TO '${APPC_DB_USER}'@'%' WITH GRANT OPTION; -commit; -END - -if [ -f ${APPC_HOME}/data/appcctl.dump ] -then - mysql -h 
{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${APPC_DB_DATABASE} < ${APPC_HOME}/data/appcctl.dump -fi - -if [ -f ${APPC_HOME}/data/sdnctl.dump ] -then - mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${SDNC_DB_DATABASE} < ${APPC_HOME}/data/sdnctl.dump -fi - -if [ -f ${APPC_HOME}/data/sqlData.dump ] -then - mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${SDNC_DB_DATABASE} < ${APPC_HOME}/data/sqlData.dump -fi diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh deleted file mode 100755 index 789f1b38a1..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ /dev/null 
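Review bot: In installAppcDb.sh every mysql call passes the root password as an argument (`-u root -p${MYSQL_PASSWD}`), which exposes it in the container's process list, and the script grants `ALL PRIVILEGES ... WITH GRANT OPTION` to the application user for both 'localhost' and '%'. Deleting the script is fine, but this change does not remove the database and accounts it created. The commit message should state whether existing deployments need a cleanup step (dropping the APPC user and database) or that they are intentionally left in place.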
@@ -1,201 +0,0 @@ -#!/bin/sh -x - -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017-2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-### - -# -# This script takes care of installing the SDNC & APPC platform components -# if not already installed, and starts the APPC Docker Container -# -#set -x -*/}} - -enable_odl_cluster () { - if [ -z $APPC_REPLICAS ]; then - echo "APPC_REPLICAS is not configured in Env field" - exit - fi - - echo "Update cluster information statically" - hm=$(hostname) - echo "Get current Hostname ${hm}" - - node=($(echo ${hm} | sed 's/-[0-9]*$//g')) - node_index=($(echo ${hm} | awk -F"-" '{print $NF}')) - node_list="${node}-0.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}"; - - for i in $(seq 1 $((${APPC_REPLICAS}-1))); - do - node_list="${node_list} ${node}-$i.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}" - done - - /opt/opendaylight/current/bin/configure_cluster.sh $((node_index+1)) ${node_list} -} - -ODL_HOME=${ODL_HOME:-/opt/opendaylight/current} -SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} -APPC_HOME=${APPC_HOME:-/opt/onap/appc} -SLEEP_TIME=${SLEEP_TIME:-120} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} -ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false} -ENABLE_AAF=${ENABLE_AAF:-true} -DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim} - -# -# Wait for database to init properly -# -echo "Waiting for mariadbgalera" -until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1 -do - printf "." - sleep 1 -done -echo -echo "mariadbgalera ready" - -if [ ! -d ${DBINIT_DIR} ] -then - mkdir -p ${DBINIT_DIR} -fi - -if [ ! 
-f ${DBINIT_DIR}/.installed ] -then - sdnc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -show databases like 'sdnctl'; -END -) - if [ "${sdnc_db_exists}" = "" ] - then - echo "Installing SDNC database" - ${SDNC_HOME}/bin/installSdncDb.sh - - appc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -show databases like 'appcctl'; -END -) - if [ "${appc_db_exists}" = "" ] - then - echo "Installing APPC database" - ${APPC_HOME}/bin/installAppcDb.sh - fi - else - sleep 30 - fi - - echo "Installed at `date`" > ${DBINIT_DIR}/.installed -fi - - -if [ ! -f ${SDNC_HOME}/.installed ] -then - echo "Installing ODL Host Key" - ${SDNC_HOME}/bin/installOdlHostKey.sh - -# echo "Copying a working version of the logging configuration into the opendaylight etc folder" -# cp ${APPC_HOME}/data/org.ops4j.pax.logging.cfg ${ODL_HOME}/etc/org.ops4j.pax.logging.cfg - - - echo "Waiting ${SLEEP_TIME} seconds for OpenDaylight to initialize" - sleep ${SLEEP_TIME} - - - if [ -x ${SDNC_HOME}/svclogic/bin/install.sh ] - then - echo "Installing directed graphs" - ${SDNC_HOME}/svclogic/bin/install.sh - fi - - if [ -x ${APPC_HOME}/svclogic/bin/install-converted-dgs.sh ] - then - echo "Installing APPC JSON DGs converted to XML using dg-loader" - ${APPC_HOME}/svclogic/bin/install-converted-dgs.sh - fi - - if $ENABLE_ODL_CLUSTER - then - echo "Enabling Opendaylight cluster features" - enable_odl_cluster - fi - - echo "Copying the aaa shiro configuration into opendaylight" - mkdir -p ${ODL_HOME}/etc/opendaylight/datastore/initial/config - if $ENABLE_AAF - then - cp ${APPC_HOME}/data/properties/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml - fi - -fi - -# Move journal and snapshots directory to persistent storage - -hostdir=${ODL_HOME}/daexim/$(hostname -s) -if [ ! 
-d $hostdir ] -then - mkdir -p $hostdir - if [ -d ${ODL_HOME}/journal ] - then - mv ${ODL_HOME}/journal ${hostdir} - else - mkdir ${hostdir}/journal - fi - if [ -d ${ODL_HOME}/snapshots ] - then - mv ${ODL_HOME}/snapshots ${hostdir} - else - mkdir ${hostdir}/snapshots - fi -fi - -ln -s ${hostdir}/journal ${ODL_HOME}/journal -ln -s ${hostdir}/snapshots ${ODL_HOME}/snapshots - -echo "Starting cdt-proxy-service jar, logging to ${APPC_HOME}/cdt-proxy-service/jar.log" -java -jar ${APPC_HOME}/cdt-proxy-service/cdt-proxy-service.jar > ${APPC_HOME}/cdt-proxy-service/jar.log & - -echo "Starting dmaap-event-service jar, logging to ${APPC_HOME}/dmaap-event-service/jar.log" -java -jar -Dorg_onap_appc_bootstrap_path=/opt/onap/appc/data/properties -Dorg_onap_appc_bootstrap_file=appc.properties ${APPC_HOME}/dmaap-event-service/dmaap-event-service.jar > ${APPC_HOME}/dmaap-event-service/jar.log & - -echo "Adding a property system.properties for AAF cadi.properties location" -echo "" >> ${ODL_HOME}/etc/system.properties -echo "cadi_prop_files=${APPC_HOME}/data/properties/cadi.properties" >> ${ODL_HOME}/etc/system.properties -echo "" >> ${ODL_HOME}/etc/system.properties - -echo "Adding a value to property appc.asdc.env in appc.properties for appc-asdc-listener feature" -echo "" >> $APPC_HOME/data/properties/appc.properties -echo "appc.asdc.env=$DMAAP_TOPIC_ENV" >> $APPC_HOME/data/properties/appc.properties -echo "" >> $APPC_HOME/data/properties/appc.properties - -echo "Copying jetty, keystore for https into opendalight" -cp ${APPC_HOME}/data/jetty.xml ${ODL_HOME}/etc/jetty.xml -cp ${APPC_HOME}/data/keystore ${ODL_HOME}/etc/keystore -cp ${APPC_HOME}/data/custom.properties ${ODL_HOME}/etc/custom.properties - -echo "Copying a working version of the logging configuration into the opendaylight etc folder" -cp ${APPC_HOME}/data/org.ops4j.pax.logging.cfg ${ODL_HOME}/etc/org.ops4j.pax.logging.cfg - 
-ODL_BOOT_FEATURES_EXTRA="odl-netconf-connector,odl-restconf-noauth,odl-netconf-clustered-topology,odl-mdsal-clustering" -sed -i -e "\|featuresBoot[^a-zA-Z]|s|$|,${ODL_BOOT_FEATURES_EXTRA}|" $ODL_HOME/etc/org.apache.karaf.features.cfg - -exec ${APPC_HOME}/bin/dockerInstall.sh & -echo "Starting OpenDaylight" -exec ${ODL_HOME}/bin/karaf server diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml deleted file mode 100644 index de6e7e4742..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - -
- tokenAuthRealm - - org.onap.aaf.cadi.shiro.AAFRealm -
- - - -
- securityManager.realms - $tokenAuthRealm -
- - -
- authcBasic - org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter -
- - -
- accountingListener - org.opendaylight.aaa.shiro.filters.AuthenticationListener -
-
- securityManager.authenticator.authenticationListeners - $accountingListener -
- - -
- dynamicAuthorization - org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter -
- - - - - - - /auth/** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/config/aaa-cert-mdsal** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operational/aaa-cert-mdsal** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operations/aaa-cert-rpc** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/config/aaa-authn-model** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operational/aaa-authn-model** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operations/cluster-admin** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - -
- diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties deleted file mode 100644 index 24b10bcb89..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties +++ /dev/null 
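Review bot: startODL.sh runs under `#!/bin/sh -x` and repeatedly calls `mysql ... -u root -p${MYSQL_PASSWD}`, so the expanded root password is written to the shell trace on every container start; logs collected from earlier APPC pods should be treated as containing that secret. The script also appends `odl-restconf-noauth` to featuresBoot through ODL_BOOT_FEATURES_EXTRA, and copies aaa-app-config.xml only when ENABLE_AAF is true. With the chart removed, please check that no other component reuses this start-script pattern, and plan a rotation of the root password for the MariaDB Galera service it connected to.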
@@ -1,251 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### - -# -# Configuration file for A&AI Client -# - -# -# Certificate keystore and truststore -# -*/}} -org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/onap/appc/data/stores/truststoreONAPall.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=changeit -org.onap.ccsdk.sli.adaptors.aai.ssl.key=/opt/onap/appc/data/stores/truststoreONAPall.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.key.psswd=changeit - -org.onap.ccsdk.sli.adaptors.aai.client.name=appc@appc.onap.org -org.onap.ccsdk.sli.adaptors.aai.client.psswd=demo123456! 
- -org.onap.ccsdk.sli.adaptors.aai.application=openECOMP -connection.timeout=60000 -read.timeout=60000 - -# -# Configuration file for A&AI Client -# -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 - -# query -org.onap.ccsdk.sli.adaptors.aai.path.query=/aai/v14/search/sdn-zone-query -org.onap.ccsdk.sli.adaptors.aai.query.nodes=/aai/v14/search/nodes-query?search-node-type={node-type}&filter={entity-identifier}:EQUALS:{entity-name} -org.onap.ccsdk.sli.adaptors.aai.query.generic=/aai/v14/search/generic-query?key={identifier}:{value}&start-node-type={start-node-type}&include=complex&depth=3 - -# named query -org.onap.ccsdk.sli.adaptors.aai.query.named=/aai/search/named-query - - -#update -org.onap.ccsdk.sli.adaptors.aai.update=/aai/v14/actions/update - -# vce -org.onap.ccsdk.sli.adaptors.aai.path.vce =/aai/v14/network/vces/vce/ -org.onap.ccsdk.sli.adaptors.aai.path.vces=/aai/v14/network/vces/ - -# vpe -org.onap.ccsdk.sli.adaptors.aai.path.vpe =/aai/v14/network/vpes/vpe/ -org.onap.ccsdk.sli.adaptors.aai.path.vpes=/aai/v14/network/vpes/ - -# customer -org.onap.ccsdk.sli.adaptors.aai.path.customer=/aai/v14/business/customers/customer/{customer-id} - -# service subscription -org.onap.ccsdk.sli.adaptors.aai.path.service.subscription=/aai/v14/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type} - -# service instance -org.onap.ccsdk.sli.adaptors.aai.path.svcinst=/aai/v14/business/customers/customer/{customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances -org.onap.ccsdk.sli.adaptors.aai.path.svcinst.query=/aai/v14/search/generic-query?key=service-instance.service-instance-id:{svc-instance-id}&start-node-type=service-instance&include=service-instance 
-org.onap.ccsdk.sli.adaptors.aai.path.service.instance=/aai/v14/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances/service-instance/{service-instance-id} - -# complex -org.onap.ccsdk.sli.adaptors.aai.path.complexes=/aai/v14/cloud-infrastructure/complexes -org.onap.ccsdk.sli.adaptors.aai.path.complex=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id} - -# tenant -org.onap.ccsdk.sli.adaptors.aai.path.tenant=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id} -org.onap.ccsdk.sli.adaptors.aai.path.tenant.query=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant?tenant-name={tenant-name} - -# vservers -org.onap.ccsdk.sli.adaptors.aai.path.vservers=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/ -org.onap.ccsdk.sli.adaptors.aai.path.vserver=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id} - -# vpls-pe -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pes=/aai/v14/network/vpls-pes/ -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pe =/aai/v14/network/vpls-pes/vpls-pe/ - -# ctag-pool -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pools=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pool=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools/ctag-pool/{target-pe}/{availability-zone-name} - -# -#-------------- 1510 ---------------------- -# - -# pservers -org.onap.ccsdk.sli.adaptors.aai.path.pservers=/aai/v14/cloud-infrastructure/pservers -org.onap.ccsdk.sli.adaptors.aai.path.pserver=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname} - -# generic-vnf 
-org.onap.ccsdk.sli.adaptors.aai.path.generic.vnfs=/aai/v14/network/generic-vnfs -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id} - -# dvs-switch -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitches=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitch=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches/dvs-switch/{switch-name} - -# L3 Networks -org.onap.ccsdk.sli.adaptors.aai.path.l3networks=/aai/v14/network/l3-networks -org.onap.ccsdk.sli.adaptors.aai.path.l3network=/aai/v14/network/l3-networks/l3-network/{network-id} -org.onap.ccsdk.sli.adaptors.aai.path.l3network.query.name=/aai/v14/network/l3-networks/l3-network?network-name={network-name} - -# P-Interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{interface-name} - -# Physical Link -org.onap.ccsdk.sli.adaptors.aai.path.physical.links=/aai/v14/network/physical-links -org.onap.ccsdk.sli.adaptors.aai.path.physical.link=/aai/v14/network/physical-links/physical-link/{link-name} - -# VPN Bindings -org.onap.ccsdk.sli.adaptors.aai.path.vpn.bindings=/aai/v14/network/vpn-bindings/ -org.onap.ccsdk.sli.adaptors.aai.path.vpn.binding=/aai/v14/network/vpn-bindings/vpn-binding/{vpn-id} - -# VNF IMAGES -org.onap.ccsdk.sli.adaptors.aai.path.vnf.images=/aai/v14/service-design-and-creation/vnf-images -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image=/aai/v14/service-design-and-creation/vnf-images/vnf-image/{att-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image.query=/aai/v14/service-design-and-creation/vnf-images/vnf-image?application={application_model}&application-vendor={application_vendor} - -# UBB Notify 
-org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v14/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information - -# Service -org.onap.ccsdk.sli.adaptors.aai.path.service=/aai/v14/service-design-and-creation/services/service/{service-id} -org.onap.ccsdk.sli.adaptors.aai.path.services=/aai/v14/service-design-and-creation/services - - -# -#-------------- 1604 ---------------------- -# - -# VNFC -org.onap.ccsdk.sli.adaptors.aai.path.vnfc=/aai/v14/network/vnfcs/vnfc/{vnfc-name} - -# class-of-service -org.onap.ccsdk.sli.adaptors.aai.path.class.of.service=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id}/classes-of-service/class-of-service/{cos-id} - -# site-pair -org.onap.ccsdk.sli.adaptors.aai.path.site.pair=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id} - -# routing-instance -org.onap.ccsdk.sli.adaptors.aai.path.routing.instance=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id} - -# site-pair-set -org.onap.ccsdk.sli.adaptors.aai.path.site.pair.set=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id} - -# license key resource -org.onap.ccsdk.sli.adaptors.aai.path.license.acquire=/aai/v14/actions/assignment/license-management/assignment-group-uuid/{assignment-group-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.license=/aai/v14/license-management/license-key-resources/license-key-resource/{att-uuid} - -# logical-link 
-org.onap.ccsdk.sli.adaptors.aai.path.logical.link =/aai/v14/network/logical-links/logical-link/{link-name} - -# virtual-data-center -org.onap.ccsdk.sli.adaptors.aai.path.virtual.data.center=/aai/v14/cloud-infrastructure/virtual-data-centers/virtual-data-center/{vdc-id} - -# wan-connector -org.onap.ccsdk.sli.adaptors.aai.path.wan.connector=/aai/v14/business/connectors/connector/{resource-instance-id} - -# l-interface -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# l-interface pnf -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface.pnf=/aai/v14/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface.pnf=/aai/v14/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# subinterface -org.onap.ccsdk.sli.adaptors.aai.path.pnf.lag.interface.subinterface=/aai/v14/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.pnf.p.interface.l.interface=/aai/v14/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# vlans -org.onap.ccsdk.sli.adaptors.aai.path.vlan=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} 
-org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.vlan=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} - -# l3-interface-ipv4-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# l3-interface-ipv6-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# ipsec-configuration -org.onap.ccsdk.sli.adaptors.aai.path.ipsec.configuration=/aai/v14/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id} - -# vig server -org.onap.ccsdk.sli.adaptors.aai.path.vig.server=/aai/v14/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id}/vig-servers/vig-server/{vig-address-type} - -# l3-network -org.onap.ccsdk.sli.adaptors.aai.path.l3.network=/aai/v14/network/l3-networks/l3-network/{network-id} - -# subnet -org.onap.ccsdk.sli.adaptors.aai.path.subnet=/aai/v14/network/l3-networks/l3-network/{network-id}/subnets/subnet/{subnet-id} - -# multicast-configuration -org.onap.ccsdk.sli.adaptors.aai.path.multicast.configuration=/aai/v14/network/multicast-configurations/multicast-configuration/{multicast-configuration-id} - -# 
org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.vlan.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.vlan.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv6.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# volume.group -org.onap.ccsdk.sli.adaptors.aai.path.volume.group=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/volume-groups/volume-group/{volume-group-id} - -#cloud region -org.onap.ccsdk.sli.adaptors.aai.path.cloud.region=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id} - -# vf-module -org.onap.ccsdk.sli.adaptors.aai.path.vf.module=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/vf-modules/vf-module/{vf-module-id} - -# l-interface through generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.linterface=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name} - -# network-policy -org.onap.ccsdk.sli.adaptors.aai.path.network.policy=/aai/v14/network/network-policies/network-policy/{network-policy-id} - -# pnf -org.onap.ccsdk.sli.adaptors.aai.path.pnf=/aai/v14/network/pnfs/pnf/{pnf-name} - -# -# Formatting -# -org.onap.ccsdk.sli.adaptors.aai.param.format=filter=%s:%s -org.onap.ccsdk.sli.adaptors.aai.param.vnf_type=vnf-type 
-org.onap.ccsdk.sli.adaptors.aai.param.physical.location.id=physical-location-id -org.onap.ccsdk.sli.adaptors.aai.param.service.type=service-type diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties deleted file mode 100644 index 3b7f02d6f7..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties +++ /dev/null 
@@ -1,139 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-### -*/}} - -### ### -### Properties for demo ### -### ### -appc.demo.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.demo.topic.read=APPC-CL -appc.demo.topic.write=APPC-CL -appc.demo.client.name=appcDemoEventListener -appc.demo.threads.queuesize.min=1 -appc.demo.threads.queuesize.max=1000 -appc.demo.threads.poolsize.min=1 -appc.demo.threads.poolsize.max=2 -appc.demo.provider.user={{.Values.config.odlUser}} -appc.demo.provider.pass={{.Values.config.odlPassword}} -appc.demo.provider.url=http://localhost:8181/restconf/operations/appc-provider -appc.provider.vfodl.url=http://{{.Values.config.odlUser|urlquery}}:{{.Values.config.odlPassword|urlquery}}@localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/NODE_NAME/yang-ext:mount/stream-count:stream-count/streams/ - -# The properties right below are needed to properly call the Master DG to serve demo purposes -appc.service.logic.module.name=APPC -appc.topology.dg.method=topology-operation-all -appc.topology.dg.version=2.0.0 - -# TEMP - Properties that might be needed to make the AAI-APPC connection -org.onap.appc.db.url.appcctl=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}:3306/{{.Values.config.appcdb.dbName}} -org.onap.appc.db.user.appcctl=${APPC_DB_USER} -org.onap.appc.db.pass.appcctl=${APPC_DB_PASSWD} - -org.onap.appc.db.url.sdnctl=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.appc.db.user.sdnctl=${SDNC_DB_USER} -org.onap.appc.db.pass.sdnctl=${SDNC_DB_PASSWD} - - -### ### -### OpenStack credentials (these properties also are used in appc-rest-adapter-bundle, appc-chef-adapter-bundle, appc-iaas-adapter-bundle) ### -### ### -provider1.type={{.Values.config.openStackType}} -provider1.name={{.Values.config.openStackName}} -provider1.identity={{.Values.config.openStackKeyStoneUrl}} -provider1.tenant1.name={{.Values.config.openStackServiceTenantName}} 
-provider1.tenant1.domain={{.Values.config.openStackDomain}} -provider1.tenant1.userid={{.Values.config.openStackUserName}} -provider1.tenant1.password={{.Values.config.openStackEncryptedPassword}} - -### ### -### Properties that are not covered or being replaced from default.properties files. Default value for DMaaP IP is 10.0.11.1:3904 ### -### which is what the Master HEAT Template to instantiate OpenECOMP is pointing to (version R1). All other default values are ### -### left there since these are pre-defined as part of APP-C/OpenECOMP default instantiation with Master HEAT Template ### -### ### - - -# Property below is valid in appc-command-executor-core, appc-license-manager-core, appc-lifecycle-management-core, -# appc-request-handler-core, appc-workflow-management-core (all from the appc-dispatcher package). -dmaap.poolMembers=message-router.{{.Release.Namespace}}:3904 - - -# appc-event-listener-bundle properties (only defined in src/test of default.properties) -appc.LCM.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.LCM.topic.read=APPC-LCM-READ -appc.LCM.topic.write=APPC-LCM-WRITE -appc.LCM.client.name=APPC-EVENT-LISTENER-TEST -appc.LCM.provider.user={{.Values.config.odlUser}} -appc.LCM.provider.pass={{.Values.config.odlPassword}} -appc.LCM.provider.url=http://localhost:8181/restconf/operations/appc-provider-lcm -appc.LCM.scopeOverlap.endpoint=http://localhost:8181/restconf/operations/interfaces-service:execute-service - -# properties from appc-netconf-adapter-bundle, appc-dg-common, appc-dmaap-adapter-bundle -poolMembers=message-router.{{.Release.Namespace}}:3904 -event.pool.members=message-router.{{.Release.Namespace}}:3904 -restconf.user={{.Values.config.odlUser}} -restconf.pass={{.Values.config.odlPassword}} - - -# properties found in appc-rest-adapter-bundle, appc-chef-adapter-bundle, appc-iaas-adapter-bundle) -#Your OpenStack IP -test.ip=10.0.11.100 -# Your OpenStack Platform's Keystone Port (default is 5000) -test.port=5000 
-test.tenantid=test -test.vmid=test -# Port 8774 below is default port for OpenStack's Nova API Service -test.url=http://api.appc.local/vm/9999999/test/99999999-9999-9999-9999-999999999999 -#skips hypervisor check which usually occurs during iaas-adapter-bundle startup -org.onap.appc.iaas.skiphypervisorcheck=true - -# Properties from default.properties in the src/test and src/main paths of appc-asdc-listener-bundle -appc.sdc.host=sdc-be.{{.Release.Namespace}}:8443 -appc.sdc.env=APPC-ASDC-ENV -appc.sdc.user=test -appc.sdc.pass=test -appc.sdc.consumer=APPC-ASDC-CONSUMER -appc.sdc.consumer.id=APPC-ASDC-CONSUMER-ID -appc.sdc.provider.url=http://localhost:8181/restconf/operations/AsdcMessage:configuration-document-request - -# Properties used by EventSenderDmaapImpl.java -DCAE.dmaap.event.topic.write=EventSenderTest -DCAE.dmaap.event.username=test -DCAE.dmaap.event.password=test -DCAE.dmaap.event.poolMembers=message-router.{{.Release.Namespace}}:3904 - -#OAM Listener -appc.OAM.disabled=true -appc.OAM.provider.url=http://localhost:8181/restconf/operations/appc-oam -appc.OAM.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.OAM.service=ueb -appc.OAM.topic.read=testOAM -appc.OAM.topic.write=testOAM -appc.OAM.client.name=testOAM -appc.OAM.provider.user={{.Values.config.odlUser}} -appc.OAM.provider.pass={{.Values.config.odlPassword}} - -appc.asdc.env={{.Values.config.dmaapTopicEnv}} - -#Properties for communication between appc dmaap microservice and appc -appc.srvcomm.messaging.username={{.Values.config.dmaapServiceUser}} -appc.srvcomm.messaging.password={{.Values.config.dmaapServicePassword}} -appc.srvcomm.messaging.url={{.Values.config.dmaapServiceUrl}} diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv deleted file mode 100644 index 24a3dff7e2..0000000000 
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv +++ /dev/null @@ -1,8 +0,0 @@ -# APPC HELM CHART APPC_RESTCONF_UI -> appc@appc.onap.org -Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 -# jolokiaall = demo@people.osaaf.org -Basic am9sb2tpYWFsbDpqb2xva2lhYWxs,Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh,2050-03-03 -# restall = aaf_admin@people.osaaf.org -Basic cmVzdGFsbDpyZXN0YWxs,Basic YWFmX2FkbWluQHBlb3BsZS5vc2FhZi5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 -# odlro = mmmanger@people.osaaf.org -Basic b2Rscm86b2Rscm8=,Basic bW1tYW5nZXJAcGVvcGxlLm9zYWFmLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties deleted file mode 100644 index 0592f8b06f..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties +++ /dev/null 
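Review bot: the four `Basic ...` pairs in the deleted bath_config.csv are base64-encoded HTTP Basic credentials, an encoding rather than a hash, so removing the file from the tree does not retire them; they stay recoverable from the repository history. Treat the accounts named in the comment lines (appc@appc.onap.org, demo@people.osaaf.org, aaf_admin@people.osaaf.org, mmmanger@people.osaaf.org) as exposed, and rotate or disable them wherever these chart defaults were deployed. The `2050-03-03` expiry on every row means nothing in the file would have aged them out.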
@@ -1,60 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -#hostname=localhost -*/}} - -cadi_loglevel=DEBUG -cadi_bath_convert=/opt/onap/appc/data/properties/bath_config.csv - -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US -cadi_keyfile=/opt/onap/appc/data/stores/org.onap.appc.keyfile -cadi_keystore=/opt/onap/appc/data/stores/org.onap.appc.p12 -cadi_keystore_password=enc:j5wAY4JjI6Gg8KbPRT3CK55kCaBZcrSq9XMe0vU2Hj3_TWfhln414p_og8-0u4EV -#cadi_key_password=enc: -cadi_alias=appc@appc.onap.org -cadi_truststore=/opt/onap/appc/data/stores/truststoreONAPall.jks -cadi_truststore_password=enc:9WJ6CRlrFmHiQrFlckhHybFXOwPW3tRetofp3AZ5nyt - -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? 
-cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties deleted file mode 100644 index 3c19fb44e3..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -# dblib.properrties -org.onap.ccsdk.sli.dbtype=jdbc - -org.onap.ccsdk.sli.jdbc.hosts=dbhost -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} -org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 -org.onap.ccsdk.sli.jdbc.connection.timeout=50 -org.onap.ccsdk.sli.jdbc.request.timeout=100 -org.onap.ccsdk.sli.jdbc.limit.init=10 -org.onap.ccsdk.sli.jdbc.limit.min=10 -org.onap.ccsdk.sli.jdbc.limit.max=20 -org.onap.dblib.connection.recovery=false 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties deleted file mode 100644 index 95f672c2e2..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -org.onap.ccsdk.sli.dbtype = dblib -#Note : the next 4 fields are only used if org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} - -org.xml.sax.driver=org.apache.xerces.parsers.SAXParser 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh deleted file mode 100755 index b6fb2d88a9..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh - -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -### -*/}} - -MYSQL_USER=${SDNC_DB_USER} -MYSQL_PWD=${SDNC_DB_PASSWD} -MYSQL_DB={{.Values.config.sdncdb.dbName}} -MYSQL_HOST=${MYSQL_HOST:-{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}} - -mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB} <<-END -SELECT module, rpc, version, mode from SVC_LOGIC where active='Y'; -END 
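Review bot: in showActiveGraphs.sh the `mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB}` line puts the database password in the process arguments, where it can be read from the process list while the client runs. The script already assigns `MYSQL_PWD`, which the mysql client reads from the environment when it is exported, so if this helper is carried over into another chart, export that variable or use an option file and drop `--password=`. Quoting `${MYSQL_HOST}` and `${MYSQL_DB}` would also avoid word splitting on unexpected values.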
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties deleted file mode 100644 index a6f7f50026..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -### -*/}} - -org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database = {{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWD} 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh deleted file mode 100755 index 7257d186e6..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh +++ /dev/null 
@@ -1,49 +0,0 @@ -#!/bin/sh - -{{/* - -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} - -SDNC_DB_USER=${SDNC_DB_USER} -SDNC_DB_PASSWD=${SDNC_DB_PASSWD} -SDNC_DB_DATABASE={{.Values.config.sdncdb.dbName}} - - -# Create tablespace and user account -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -CREATE DATABASE ${SDNC_DB_DATABASE}; -CREATE USER '${SDNC_DB_USER}'@'localhost' IDENTIFIED BY '${SDNC_DB_PASSWD}'; -CREATE USER '${SDNC_DB_USER}'@'%' IDENTIFIED BY '${SDNC_DB_PASSWD}'; -GRANT ALL PRIVILEGES ON ${SDNC_DB_DATABASE}.* TO '${SDNC_DB_USER}'@'localhost' WITH GRANT OPTION; -GRANT ALL PRIVILEGES ON ${SDNC_DB_DATABASE}.* TO '${SDNC_DB_USER}'@'%' WITH GRANT OPTION; -commit; -END - -if [ -f ${SDNC_HOME}/data/odlsli.dump ] -then -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${SDNC_DB_DATABASE} < 
${SDNC_HOME}/data/odlsli.dump -fi diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties deleted file mode 100644 index fb56680a1d..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties +++ /dev/null 
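Review bot: the `GRANT ALL PRIVILEGES ON ${SDNC_DB_DATABASE}.* TO '${SDNC_DB_USER}'@'%' WITH GRANT OPTION;` statement in the deleted installSdncDb.sh gave the application account, connecting from any host, the ability to pass its privileges on to other accounts. Databases already provisioned by this script keep that grant after the chart is removed, so the removal should be paired with a cleanup step or a release note telling operators to drop the user or revoke the grant. Both `mysql` calls also passed the root password as `-p${MYSQL_PASSWD}` on the command line; any replacement provisioning job should take it from the environment or an option file instead.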
@@ -1,251 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -# -# Configuration file for A&AI Client -# - -# -# Certificate keystore and truststore -# -org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/openecomp/appc/data/stores/truststore.openecomp.client.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=adminadmin -org.onap.ccsdk.sli.adaptors.aai.host.certificate.ignore=true - -org.onap.ccsdk.sli.adaptors.aai.client.name=AAI -org.onap.ccsdk.sli.adaptors.aai.client.psswd=AAI - -org.onap.ccsdk.sli.adaptors.aai.application=openECOMP -#connection.timeout=1000 -#read.timeout=2000 - -# -# Configuration file for A&AI Client -# -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 - - -# query -org.onap.ccsdk.sli.adaptors.aai.path.query=/aai/v11/search/sdn-zone-query -org.onap.ccsdk.sli.adaptors.aai.query.nodes=/aai/v11/search/nodes-query?search-node-type={node-type}&filter={entity-identifier}:EQUALS:{entity-name} 
-org.onap.ccsdk.sli.adaptors.aai.query.generic=/aai/v11/search/generic-query?key={identifier}:{value}&start-node-type={start-node-type}&include=complex&depth=3 - -# named query -org.onap.ccsdk.sli.adaptors.aai.query.named=/aai/search/named-query - - -#update -org.onap.ccsdk.sli.adaptors.aai.update=/aai/v11/actions/update - -# vce -org.onap.ccsdk.sli.adaptors.aai.path.vce =/aai/v11/network/vces/vce/ -org.onap.ccsdk.sli.adaptors.aai.path.vces=/aai/v11/network/vces/ - -# vpe -org.onap.ccsdk.sli.adaptors.aai.path.vpe =/aai/v11/network/vpes/vpe/ -org.onap.ccsdk.sli.adaptors.aai.path.vpes=/aai/v11/network/vpes/ - -# customer -org.onap.ccsdk.sli.adaptors.aai.path.customer=/aai/v11/business/customers/customer/{customer-id} - -# service subscription -org.onap.ccsdk.sli.adaptors.aai.path.service.subscription=/aai/v11/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type} - -# service instance -org.onap.ccsdk.sli.adaptors.aai.path.svcinst=/aai/v11/business/customers/customer/{customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances -org.onap.ccsdk.sli.adaptors.aai.path.svcinst.query=/aai/v11/search/generic-query?key=service-instance.service-instance-id:{svc-instance-id}&start-node-type=service-instance&include=service-instance -org.onap.ccsdk.sli.adaptors.aai.path.service.instance=/aai/v11/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances/service-instance/{service-instance-id} - -# complex -org.onap.ccsdk.sli.adaptors.aai.path.complexes=/aai/v11/cloud-infrastructure/complexes -org.onap.ccsdk.sli.adaptors.aai.path.complex=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id} - -# tenant -org.onap.ccsdk.sli.adaptors.aai.path.tenant=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id} 
-org.onap.ccsdk.sli.adaptors.aai.path.tenant.query=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant?tenant-name={tenant-name} - -# vservers -org.onap.ccsdk.sli.adaptors.aai.path.vservers=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/ -org.onap.ccsdk.sli.adaptors.aai.path.vserver=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id} - -# vpls-pe -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pes=/aai/v11/network/vpls-pes/ -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pe =/aai/v11/network/vpls-pes/vpls-pe/ - -# ctag-pool -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pools=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pool=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools/ctag-pool/{target-pe}/{availability-zone-name} - -# -#-------------- 1510 ---------------------- -# - -# pservers -org.onap.ccsdk.sli.adaptors.aai.path.pservers=/aai/v11/cloud-infrastructure/pservers -org.onap.ccsdk.sli.adaptors.aai.path.pserver=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname} - -# generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnfs=/aai/v11/network/generic-vnfs -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id} - -# dvs-switch -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitches=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitch=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches/dvs-switch/{switch-name} - -# L3 Networks -org.onap.ccsdk.sli.adaptors.aai.path.l3networks=/aai/v11/network/l3-networks 
-org.onap.ccsdk.sli.adaptors.aai.path.l3network=/aai/v11/network/l3-networks/l3-network/{network-id} -org.onap.ccsdk.sli.adaptors.aai.path.l3network.query.name=/aai/v11/network/l3-networks/l3-network?network-name={network-name} - -# P-Interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{interface-name} - -# Physical Link -org.onap.ccsdk.sli.adaptors.aai.path.physical.links=/aai/v11/network/physical-links -org.onap.ccsdk.sli.adaptors.aai.path.physical.link=/aai/v11/network/physical-links/physical-link/{link-name} - -# VPN Bindings -org.onap.ccsdk.sli.adaptors.aai.path.vpn.bindings=/aai/v11/network/vpn-bindings/ -org.onap.ccsdk.sli.adaptors.aai.path.vpn.binding=/aai/v11/network/vpn-bindings/vpn-binding/{vpn-id} - -# VNF IMAGES -org.onap.ccsdk.sli.adaptors.aai.path.vnf.images=/aai/v11/service-design-and-creation/vnf-images -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image=/aai/v11/service-design-and-creation/vnf-images/vnf-image/{att-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image.query=/aai/v11/service-design-and-creation/vnf-images/vnf-image?application={application_model}&application-vendor={application_vendor} - -# UBB Notify -org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v11/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information - -# Service -org.onap.ccsdk.sli.adaptors.aai.path.service=/aai/v11/service-design-and-creation/services/service/{service-id} 
-org.onap.ccsdk.sli.adaptors.aai.path.services=/aai/v11/service-design-and-creation/services - - -# -#-------------- 1604 ---------------------- -# - -# VNFC -org.onap.ccsdk.sli.adaptors.aai.path.vnfc=/aai/v11/network/vnfcs/vnfc/{vnfc-name} - -# class-of-service -org.onap.ccsdk.sli.adaptors.aai.path.class.of.service=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id}/classes-of-service/class-of-service/{cos-id} - -# site-pair -org.onap.ccsdk.sli.adaptors.aai.path.site.pair=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id} - -# routing-instance -org.onap.ccsdk.sli.adaptors.aai.path.routing.instance=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id} - -# site-pair-set -org.onap.ccsdk.sli.adaptors.aai.path.site.pair.set=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id} - -# license key resource -org.onap.ccsdk.sli.adaptors.aai.path.license.acquire=/aai/v11/actions/assignment/license-management/assignment-group-uuid/{assignment-group-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.license=/aai/v11/license-management/license-key-resources/license-key-resource/{att-uuid} - -# logical-link -org.onap.ccsdk.sli.adaptors.aai.path.logical.link =/aai/v11/network/logical-links/logical-link/{link-name} - -# virtual-data-center -org.onap.ccsdk.sli.adaptors.aai.path.virtual.data.center=/aai/v11/cloud-infrastructure/virtual-data-centers/virtual-data-center/{vdc-id} - -# wan-connector -org.onap.ccsdk.sli.adaptors.aai.path.wan.connector=/aai/v11/business/connectors/connector/{resource-instance-id} - -# l-interface 
-org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# l-interface pnf -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface.pnf=/aai/v11/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface.pnf=/aai/v11/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# subinterface -org.onap.ccsdk.sli.adaptors.aai.path.pnf.lag.interface.subinterface=/aai/v11/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.pnf.p.interface.l.interface=/aai/v11/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# vlans -org.onap.ccsdk.sli.adaptors.aai.path.vlan=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.vlan=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} - -# l3-interface-ipv4-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} 
-org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# l3-interface-ipv6-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# ipsec-configuration -org.onap.ccsdk.sli.adaptors.aai.path.ipsec.configuration=/aai/v11/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id} - -# vig server -org.onap.ccsdk.sli.adaptors.aai.path.vig.server=/aai/v11/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id}/vig-servers/vig-server/{vig-address-type} - -# l3-network -org.onap.ccsdk.sli.adaptors.aai.path.l3.network=/aai/v11/network/l3-networks/l3-network/{network-id} - -# subnet -org.onap.ccsdk.sli.adaptors.aai.path.subnet=/aai/v11/network/l3-networks/l3-network/{network-id}/subnets/subnet/{subnet-id} - -# multicast-configuration -org.onap.ccsdk.sli.adaptors.aai.path.multicast.configuration=/aai/v11/network/multicast-configurations/multicast-configuration/{multicast-configuration-id} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.vlan.ipv4.address.list 
-org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.vlan.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv6.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# volume.group -org.onap.ccsdk.sli.adaptors.aai.path.volume.group=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/volume-groups/volume-group/{volume-group-id} - -#cloud region -org.onap.ccsdk.sli.adaptors.aai.path.cloud.region=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id} - -# vf-module -org.onap.ccsdk.sli.adaptors.aai.path.vf.module=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/vf-modules/vf-module/{vf-module-id} - -# l-interface through generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.linterface=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name} - -# network-policy -org.onap.ccsdk.sli.adaptors.aai.path.network.policy=/aai/v11/network/network-policies/network-policy/{network-policy-id} - -# pnf -org.onap.ccsdk.sli.adaptors.aai.path.pnf=/aai/v11/network/pnfs/pnf/{pnf-name} - -# -# Formatting -# -org.onap.ccsdk.sli.adaptors.aai.param.format=filter=%s:%s -org.onap.ccsdk.sli.adaptors.aai.param.vnf_type=vnf-type -org.onap.ccsdk.sli.adaptors.aai.param.physical.location.id=physical-location-id -org.onap.ccsdk.sli.adaptors.aai.param.service.type=service-type 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties deleted file mode 100644 index a46920f001..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -# dblib.properrties -org.onap.ccsdk.sli.dbtype=jdbc - -org.onap.ccsdk.sli.jdbc.hosts=dbhost -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} -org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 -org.onap.ccsdk.sli.jdbc.connection.timeout=50 -org.onap.ccsdk.sli.jdbc.request.timeout=100 -org.onap.ccsdk.sli.jdbc.limit.init=10 -org.onap.ccsdk.sli.jdbc.limit.min=10 -org.onap.ccsdk.sli.jdbc.limit.max=20 -org.onap.dblib.connection.recovery=false 
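Review bot: the removed `org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER}` and `org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD}` lines were this chart's login to the database at `{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306`, and nothing visible in this patch retires that account. If the Galera service is deployed independently of this chart, the commit message or a follow-up change should state how the database user and the `{{.Values.config.sdncdb.dbName}}` schema are dropped, so that a credential with no remaining owner is not left valid.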
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties deleted file mode 100644 index a0df862636..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -org.onap.ccsdk.sli.dbtype = dblib -#Note : the next 4 fields are only used if org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} - -org.xml.sax.driver=org.apache.xerces.parsers.SAXParser 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh deleted file mode 100755 index d0e6c3ee71..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh - -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -MYSQL_USER=${SDNC_DB_USER} -MYSQL_PWD=${SDNC_DB_PASSWD} -MYSQL_DB={{.Values.config.sdncdb.dbName}} -MYSQL_HOST=${MYSQL_HOST:-{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}} - -mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB} <<-END -SELECT module, rpc, version, mode from SVC_LOGIC where active='Y'; -END 
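Review bot: the last command of this removed script, `mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB}`, put the database password in the process arguments, where anything that can list processes in the container can read it. Deleting the file needs no further change here, but any helper that replaces it should hand the credential to the client through a permission-restricted option file (`--defaults-extra-file`) rather than on the command line, and should quote the variable expansions.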
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties deleted file mode 100644 index 5be5b8ddab..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database = {{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWD} diff --git a/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile b/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile deleted file mode 100644 index b7dd5ff9e7..0000000000 
--- a/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile +++ /dev/null 
@@ -1,27 +0,0 @@ -EVYIj42lKzRyMicebf8OOUa9CVwvaKie3N7fTGeDT-GjiR6M6AHQCwBD9Bj95VxgVWOyXGAYy7eT -SSfnkVBgcdZWXlRL7HSUocs52DneRTGYcYGIBGz24O6EpmeZQyWluCKBcVCALKClPzqBNsHa2W06 -XwAccZzYPkDV-taGqF5kP10RiYvKe5YoZEQYBfauS3lDqf47AP-Dh1wLUIpvTSAUfBgDW9FBx9Ay -8Wy2geTuAXcPduBtTGIj3law-5ePDFRqwVVkXmSaEmEn34NvJ4z6Ww7VHqzqBxKAvLErV-KCEHEa -L3L1CCqNCXjUUa_D8CReDA-LPAG_v0yrjQxrdqzcYJ76Q0uIlNmEi_85AlAUXx6KGC03TqaGqICW -nNs4ouxM6U4ekiDi9qbFh7RlTEXw6bHhJPCq-G5ID-crWDHSarQ3IUR5qOmgIFIxpkPksBSGmUI4 -OIScgb2TtqG94EAZ3qu3PmzVlJrxbHYHVFlNLEecu7tGtiQJTLUHpJ0Z8O2GOc8bBz6o6NBT72Pv -i068VkLyUyrSNnVo9rNVFWAc3HREFi85KszBdk58kPTr2AQFH9iK2hmrXTdnPMjhmQgRh4xiAn4J -v5Gsb4DL2si3ZjD2E36Fy5XlPhyFFc8gdB6-v-Et1XJTU6mwV5DgKgg5o3WdHTuHZjYgWmcATZiQ -yLOQ6ZdjTF_004yOSkUzHbArOEmS6LIPTuLibvN6CY1Q0u_ucl5iaIbcwo_sVFisnVXQBHYXblBm -MgZZFg0n5ugL-bdUSdJtU7yIU5t79n0aMxnN84QhuREMSvCUioCrBD5c5H22iqbY7UCPO9Yy7lM- -aPVDRPwHAKEVjYqf4Z4k0Jthn7wqWS2iAKVOEi4R1oniAuuIcM9xoha0-LdRe8hWTV-qXDbtCVDz -h6Rw3dqtS5mCGBMC0TCrLJzG5n3Ed_4kGl5Emb3SXHWNqI_BuIalU4uot7seCv464E3QWQgAkv8w -wTk_IEWIFZhKJIcy5Brsw7Fz-XWQWkExEU3xKButC9hFXpdszF0y8CYUI6EPt2mPqaxB6zu3s4Bv -bKrVxFPX97mOeD8TpmxElmF0vpdhJ9Ee8clvBrGtLl1UIP6B80PrAPEZMLNhLV8S-ZJMKL5PTZh0 -_HNpj1EfiXnBz02cbes5Fuq9M8Dk7f16tP8prYzJ1JbnLTNHHcW4Z1quKrN8RIoYw3qzlXuYRm6Y -8rbuPlZ1wTllIxf00omnonJw8Fx9XzArv_UvqTvAYrv22YliUSl-lcFi8cOK58bmM5rBmkWoFObK -DsCMicfyPWhKf3DEwg1Y0j0qKppFqtKcSxnIbQ-VPRCrRv2yTjauEW6iNlq3RQKSJqFjUVmSUn2w -7tYQzeNv0tYgfRtHgSy_CA9q_ANJFFlxDtqtrFTsgrEH4jOlLs2_UN96RNUhVqSu95X5hEukI574 -kQBUMc5gGQvQ2_Xug15O_-cFfhtalI7NBZkGNNPY5K8h7xYZp2aAl-pNPwKHAmrOWAvFwy64A1NT -_RrZxrtVkj-k3f8Mv_p56yChUpujZ_ZDwLgYKWraqDxyEctpXyMMgjOYRy2CZ6oZfuAygrN5Gw4k -zMKBDkz_5LO_rYU2RUa2NRDLlh2Y47Gxt90IEw_i8y7nxn7K6y3nApI11tfsiiotYq8DLk6jYh07 -mJg-D8lb0q9JRYmnJcNkIQNVJ06bmJnaJQZ7GXUz9MF8_zuTdm4D8m_Ly2Ai4KFq_lw5CBVrLM5k -pfJveSw_6_uF5pda_EZoR4bBoWdrFvLNwob3lsdgiIYGTafQx2SFfQiiEB_CwpGuj4_Dv-TkUT2O -Ui2UWI9Gr-HxSITnvUR0UHStrDb5miXEr8E_Znwc4Db2juh30L57aEtl5N0TYwKI925qLNLHbFg0 
-FKEvIt-o7HmvPY6UqajwAtIAdKpxWpWD-hl-eNVNsT4mVzdegIrM2wzzKIcLOvCEEvyWei_E8mIp -nqYw9LoFrQf3dCh8XeamqYkbPE00E8p1zXPNRow5iz9NQ-BNksp1e-ghqF_xr3L4eh7BkEu2 \ No newline at end of file diff --git a/kubernetes/appc/resources/config/certs/org.onap.appc.p12 b/kubernetes/appc/resources/config/certs/org.onap.appc.p12 deleted file mode 100644 index 352c4f562a..0000000000 Binary files a/kubernetes/appc/resources/config/certs/org.onap.appc.p12 and /dev/null differ diff --git a/kubernetes/appc/resources/config/log/filebeat/filebeat.yml b/kubernetes/appc/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 98df709639..0000000000 --- a/kubernetes/appc/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - # The below commented properties are for time-based rolling policy. But as the log4j 1.2x does not support time-based rolling these properties are not set - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - #ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - #clean_inactive: 96h - - #Multiline properties for log4j xml log events - multiline.pattern: '' - multiline.negate: true - multiline.match: before - #multiline.max_lines: 500 - #multiline.timeout: 5s - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg b/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg deleted file mode 100644 index b74cc995fd..0000000000 --- a/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg +++ /dev/null 
@@ -1,97 +0,0 @@ -{{/* -################################################################################ -# -# ============LICENSE_START======================================================= -# ONAP : APPC -# ================================================================================ -# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-# ============LICENSE_END========================================================= -# -################################################################################ -*/}} - -# Common pattern layout for appenders -log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n - -# Root logger -log4j2.rootLogger.level = INFO -# uncomment to use asynchronous loggers, which require mvn:com.lmax/disruptor/3.3.2 library -#log4j2.rootLogger.type = asyncRoot -#log4j2.rootLogger.includeLocation = false -log4j2.rootLogger.appenderRef.RollingFile.ref = RollingFile -log4j2.rootLogger.appenderRef.PaxOsgi.ref = PaxOsgi -log4j2.rootLogger.appenderRef.Console.ref = Console -log4j2.rootLogger.appenderRef.Console.filter.threshold.type = ThresholdFilter -log4j2.rootLogger.appenderRef.Console.filter.threshold.level = ${karaf.log.console:-OFF} - -# Loggers configuration - -# Spifly logger -log4j2.logger.spifly.name = org.apache.aries.spifly -log4j2.logger.spifly.level = WARN - -# Security audit logger -log4j2.logger.audit.name = org.apache.karaf.jaas.modules.audit -log4j2.logger.audit.level = INFO -log4j2.logger.audit.additivity = false -log4j2.logger.audit.appenderRef.AuditRollingFile.ref = AuditRollingFile - -# Appenders configuration - -# Console appender not used by default (see log4j2.rootLogger.appenderRefs) -log4j2.appender.console.type = Console -log4j2.appender.console.name = Console -log4j2.appender.console.layout.type = PatternLayout -log4j2.appender.console.layout.pattern = ${log4j2.pattern} - -# Rolling file appender -log4j2.appender.rolling.type = RollingRandomAccessFile -log4j2.appender.rolling.name = RollingFile -log4j2.appender.rolling.fileName = ${karaf.data}/log/karaf.log -log4j2.appender.rolling.filePattern = ${karaf.data}/log/karaf.log.%i -# uncomment to not force a disk flush -#log4j2.appender.rolling.immediateFlush = false -log4j2.appender.rolling.append = true -log4j2.appender.rolling.layout.type = 
PatternLayout -log4j2.appender.rolling.layout.pattern = ${log4j2.pattern} -log4j2.appender.rolling.policies.type = Policies -log4j2.appender.rolling.policies.size.type = SizeBasedTriggeringPolicy -log4j2.appender.rolling.policies.size.size = 16MB - -# Audit file appender -log4j2.appender.audit.type = RollingRandomAccessFile -log4j2.appender.audit.name = AuditRollingFile -log4j2.appender.audit.fileName = ${karaf.data}/security/audit.log -log4j2.appender.audit.filePattern = ${karaf.data}/security/audit.log.%i -log4j2.appender.audit.append = true -log4j2.appender.audit.layout.type = PatternLayout -log4j2.appender.audit.layout.pattern = ${log4j2.pattern} -log4j2.appender.audit.policies.type = Policies -log4j2.appender.audit.policies.size.type = SizeBasedTriggeringPolicy -log4j2.appender.audit.policies.size.size = 8MB - -# OSGi appender -log4j2.appender.osgi.type = PaxOsgi -log4j2.appender.osgi.name = PaxOsgi -log4j2.appender.osgi.filter = * - -# help with identification of maven-related problems with pax-url-aether -#log4j2.logger.aether.name = shaded.org.eclipse.aether -#log4j2.logger.aether.level = TRACE -#log4j2.logger.http-headers.name = shaded.org.apache.http.headers -#log4j2.logger.http-headers.level = DEBUG -#log4j2.logger.maven.name = org.ops4j.pax.url.mvn -#log4j2.logger.maven.level = TRACE - diff --git a/kubernetes/appc/templates/NOTES.txt b/kubernetes/appc/templates/NOTES.txt deleted file mode 100644 index 455b030b0a..0000000000 --- a/kubernetes/appc/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/appc/templates/configmap.yaml b/kubernetes/appc/templates/configmap.yaml deleted file mode 100644 index 6ebf0b1026..0000000000 --- a/kubernetes/appc/templates/configmap.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/bin/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-data-properties - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/data/properties/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/svclogic/bin/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/svclogic/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/bin/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-data-properties - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/data/properties/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/svclogic/bin/*").AsConfig . 
| indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/svclogic/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-logging-cfg - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/appc/templates/ingress.yaml b/kubernetes/appc/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/appc/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/appc/templates/pv.yaml b/kubernetes/appc/templates/pv.yaml deleted file mode 100644 index 0df2dbf378..0000000000 --- a/kubernetes/appc/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i, $t := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{$i}} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - storageClassName: "{{ include "common.fullname" $global }}-data" - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
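Review bot: on the earlier deletions of `kubernetes/appc/resources/config/certs/org.onap.appc.keyfile` and `org.onap.appc.p12`, removing the files takes them out of the tree only; both remain retrievable from repository history under the old blob ids shown in their index lines (`b7dd5ff9e7` and `352c4f562a`). The key material should be treated as disclosed: the commit message should say that the certificate in the `.p12` is revoked or already expired and that the keyfile is not reused by any other component, and any replacement should be supplied at deploy time instead of being committed under `resources/config/certs/`.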
diff --git a/kubernetes/appc/templates/secrets.yaml b/kubernetes/appc/templates/secrets.yaml deleted file mode 100644 index 3cccd128eb..0000000000 --- a/kubernetes/appc/templates/secrets.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/appc/templates/service.yaml b/kubernetes/appc/templates/service.yaml deleted file mode 100644 index eb95ffc405..0000000000 --- a/kubernetes/appc/templates/service.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "appc", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange":"1", - "path": "/" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: "{{ .Values.service.portName }}-8443" - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: "{{ .Values.service.portName }}-1830" - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - nodePort: {{ .Values.global.nodePortPrefix | default 
.Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: "{{ .Values.service.portName }}-9090" - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}-8443 - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}-1830 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName }}-9090 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-cluster - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - ports: - - name: "{{ .Values.service.portName }}-cluster-port" - port: {{ .Values.service.clusterPort }} - clusterIP: None - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - sessionAffinity: None - type: ClusterIP diff --git a/kubernetes/appc/templates/statefulset.yaml b/kubernetes/appc/templates/statefulset.yaml deleted file mode 100644 index d67e1687ba..0000000000 --- a/kubernetes/appc/templates/statefulset.yaml +++ /dev/null 
@@ -1,292 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: "{{ .Values.service.name }}-cluster" - replicas: {{ .Values.replicaCount }} - podManagementPolicy: Parallel - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; chmod 0755 /config/${PFILE}; done" - env: - - name: APPC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "login") | indent 10 }} - - name: APPC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "password") | indent 10 }} - - name: SDNC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdncdb-user-creds" "key" "login") | indent 10 }} - - name: SDNC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input/appc-data-properties - name: onap-appc-data-properties-input - - mountPath: /config-input/appc-svclogic-config - name: onap-appc-svclogic-config-input - - mountPath: /config-input/sdnc-data-properties - name: onap-sdnc-data-properties-input - - mountPath: /config-input/sdnc-svclogic-config - name: onap-sdnc-svclogic-config-input - - mountPath: /config/appc-data-properties - name: onap-appc-data-properties - - mountPath: /config/appc-svclogic-config - name: onap-appc-svclogic-config - - mountPath: /config/sdnc-data-properties - name: onap-sdnc-data-properties - - mountPath: /config/sdnc-svclogic-config - name: onap-sdnc-svclogic-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{.Values.config.mariadbGaleraContName}} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - name: {{ include "common.name" . }}-chown - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }}"] - volumeMounts: - - mountPath: {{ .Values.persistence.mdsalPath }} - name: {{ include "common.fullname" . }}-data - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /opt/appc/bin/startODL.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.externalPort2 }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} - - name: APPC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "login") | indent 14 }} - - name: APPC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "password") | indent 14 }} - - name: SDNC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "login") | indent 14 }} - - name: SDNC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdncdb-user-creds" "key" "password") | indent 14 }} - - name: SDNC_CONFIG_DIR - value: "{{ .Values.config.configDir }}" - - name: APPC_CONFIG_DIR - value: "{{ .Values.config.configDir }}" - - name: DMAAP_TOPIC_ENV - value: "{{ .Values.config.dmaapTopic }}" - - name: ENABLE_AAF - value: "{{ .Values.config.enableAAF }}" - - name: ENABLE_ODL_CLUSTER - value: "{{ .Values.config.enableClustering }}" - - name: APPC_REPLICAS - value: "{{ .Values.replicaCount }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/onap/appc/data/properties/dblib.properties - name: onap-appc-data-properties - subPath: dblib.properties - - mountPath: /opt/onap/appc/data/properties/svclogic.properties - name: onap-appc-data-properties - subPath: svclogic.properties - - mountPath: /opt/onap/appc/data/properties/appc.properties - name: onap-appc-data-properties - subPath: appc.properties - - mountPath: /opt/onap/appc/data/properties/aaiclient.properties - name: onap-appc-data-properties - subPath: aaiclient.properties - - mountPath: /opt/onap/appc/data/properties/cadi.properties - name: onap-appc-data-properties - subPath: cadi.properties - - mountPath: /opt/onap/appc/data/properties/aaa-app-config.xml - name: onap-appc-data-properties-input - subPath: aaa-app-config.xml - - mountPath: /opt/onap/appc/data/properties/bath_config.csv - name: onap-appc-data-properties - subPath: bath_config.csv - - mountPath: /opt/onap/appc/svclogic/config/svclogic.properties - name: onap-appc-svclogic-config - subPath: svclogic.properties - - mountPath: /opt/onap/appc/svclogic/bin/showActiveGraphs.sh - name: onap-appc-svclogic-bin - subPath: showActiveGraphs.sh - - mountPath: /opt/onap/appc/bin/startODL.sh - name: onap-appc-bin - subPath: startODL.sh - - mountPath: /opt/onap/appc/bin/installAppcDb.sh - name: onap-appc-bin - subPath: installAppcDb.sh - - mountPath: /opt/onap/appc/bin/health_check.sh - name: onap-appc-bin - subPath: health_check.sh - - 
mountPath: /opt/onap/ccsdk/data/properties/dblib.properties - name: onap-sdnc-data-properties - subPath: dblib.properties - - mountPath: /opt/onap/ccsdk/data/properties/svclogic.properties - name: onap-sdnc-data-properties - subPath: svclogic.properties - - mountPath: /opt/onap/ccsdk/data/properties/aaiclient.properties - name: onap-sdnc-data-properties - subPath: aaiclient.properties - - mountPath: /opt/onap/ccsdk/svclogic/config/svclogic.properties - name: onap-sdnc-svclogic-config - subPath: svclogic.properties - - mountPath: /opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh - name: onap-sdnc-svclogic-bin - subPath: showActiveGraphs.sh - - mountPath: /opt/onap/ccsdk/bin/installSdncDb.sh - name: onap-sdnc-bin - subPath: installSdncDb.sh - - mountPath: {{ .Values.persistence.mdsalPath }} - name: {{ include "common.fullname" . }}-data - - mountPath: {{ .Values.log.path }} - name: logs - - mountPath: /opt/onap/appc/data/org.ops4j.pax.logging.cfg - name: log-config - subPath: org.ops4j.pax.logging.cfg - - mountPath: /opt/onap/appc/data/stores/org.onap.appc.p12 - name: p12-certs - subPath: org.onap.appc.p12 - - mountPath: /opt/onap/appc/data/stores/org.onap.appc.keyfile - name: keyfile-certs - subPath: org.onap.appc.keyfile - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: keyfile-certs - secret: - secretName: {{ include "common.fullname" . }}-certs - - name: p12-certs - secret: - secretName: {{ include "common.fullname" . }}-certs - - name: localtime - hostPath: - path: /etc/localtime - - name: log-config - configMap: - name: {{ include "common.fullname" . }}-logging-cfg - - name: logs - emptyDir: {} - {{ include "common.log.volumes" . 
| nindent 8 }} - - name: onap-appc-data-properties-input - configMap: - name: {{ include "common.fullname" . }}-onap-appc-data-properties - - name: onap-appc-svclogic-config-input - configMap: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-config - - name: onap-appc-svclogic-bin - configMap: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-bin - defaultMode: 0755 - - name: onap-appc-bin - configMap: - name: {{ include "common.fullname" . }}-onap-appc-bin - defaultMode: 0755 - - name: onap-sdnc-data-properties-input - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-data-properties - - name: onap-sdnc-svclogic-config-input - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-config - - name: onap-sdnc-svclogic-bin - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-bin - defaultMode: 0755 - - name: onap-sdnc-bin - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-bin - defaultMode: 0755 - - name: onap-appc-data-properties - emptyDir: - medium: Memory - - name: onap-appc-svclogic-config - emptyDir: - medium: Memory - - name: onap-sdnc-data-properties - emptyDir: - medium: Memory - - name: onap-sdnc-svclogic-config - emptyDir: - medium: Memory -{{ if not .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - emptyDir: {} -{{ else }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{ end }} diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml deleted file mode 100644 index f59a64f3d2..0000000000 
--- a/kubernetes/appc/values.yaml +++ /dev/null 
@@ -1,370 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - centralizedLoggingEnabled: false - persistence: - mountPath: /dockerdata-nfs - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: "db-root-pass" - name: '{{ include "common.release" . }}-appc-db-root-pass' - externalSecret: '{{ .Values.config.dbRootPassExternalSecret }}' - type: password - password: '{{ .Values.config.dbRootPass }}' - - uid: 'appcdb-user-creds' - name: '{{ include "common.release" . }}-appcdb-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.appcdb.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.appcdb.userName }}' - password: '{{ .Values.config.appcdb.password }}' - - uid: 'sdncdb-user-creds' - name: '{{ include "common.release" . }}-sdncdb-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.sdncdb.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.sdncdb.userName }}' - password: '{{ .Values.config.sdncdb.password }}' - - -################################################################# -# Application configuration defaults. -################################################################# -flavor: small -# application image -image: onap/appc-image:1.7.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# log configuration -log: - path: /var/log/onap - -# application configuration -config: -# dbRootPassExternalSecret: some secret -# dbRootPass: password - appcdb: - # Warning: changing this config option may not work. - # It seems that the DB name is hardcoded. - dbName: appcctl - userName: appcctl - # password: appcctl - # userCredsExternalSecret: some secret - sdncdb: - # Warning: changing this config option may not work. - # It seems that the DB name is hardcoded. - dbName: sdnctl - userName: sdnctl - # password: gamma - # userCredsExternalSecret: some secret - odlUid: 100 - odlGid: 101 - ansibleServiceName: appc-ansible-server - ansiblePort: 8000 - mariadbGaleraSVCName: &appc-db appc-db - mariadbGaleraContName: *appc-db - enableAAF: true - enableClustering: false - configDir: /opt/onap/appc/data/properties - dmaapTopic: SUCCESS - dmaapTopicEnv: AUTO - logstashServiceName: log-ls - logstashPort: 5044 - odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: enc:LDEbHEAvTF1R - odlUser: admin - dmaapServiceUrl: http://localhost:8080/publish - dmaapServiceUser: appc - dmaapServicePassword: onapappc - -appc-ansible-server: - enabled: true - service: - name: appc-ansible-server - internalPort: 8000 - config: - mysqlServiceName: *appc-db - -appc-cdt: - enabled: true - 
-mariadb-galera: - nameOverride: *appc-db - rootUser: - externalSecret: '{{ include "common.release" . }}-appc-db-root-pass' - service: - name: *appc-db - nfsprovisionerPrefix: appc - sdnctlPrefix: appc - persistence: - mountSubPath: appc/data - enabled: true - disableNfsProvisioner: true - serviceAccount: - nameOverride: *appc-db - replicaCount: 1 - - mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin - - [mysqld] - lower_case_table_names = 1 - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 - - ## Character set - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 - - ## MyISAM - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP - - ## Safety - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE - sysdate_is_now=1 - - ## Binary Logging - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row - - ## Caches and Limits - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 - - ## InnoDB - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per 
https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. - # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda - - ## Logging - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 - - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem - - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON - binlog_format=row - default_storage_engine=InnoDB - innodb_autoinc_lock_mode=2 - transaction-isolation=READ-COMMITTED - wsrep_causal_reads=1 - wsrep_sync_wait=7 - - [mariadb] - plugin_load_add=auth_pam - - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON - - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 - - ## Aria Encryption - # aria_encrypt_tables=ON - # 
encrypt_tmp_disk_tables=ON - -dgbuilder: - nameOverride: appc-dgbuilder - certInitializer: - nameOverride: appc-dgbuilder-cert-initializer - config: - db: - rootPasswordExternalSecret: '{{ include "common.release" . }}-appc-db-root-pass' - userCredentialsExternalSecret: '{{ include "common.release" . }}-sdncdb-user-creds' - dbPodName: *appc-db - dbServiceName: *appc-db - service: - name: appc-dgbuilder - serviceAccount: - nameOverride: appc-dgbuilder - ingress: - enabled: false - service: - - baseaddr: "appc-dgbuilder" - name: "appc-dgbuilder" - port: 3000 - config: - ssl: "redirect" - -#passing value to cdt chart. value of nodePort3 will be same as appc.service.nodePort3. -appc-cdt: - nodePort3: 11 -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 300 - periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 300 - periodSeconds: 60 - -service: - type: NodePort - name: appc - portName: appc - - internalPort: 8443 - externalPort: 8443 - nodePort: 30 - - externalPort2: 1830 - nodePort2: 31 - clusterPort: 2550 - - internalPort3: 9191 - externalPort3: 9090 - nodePort3: 11 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: appc/mdsal - mdsalPath: /opt/opendaylight/current/daexim - -ingress: - enabled: false - service: - - baseaddr: "appc.api" - name: "appc" - port: 8443 - config: - ssl: "redirect" - -# Configure resource requests and limits -# ref: http://kubernetes.io/docs/user-guide/compute-resources/ -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/cds/Chart.yaml b/kubernetes/cds/Chart.yaml index 7115e9e39f..d8b6cc7de0 100644 --- a/kubernetes/cds/Chart.yaml +++ b/kubernetes/cds/Chart.yaml @@ -17,32 +17,33 @@ apiVersion: v2 description: ONAP Controller Design Studio (CDS) name: cds -version: 11.0.0 +version: 13.0.2 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' + condition: global.mariadbGalera.localCluster - name: cds-blueprints-processor - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/cds-blueprints-processor' condition: cds-blueprints-processor.enabled - name: cds-command-executor - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/cds-command-executor' condition: cds-command-executor.enabled - name: cds-py-executor - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/cds-py-executor' condition: cds-py-executor.enabled - name: cds-sdc-listener - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/cds-sdc-listener' condition: cds-sdc-listener.enabled - name: cds-ui - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/cds-ui' condition: cds-ui.enabled diff --git a/kubernetes/cds/Makefile b/kubernetes/cds/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/cds/Makefile 
+++ b/kubernetes/cds/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/cds/components/Makefile b/kubernetes/cds/components/Makefile index f4c9784bc4..9544d70f33 100644 --- a/kubernetes/cds/components/Makefile +++ b/kubernetes/cds/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
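Review bot: in the added `ifneq ($(SKIP_LINT),TRUE)` block the comparison is an exact, case-sensitive string match, so `SKIP_LINT=true` or `SKIP_LINT=1` still runs `helm lint` with no hint why, and the variable is not documented anywhere in this Makefile. A comment above the block naming the accepted value would fix that. Because `package-%` depends on `lint-%` and pushes the result to the `local` repository, the skip message should also stand out more than a plain `echo`, so that unlinted charts reaching chartmuseum are easy to spot in build logs.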
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml index 2002e5695b..e4fc011880 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP CDS Blueprints Processor name: cds-blueprints-processor -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~11.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer b/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer deleted file mode 100755 index e9a50d7ea0..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index 2818fd99b4..b99bae7197 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -1,6 +1,6 @@ {{/* # -# Copyright (c) 2017-2022 AT&T, IBM, Bell Canada, Nordix Foundation. +# Copyright (c) 2017-2023 AT&T, IBM, Bell Canada, Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -101,11 +101,7 @@ blueprintsprocessor.restclient.sdnc.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoG # AAI Data REST Client settings blueprintsprocessor.restclient.aai-data.type=basic-auth -{{ if ( include "common.needTLS" .) }} -blueprintsprocessor.restclient.aai-data.url=https://{{ .Values.global.aaiData.ServiceName }}:8443 -{{- else -}} blueprintsprocessor.restclient.aai-data.url=http://{{ .Values.global.aaiData.ServiceName }}:{{ .Values.global.aaiData.ExternalPlainPort }} -{{- end }} blueprintsprocessor.restclient.aai-data.username=aai@aai.onap.org blueprintsprocessor.restclient.aai-data.password=demo123456! blueprintsprocessor.restclient.aai-data.additionalHeaders.X-TransactionId=cds-transaction-id 
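Review bot: with the `common.needTLS` branch removed in the AAI Data REST Client block, `blueprintsprocessor.restclient.aai-data.url` is always rendered as `http://`, while the client stays `type=basic-auth` with `aai-data.username` and `aai-data.password` written inline in this template. The AAI credentials therefore travel unencrypted at the application layer, and confidentiality depends entirely on something outside this file, such as a mesh sidecar. Please state that dependency in a comment next to the URL, and consider moving `aai-data.password` to a secret-backed variable in the same way `scramPassword=${SASL_JAAS_PASS}` is handled further down in this file.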
@@ -121,70 +117,44 @@ blueprintsprocessor.restclient.cps-data.additionalHeaders.Accept=application/jso blueprintsprocessor.restclient.cps-data.additionalHeaders.Content-Type=application/json # Self Service Request Kafka Message Consumer -blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable={{ .Values.kafkaRequestConsumer.enabled }} -blueprintsprocessor.messageconsumer.self-service-api.type={{ .Values.kafkaRequestConsumer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable=true +blueprintsprocessor.messageconsumer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ .Values.kafkaRequestConsumer.bootstrapServers }} +{{- with (first .Values.kafkaUser.acls) }} +blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .name }} {{- end }} -blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .Values.kafkaRequestConsumer.groupId }} -blueprintsprocessor.messageconsumer.self-service-api.topic={{ .Values.kafkaRequestConsumer.topic }} -blueprintsprocessor.messageconsumer.self-service-api.clientId={{ .Values.kafkaRequestConsumer.clientId }} -blueprintsprocessor.messageconsumer.self-service-api.pollMillSec={{ .Values.kafkaRequestConsumer.pollMillSec }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.release" . 
}}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageconsumer.self-service-api.topic=cds.blueprint-processor.self-service-api.request +blueprintsprocessor.messageconsumer.self-service-api.clientId=request-receiver-client-id +blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 +blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${SASL_JAAS_PASS} # Self Service Response Kafka Message Producer -blueprintsprocessor.messageproducer.self-service-api.type={{ .Values.kafkaRequestProducer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ .Values.kafkaRequestProducer.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.clientId={{ .Values.kafkaRequestProducer.clientId }} -blueprintsprocessor.messageproducer.self-service-api.topic={{ .Values.kafkaRequestProducer.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.clientId=request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.topic=cds.blueprint-processor.self-service-api.response +blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.scramPassword=${SASL_JAAS_PASS} # AUDIT KAFKA FEATURE CONFIGURATION # Audit feature dumps CDS request to a topic as well as a truncated response message to another topic. ## Audit request -blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable={{ .Values.kafkaAuditRequest.enabled }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.type={{ .Values.kafkaAuditRequest.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=true +blueprintsprocessor.messageproducer.self-service-api.audit.request.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId={{ .Values.kafkaAuditRequest.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.topic={{ .Values.kafkaAuditRequest.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId=audit-request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.request.topic=cds.blueprint-processor.self-service-api.audit.request +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${SASL_JAAS_PASS} ## Audit response -blueprintsprocessor.messageproducer.self-service-api.audit.response.type={{ .Values.kafkaAuditResponse.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId={{ .Values.kafkaAuditResponse.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.topic={{ .Values.kafkaAuditResponse.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId=audit-response-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.response.topic=cds.blueprint-processor.self-service-api.audit.response +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${SASL_JAAS_PASS} # Executor Options blueprintsprocessor.resourceResolution.enabled=true 
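Review bot: `blueprintsprocessor.messageconsumer.self-service-api.groupId` is rendered from `first .Values.kafkaUser.acls`, so the consumer group name depends on the `type: group` ACL staying first in that list. If a topic ACL is ever placed ahead of it in values.yaml, the group id silently becomes the topic prefix, for which the KafkaUser has no group ACL. Select the entry by `type: group`, or use a dedicated value for the group id. Separately, `kafkaEnable=true` and `type=kafka-scram-plain-text-auth` are now fixed in the template for the consumer and for both audit producers, so there is no values switch left to turn them off; please confirm that is intended and say so in the commit message.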
@@ -225,3 +195,14 @@ blueprintprocessor.k8s.plugin.url=http://multicloud-k8s:9015/ #Workflow audit store configuration blueprintsprocessor.workflow.self-service-api.audit.storeEnable={{ .Values.workflow.storeEnabled }} + +#Tracing +spring.zipkin.baseUrl={{ .Values.tracing.collector.baseUrl }} +spring.zipkin.checkTimeout=5000 +spring.zipkin.service.name={{ include "common.name" . }} +spring.sleuth.messaging.jms.enabled=false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml deleted file mode 100644 index 555f4d4e60..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestConsumer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestProducer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditRequest.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditResponse.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 -{{ end }} \ No newline at end of file 
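Review bot: the four KafkaTopic resources deleted here each pinned `partitions: 10`, `replicas: 2`, `retention.ms: 7200000` and `segment.bytes: 1073741824`, while the replacement `kafkaTopic` list in values.yaml carries only `name` entries. Those settings now come from whatever the `common.kafkatopic` template defaults to, which this change does not show. If the two-hour retention on the request and audit topics is a requirement, set it explicitly in the new values where the common template allows it, or record the changed defaults in the commit message so operators upgrading an existing release know the topic configuration may differ.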
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml deleted file mode 100644 index 65ee1d2a96..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.kafkaRequestConsumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestConsumer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestProducer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditRequest.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditResponse.topic }} - operation: All -{{ end }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index 1e4f5e10a0..c00d12fe74 100755 
--- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,38 +18,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} strategy: type: RollingUpdate rollingUpdate: - # This allow a new pod to be ready before terminating the old one + # This allows a new pod to be ready before terminating the old one # causing no downtime when replicas is set to 1 maxUnavailable: 0 - # maxSurge to 1 is very important for the hazelcast integration # we only want one pod at a time to restart not multiple # and break the hazelcast cluster. We should not use % maxSurge value # ref : https://hazelcast.com/blog/rolling-upgrade-hazelcast-imdg-on-kubernetes/ maxSurge: 1 template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: 
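Review bot: `spec.selector` changes from the literal `matchLabels: app: {{ include "common.name" . }}` to `{{- include "common.selectors" . | nindent 4 }}`, and the selector of an apps/v1 Deployment is immutable. If the helper renders different labels (service.yaml in this same change now selects on `app.kubernetes.io/instance` and `app.kubernetes.io/name`), an in-place `helm upgrade` of an existing release will be rejected by the API server. Please document in the release notes that the existing Deployment has to be deleted before upgrading, or confirm that the rendered selector is unchanged.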
@@ -75,21 +62,6 @@ spec: name: {{ include "common.name" . }}-update-config - command: - - /app/ready.py - args: - - --container-name - - cds-db - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - name: fix-permission - command: - chown - -R - 1000:1000 @@ -99,6 +71,8 @@ spec: volumeMounts: - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints + name: fix-permission + containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -110,8 +84,6 @@ spec: value: {{ if (gt (int (.Values.replicaCount)) 2) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} - name: CLUSTER_ID value: {{ .Values.cluster.clusterName }} - - name: AAF_CREDSPATH - value: {{ .Values.certInitializer.credsPath }} - name: CLUSTER_NODE_ID valueFrom: fieldRef: @@ -122,10 +94,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "login") | indent 12 }} - name: CPS_PASS_PLAIN {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "password") | indent 12 }} - {{ if .Values.useStrimziKafka }} - - name: JAAS_PASS - value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-kafka-secret" "key" "password") | indent 12 }} - {{ end }} + - name: SASL_JAAS_PASS + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: password ports: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} 
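Review bot: the new `SASL_JAAS_PASS` entry reads its Secret through `secretKeyRef` with `name: {{ include "common.name" . }}-ku`, and the same `-ku` literal is repeated for every `scramUsername` in application.properties; nothing visible here ties either string to the name `common.kafkauser` gives the KafkaUser. Deriving all three from one named template would keep the username, the Secret reference and the KafkaUser from drifting apart. Also note that the `{{ if .Values.useStrimziKafka }}` guard is gone and the reference is not marked `optional`, so the container cannot start until that Secret exists; a short comment on the env entry saying that the Secret is expected to be created for the KafkaUser would help whoever debugs a pod that stays in a config error state.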
@@ -133,7 +106,7 @@ spec: startupProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.startup.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -146,7 +119,7 @@ spec: livenessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.liveness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -157,17 +130,14 @@ spec: readinessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.readiness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: {{ .Values.config.appConfigDir }}/application.properties name: processed-config subPath: application.properties @@ -180,15 +150,9 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/hazelcast.yaml name: {{ include "common.fullname" . }}-config subPath: hazelcast.yaml - - - mountPath: {{ .Values.config.appConfigDir }}/ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-config - subPath: ONAP_RootCA.cer - - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -198,10 +162,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -214,13 +175,10 @@ spec: path: logback.xml - key: hazelcast.yaml path: hazelcast.yaml - - key: ONAP_RootCA.cer - path: ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints - name: processed-config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} 
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml index 153740c553..a841811dd1 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada +# Modification Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,19 +25,15 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.http.type }} ports: - port: {{ .Values.service.http.externalPort }} targetPort: {{ .Values.service.http.internalPort }} - {{- if eq .Values.service.http.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.http.nodePort }} - {{- end}} - name: {{ .Values.service.http.portName | default "http" }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.http.portName | default "http" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service @@ -48,7 +45,6 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.grpc.type }} ports: @@ -56,8 +52,8 @@ spec: targetPort: {{ .Values.service.grpc.internalPort }} name: {{ .Values.service.grpc.portName | default "grpc" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service 
@@ -69,16 +65,13 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.cluster.type }} + clusterIP: None ports: - port: {{ .Values.service.cluster.externalPort }} targetPort: {{ .Values.service.cluster.internalPort }} - {{- if eq .Values.service.cluster.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.cluster.nodePort }} - {{- end}} name: {{ .Values.service.cluster.portName | default "cluster" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index 023bf4917b..b0812f26b8 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,20 +18,24 @@ # Global configuration defaults. ################################################################# global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefixExt: 304 - + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: true + globalCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera # image pull policy pullPolicy: Always - persistence: mountPath: /dockerdata-nfs - # This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - # This concerns CDS/AAI communication through HTTP when TLS is not being needed # Port value should match the one in aai/values.yml : service.externalPlainPort aaiData: @@ -39,9 +43,6 @@ global: ServiceName: aai # domain # http://aai:80 or https://aai:443 - #AAF is enabled by default - #aafEnabled: true - #enable importCustomCerts to add custom CA to blueprint processor pod #importCustomCertsEnabled: true @@ -65,13 +66,6 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.sdncDB.dbRootPassExternalSecret) . }}' password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required - - uid: cds-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: password - value: '{{ .Values.config.someConfig }}' - policy: generate - uid: cps-creds type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.cps.cpsUserExternalSecret) . }}' 
@@ -79,36 +73,11 @@ secrets: password: '{{ .Values.config.cps.cpsPassword }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: cds-blueprints-processor-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: sdnc-cds - fqi: sdnc-cds@sdnc-cds.onap.org - public_fqdn: sdnc-cds.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.sdnc-cds - #enable below if we need custom CA to be added to blueprint processor pod - #importCustomCertsEnabled: true - #truststoreMountpath: /opt/onap/cds - #truststoreOutputFileName: truststoreONAPall.jks - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-blueprintsprocessor:1.3.0 +image: onap/ccsdk-blueprintsprocessor:1.5.3 pullPolicy: Always # flag to enable debugging - application support required @@ -132,7 +101,6 @@ config: # dbCredsExternalSecret: # dbRootPassword: password # dbRootPassExternalSecret - someConfig: blah cps: cpsUsername: '' cpsPassword: '' 
@@ -145,46 +113,52 @@ nodeSelector: {} affinity: {} -# If useStrimziKafka is true, the following also applies: -# strimzi will create an associated kafka user and the topics defined for Request and Audit elements below. -# The connection type must be kafka-scram-plain-text-auth -# The bootstrapServers will target the strimzi kafka cluster by default -useStrimziKafka: false -cdsKafkaUser: cds-kafka-user +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: cds-bp-processor + type: group + operations: [Read] + - name: cds.blueprint-processor + type: topic + patternType: prefix + operations: [Read, Write] +# Strimzi KafkaTopic config +kafkaTopic: + - name: cds.blueprint-processor.self-service-api.request + - name: cds.blueprint-processor.self-service-api.response + - name: cds.blueprint-processor.self-service-api.audit.request + - name: cds.blueprint-processor.self-service-api.audit.response + + +containerHttpPort: &svc_http_port 8080 +containerGrpcPort: &svc_grpc_port 9111 +containerTcpPort: &svc_tcp_port 5701 -kafkaRequestConsumer: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - groupId: cds-consumer - topic: cds.blueprint-processor.self-service-api.request - clientId: request-receiver-client-id - pollMillSec: 1000 -kafkaRequestProducer: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: request-producer-client-id - topic: cds.blueprint-processor.self-service-api.response - enableIdempotence: false -kafkaAuditRequest: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-request-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.request - enableIdempotence: false -kafkaAuditResponse: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-response-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.response - enableIdempotence: false +service: + http: + type: ClusterIP + 
portName: http + internalPort: *svc_http_port + externalPort: *svc_http_port + grpc: + type: ClusterIP + portName: grpc + internalPort: *svc_grpc_port + externalPort: *svc_grpc_port + cluster: + type: ClusterIP + portName: tcp-cluster + internalPort: *svc_tcp_port + externalPort: *svc_tcp_port + port: *svc_http_port # probe configuration parameters startup: initialDelaySeconds: 10 failureThreshold: 30 periodSeconds: 10 + port: *svc_http_port liveness: initialDelaySeconds: 1 @@ -193,28 +167,13 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: false + port: *svc_http_port readiness: initialDelaySeconds: 120 periodSeconds: 10 timeoutSeconds: 20 - -service: - http: - type: ClusterIP - portName: http - internalPort: 8080 - externalPort: 8080 - grpc: - type: ClusterIP - portName: grpc - internalPort: 9111 - externalPort: 9111 - cluster: - type: ClusterIP - portName: tcp-cluster - internalPort: 5701 - externalPort: 5701 + port: *svc_http_port persistence: volumeReclaimPolicy: Retain @@ -227,9 +186,7 @@ persistence: cluster: # Cannot have cluster enabled if the replicaCount is not at least 3 enabled: false - clusterName: cds-cluster - # Defines the number of node to be part of the CP subsystem/raft algorithm. This value should be # between 3 and 7 only. groupSize: 3 @@ -237,7 +194,7 @@ cluster: ingress: enabled: false service: - - baseaddr: "blueprintsprocessorhttp" + - baseaddr: "cds-blueprintsprocessor-api" name: "cds-blueprints-processor-http" port: 8080 config: 
@@ -257,20 +214,25 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1.8Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "1.8Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "3.6Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "3.6Gi" unlimited: {} +readinessCheck: + wait_for: + services: + - '{{ .Values.global.mariadbGalera.service }}' + #Pods Service Account serviceAccount: nameOverride: cds-blueprints-processor @@ -280,3 +242,11 @@ serviceAccount: # workflow store flag workflow: storeEnabled: false + +tracing: + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ignorePatterns: + - .*/execution-service/health-check diff --git a/kubernetes/cds/components/cds-command-executor/Chart.yaml b/kubernetes/cds/components/cds-command-executor/Chart.yaml index 6749d8d9e8..eaa1e8de9e 100755 --- a/kubernetes/cds/components/cds-command-executor/Chart.yaml +++ b/kubernetes/cds/components/cds-command-executor/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS Command Executor name: cds-command-executor -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml index da835162e7..07736cfa1e 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml 
@@ -16,31 +16,19 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: - /app/ready.py args: - - --container-name - - cds-blueprints-processor + - --service-name + - cds-blueprints-processor-http env: - name: NAMESPACE valueFrom: 
@@ -51,39 +39,41 @@ spec: - name: PROMETHEUS_METRICS_ENABLED value: {{ .Values.metrics.serviceMonitor.enabled | quote }} - name: PROMETHEUS_PORT - value: {{ .Values.service.metrics.internalPort | quote }} + value: {{ .Values.metrics.serviceMonitor.internalPort | quote }} {{ end }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.grpc.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ .Values.service.grpc.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end }} readinessProbe: tcpSocket: - port: {{ .Values.service.grpc.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -94,9 +84,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-blueprints {{- if .Values.persistence.enabled }} persistentVolumeClaim: @@ -104,5 +91,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-command-executor/templates/service.yaml b/kubernetes/cds/components/cds-command-executor/templates/service.yaml index 7540728ee9..c131358663 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/service.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright (c) 2019 Bell Canada +# Copyright (C) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,34 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.grpc.externalPort }} - targetPort: {{ .Values.service.grpc.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.grpc.portName | default "grpc" }} - {{- if .Values.metrics.serviceMonitor.enabled }} - - port: {{ .Values.service.metrics.externalPort }} - targetPort: {{ .Values.service.metrics.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.metrics.portName | default "metrics" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/cds/components/cds-command-executor/values.yaml b/kubernetes/cds/components/cds-command-executor/values.yaml index e2511401f3..e517d8bdbf 100755 --- a/kubernetes/cds/components/cds-command-executor/values.yaml +++ b/kubernetes/cds/components/cds-command-executor/values.yaml @@ -32,7 +32,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-commandexecutor:1.3.0 +image: onap/ccsdk-commandexecutor:1.5.3 pullPolicy: Always # application configuration 
@@ -62,14 +62,13 @@ readiness: service: type: ClusterIP - grpc: - portName: grpc - internalPort: 50051 - externalPort: 50051 - metrics: - portName: tcp-metrics - internalPort: 10005 - externalPort: 10005 + name: cds-command-executor + internalPort: 50051 + ports: + - name: grpc + port: 50051 + - name: &metricsPortname tcp-metrics + port: &metricsPort 10005 persistence: enabled: false @@ -82,18 +81,18 @@ ingress: resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "400Mi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "400Mi" unlimited: {} #Pods Service Account @@ -105,7 +104,8 @@ serviceAccount: metrics: serviceMonitor: enabled: false - port: tcp-metrics + port: *metricsPortname + internalPort: *metricsPort path: /actuator/prometheus basicAuth: enabled: false diff --git a/kubernetes/cds/components/cds-py-executor/Chart.yaml b/kubernetes/cds/components/cds-py-executor/Chart.yaml index cf09b56b96..ea1723c31c 100755 --- a/kubernetes/cds/components/cds-py-executor/Chart.yaml +++ b/kubernetes/cds/components/cds-py-executor/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS Py Executor name: cds-py-executor -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml index 754e0d0f50..1376eb7b37 100755 --- a/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml 
@@ -63,9 +63,6 @@ spec: - name: ARTIFACT_MANAGER_SERVER_LOG_FILE value: {{ .Values.config.artifactManagerLogFile }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints resources: @@ -80,14 +77,10 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime # Py executor shares the blueprintsprocessor storage (for now) to # share uploaded CBA files. In the future it will be deprecated # when all parts of the CDS will make use of Artifact Manager - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-py-executor/values.yaml b/kubernetes/cds/components/cds-py-executor/values.yaml index a1eb0a0818..f3d712e7c1 100755 --- a/kubernetes/cds/components/cds-py-executor/values.yaml +++ b/kubernetes/cds/components/cds-py-executor/values.yaml @@ -30,7 +30,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-py-executor:1.3.0 +image: onap/ccsdk-py-executor:1.5.3 pullPolicy: Always # default number of instances @@ -97,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "400Mi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "400Mi" unlimited: {} #Pods Service Account 
diff --git a/kubernetes/cds/components/cds-sdc-listener/Chart.yaml b/kubernetes/cds/components/cds-sdc-listener/Chart.yaml index 14cd147255..dc5fef287a 100755 --- a/kubernetes/cds/components/cds-sdc-listener/Chart.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS SDC listener microservice name: cds-sdc-listener -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml b/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml index 3710f5f510..fe4edc7779 100644 --- a/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml 
@@ -1,20 +1,19 @@ listenerservice: config: - asdcAddress: sdc-be.{{include "common.namespace" .}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }} #SDC-BE + sdcAddress: sdc-be.{{include "common.namespace" .}}:8080 #SDC-BE messageBusAddress: message-router.{{include "common.namespace" .}} #Message-Router user: cds #SDC-username password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U #SDC-password pollingInterval: 15 pollingTimeout: 60 relevantArtifactTypes: TOSCA_CSAR - consumerGroup: cds + consumerGroup: {{ (first .Values.kafkaUser.acls).name }} + consumerId: {{ (first .Values.kafkaUser.acls).name }}-sdc-listener environmentName: AUTO - consumerId: cds keyStorePassword: keyStorePath: activateServerTLSAuth : false - isUseHttpsWithDmaap: false - isUseHttpsWithSDC: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + isUseHttpsWithSDC: false archivePath: /opt/app/onap/sdc-listener/ grpcAddress: cds-blueprints-processor-grpc grpcPort: 9111 diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml index 3a6d76165b..6922b24c8e 100644 --- a/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright (c) 2019 Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -13,38 +14,23 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: - /app/ready.py args: - - --container-name + - --service-name - sdc-be - - --container-name - - message-router - - --container-name - - cds-blueprints-processor + - --service-name + - cds-blueprints-processor-http env: - name: NAMESPACE valueFrom: @@ -54,6 +40,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -61,21 +54,24 @@ spec: env: - name: APP_CONFIG_HOME value: {{ .Values.config.appConfigDir }} - ports: - - containerPort: {{ .Values.service.http.internalPort }} - name: {{ .Values.service.http.portName }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + ports: {{- include "common.containerPorts" . | nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: httpGet: path: /api/v1/sdclistener/healthcheck - port: {{ .Values.service.http.portName }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{end}} readinessProbe: httpGet: path: /api/v1/sdclistener/healthcheck - port: {{ .Values.service.http.portName }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: @@ -85,8 +81,7 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/logback.xml name: {{ include "common.fullname" . }}-config subPath: logback.xml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -105,5 +100,4 @@ spec: path: application.yaml - key: logback.xml path: logback.xml - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml index 42bd2b33e9..e62653fff2 100644 --- a/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright (c) 2019 Bell Canada +# Copyright (c) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -13,25 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.http.externalPort }} - targetPort: {{ .Values.service.http.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.http.portName | default "http" }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-sdc-listener/values.yaml b/kubernetes/cds/components/cds-sdc-listener/values.yaml index 1499ad5b04..4658b578bf 100644 --- a/kubernetes/cds/components/cds-sdc-listener/values.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/values.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2019 Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -29,14 +30,23 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-sdclistener:1.3.0 +image: onap/ccsdk-sdclistener:1.5.3 name: sdc-listener pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false -# application configuration +kafkaUser: + acls: + - name: cds + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + config: appConfigDir: /opt/app/onap/config @@ -61,10 +71,11 @@ readiness: service: type: ClusterIP - http: - portName: http - internalPort: 8080 - externalPort: 8080 + name: cds-sdc-listener + internalPort: 8080 + ports: + - name: http + port: 8080 persistence: enabled: true @@ -86,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "700Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "700Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "1.4Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1.4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/cds/components/cds-ui/Chart.yaml b/kubernetes/cds/components/cds-ui/Chart.yaml index c356a0f9b0..51485b76e1 100644 --- a/kubernetes/cds/components/cds-ui/Chart.yaml +++ b/kubernetes/cds/components/cds-ui/Chart.yaml @@ -17,18 +17,15 @@ apiVersion: v2 description: ONAP CDS UI name: cds-ui -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-ui/templates/deployment.yaml b/kubernetes/cds/components/cds-ui/templates/deployment.yaml index 6457ce3736..a58f1d9e29 100644 
--- a/kubernetes/cds/components/cds-ui/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-ui/templates/deployment.yaml @@ -17,35 +17,18 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.fullname" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{- include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -58,6 +41,8 @@ spec: env: - name: HOST value: 0.0.0.0 + - name: PROTOCOL + value: "{{ .Values.config.env.protocol }}" - name: APP_ACTION_DEPLOY_BLUEPRINT_GRPC_ENABLED value: "{{ .Values.config.app.action.deployBlueprint.grpcEnabled }}" - name: API_BLUEPRINT_CONTROLLER_HTTP_BASE_URL 
@@ -74,23 +59,12 @@ spec: value: "{{ .Values.config.api.processor.grpc.port }}" - name: API_BLUEPRINT_PROCESSOR_GRPC_AUTH_TOKEN value: {{ .Values.config.api.processor.grpc.authToken }} - {{- if .Values.global.aafEnabled }} - - name: KEYSTORE - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12" - - name: PASSPHRASE - value: "{{ .Values.certInitializer.credsPath }}/mycreds.prop" - {{- end }} readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -100,9 +74,4 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-ui/templates/service.yaml b/kubernetes/cds/components/cds-ui/templates/service.yaml index bfc3e30c84..e62653fff2 100644 --- a/kubernetes/cds/components/cds-ui/templates/service.yaml +++ b/kubernetes/cds/components/cds-ui/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2017 Amdocs, Bell Canada, Orange +# Copyright (c) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,28 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}-{{ .Values.service.internalPort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-ui/values.yaml b/kubernetes/cds/components/cds-ui/values.yaml index 14fc014920..7a25bea4c7 100644 --- a/kubernetes/cds/components/cds-ui/values.yaml +++ b/kubernetes/cds/components/cds-ui/values.yaml 
@@ -22,33 +22,14 @@ global: subChartsOnly: enabled: true -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: cds-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: sdnc-cds - fqi: sdnc-cds@sdnc-cds.onap.org - public_fqdn: sdnc-cds.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.sdnc-cds - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop - # application image -image: onap/ccsdk-cds-ui-server:1.3.0 +image: onap/ccsdk-cds-ui-server:1.5.3 pullPolicy: Always # application configuration config: + env: + protocol: HTTP app: action: deployBlueprint: @@ -94,15 +75,18 @@ readiness: service: type: NodePort - portName: cds-ui name: cds-ui - nodePort: 97 internalPort: 3000 + ports: + - name: http + port: 3000 + nodePort: 97 + useNodePortExt: true ingress: enabled: false service: - - baseaddr: "cdsui" + - baseaddr: "cds-ui" name: "cds-ui" port: 3000 config: @@ -114,18 +98,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 10m - memory: 100Mi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "200Mi" requests: - cpu: 200m - memory: 200Mi + cpu: "1" + memory: "200Mi" unlimited: {} #Pods Service Account diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index 58e6b65c6f..ced4f1d930 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml 
@@ -1,7 +1,7 @@ # Copyright © 2020 Samsung Electronics # Copyright © 2019 Orange, Bell Canada # Copyright © 2017 Amdocs, Bell Canada -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,20 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - cdsKafkaUser: cds-kafka-user + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: true + globalCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: + ################################################################# # Secrets metaconfig @@ -42,7 +55,6 @@ secrets: # application images pullPolicy: Always - subChartsOnly: enabled: true 
@@ -80,132 +92,15 @@ mariadb-galera: name: &mysqlDbName sdnctl nameOverride: &dbServer cds-db replicaCount: 1 + mariadbOperator: + galera: + enabled: false persistence: enabled: true mountSubPath: cds/data serviceAccount: nameOverride: *dbServer - mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin - - [mysqld] - lower_case_table_names = 1 - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 - - ## Character set - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 - - ## MyISAM - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP - - ## Safety - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY - sysdate_is_now=1 - - ## Binary Logging - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row - - ## Caches and Limits - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 - - ## InnoDB - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - 
innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. - # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda - - ## Logging - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 - - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem - - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON - - [mariadb] - plugin_load_add=auth_pam - - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON - - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 - - ## Aria Encryption - # aria_encrypt_tables=ON - # encrypt_tmp_disk_tables=ON - cds-blueprints-processor: enabled: true config: 
@@ -214,7 +109,6 @@ cds-blueprints-processor: dbPort: 3306 dbName: *mysqlDbName dbCredsExternalSecret: *dbUserSecretName - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafkaUser }}' cds-command-executor: enabled: true @@ -228,24 +122,22 @@ cds-sdc-listener: cds-ui: enabled: true - #Resource Limit flavor -By Default using small flavor: small -#segregation for different envionment (Small and Large) - +#segregation for different environment (Small and Large) resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} diff --git a/kubernetes/cli/Chart.yaml b/kubernetes/cli/Chart.yaml index 1432f750f5..956a923e0d 100644 --- a/kubernetes/cli/Chart.yaml +++ b/kubernetes/cli/Chart.yaml @@ -17,21 +17,18 @@ apiVersion: v2 description: ONAP Command Line Interface name: cli -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cli/resources/configuration/lighttpd.conf b/kubernetes/cli/resources/configuration/lighttpd.conf index 0809868b35..f1735a1e5d 100644 --- a/kubernetes/cli/resources/configuration/lighttpd.conf +++ b/kubernetes/cli/resources/configuration/lighttpd.conf 
@@ -1,6 +1,7 @@ {{/* # Copyright 2018 Huawei Technologies Co., Ltd. # Copyright 2021 Huawei Technologies Co., Ltd. +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,9 +19,7 @@ server.document-root = "/var/www-data/servers/open-cli/" server.username = "www-data" server.groupname = "www-data" -server.port = 443 -ssl.engine = "enable" -ssl.pemfile = "{{ .Values.certInitializer.credsPath }}/certs/fullchain.pem" +server.port = {{ .Values.containerPort }} mimetype.assign = ( ".html" => "text/html", @@ -38,18 +37,8 @@ server.modules = ( "mod_proxy", "mod_alias", "mod_compress", - "mod_redirect", -# "mod_rewrite", + "mod_redirect" ) -#server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) server.errorlog = "/var/log/lighttpd/error.log" server.pid-file = "/var/run/lighttpd.pid" -#compress.cache-dir = "/var/cache/lighttpd/compress/" -#compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) - -# default listening port for IPv6 falls back to the IPv4 port -## Use ipv6 if available -#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port -#include_shell "/usr/share/lighttpd/create-mime.assign.pl" -#include_shell "/usr/share/lighttpd/include-conf-enabled.pl" \ No newline at end of file diff --git a/kubernetes/cli/templates/NOTES.txt b/kubernetes/cli/templates/NOTES.txt deleted file mode 100644 index f3fe9c9d55..0000000000 --- a/kubernetes/cli/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/cli/templates/configmap.yaml b/kubernetes/cli/templates/configmap.yaml index ae515a0ec5..a4c636f0e4 100644 --- a/kubernetes/cli/templates/configmap.yaml +++ b/kubernetes/cli/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,13 +17,6 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-lighttpd - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: -{{ tpl (.Files.Glob "resources/configuration/*").AsConfig . | indent 2 }} \ No newline at end of file +{{ tpl (.Files.Glob "resources/configuration/*").AsConfig . | indent 2 }} diff --git a/kubernetes/cli/templates/deployment.yaml b/kubernetes/cli/templates/deployment.yaml index 0a3f967eee..9f8d71c332 100644 --- a/kubernetes/cli/templates/deployment.yaml +++ b/kubernetes/cli/templates/deployment.yaml 
@@ -16,57 +16,41 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort1 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - name: lighttpd - mountPath: "/etc/lighttpd/lighttpd.conf" + mountPath: /etc/lighttpd/lighttpd.conf subPath: lighttpd.conf readOnly: true env: - name: OPEN_CLI_MODE value: "{{ .Values.config.climode }}" - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -76,9 +60,8 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: lighttpd configMap: - name: {{ include "common.fullname" . }}-lighttpd - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + name: {{ include "common.fullname" . }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cli/templates/ingress.yaml b/kubernetes/cli/templates/ingress.yaml index 8f87c68f1e..0deb6ce481 100644 --- a/kubernetes/cli/templates/ingress.yaml +++ b/kubernetes/cli/templates/ingress.yaml 
@@ -1 +1,16 @@ +{{/* +# Modifications Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} {{ include "common.ingress" . }} diff --git a/kubernetes/cli/templates/service.yaml b/kubernetes/cli/templates/service.yaml index eaa85086b3..b33db211f9 100644 --- a/kubernetes/cli/templates/service.yaml +++ b/kubernetes/cli/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,36 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort1 }} - targetPort: {{ .Values.service.internalPort1 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort1 }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort1 }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort1 }} - targetPort: {{ .Values.service.internalPort1 }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort1 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/cli/values.yaml b/kubernetes/cli/values.yaml index 58c649c326..8ad2240ee4 100644 --- a/kubernetes/cli/values.yaml +++ b/kubernetes/cli/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,63 +17,45 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: cli-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "cli" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.cli" - fqi: "cli@cli.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ - -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ - -alias ca_local_0 \ - -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** generating needed file" - cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.pem \ - {{ .Values.credsPath }}/certs/cacert.pem \ - > {{ .Values.credsPath }}/certs/fullchain.pem; - cat {{ .Values.credsPath }}/certs/fullchain.pem - echo "*** change ownership of certificates to targeted user" - chown -R 33 {{ .Values.credsPath }} - - + persistence: {} ################################################################# # Application configuration defaults. 
################################################################# # application image image: onap/cli:6.0.1 -pullPolicy: Always +pullPolicy: IfNotPresent + +# flag to enable debugging - application support required +debugEnabled: false + +nodeSelector: {} +affinity: {} + +# Resource Limit flavor -By Default using small flavor: small +# default number of instances +replicaCount: 1 # application configuration config: climode: daemon -# default number of instances -replicaCount: 1 - -nodeSelector: {} +containerPort: &svc_port 8080 +service: + type: ClusterIP + name: cli + ports: + - name: http + port: *svc_port + targetPort: *svc_port -affinity: {} +ingress: + enabled: true + service: + - baseaddr: "cli-api" + path: "/" + name: "cps" + port: *svc_port # probe configuration parameters liveness: @@ -81,50 +64,33 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true + port: *svc_port + path: / readiness: initialDelaySeconds: 10 periodSeconds: 10 + port: *svc_port + path: / -service: - type: NodePort - name: cli - externalPort: 443 - externalPort1: 9443 - internalPort: "443" - internalPort1: 9443 - nodePort: "60" - nodePort1: "71" - -ingress: - enabled: false - service: - - baseaddr: "cli.api" - name: "cli" - port: 443 - - baseaddr: "cli2.api" - name: cli - port: 9443 - config: - ssl: "redirect" # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index 6d5d9365b7..2fce88fe84 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile 
@@ -20,19 +20,37 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets COMMON_CHARTS_DIR := common EXCLUDES := -PROCESSED_LAST := cert-wrapper repository-wrapper -PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer -TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST) +PROCESSED_LAST := repository-wrapper +PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount cmpv2Config +TO_FILTER := $(COMMON_CHARTS_DIR) $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST) HELM_BIN := helm -HELM_CHARTS := $(PROCESSED_FIRST) $(filter-out $(TO_FILTER), $(sort $(patsubst %/.,%,$(wildcard */.)))) $(PROCESSED_LAST) +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(TO_FILTER), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") .PHONY: $(HELM_CHARTS) $(TO_FILTER) -all: $(COMMON_CHARTS_DIR) $(HELM_CHARTS) +all: $(COMMON_CHARTS_DIR) $(PROCESSED_FIRST) $(HELM_CHARTS) $(PROCESSED_LAST) + +$(COMMON_CHARTS_DIR): + @echo "\n[$@]" + @make package-$@ + +$(PROCESSED_FIRST): $(COMMON_CHARTS_DIR) + @echo "\n[$@]" + @make package-$@ -$(HELM_CHARTS): +$(HELM_CHARTS): $(PROCESSED_FIRST) + @echo "\n[$@]" + @make package-$@ + +$(PROCESSED_LAST): $(HELM_CHARTS) @echo "\n[$@]" @make package-$@ 
@@ -43,16 +61,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/common/cassandra/Chart.yaml b/kubernetes/common/cassandra/Chart.yaml index 8095acbddd..ee3f4e5355 100644 --- a/kubernetes/common/cassandra/Chart.yaml +++ b/kubernetes/common/cassandra/Chart.yaml @@ -18,15 +18,16 @@ apiVersion: v2 description: ONAP cassandra name: cassandra -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../serviceAccount' + condition: global.cassandra.enableServiceAccount \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/backup/configmap.yaml b/kubernetes/common/cassandra/templates/backup/configmap.yaml index 9bbc69ba04..2c85a1a01f 100644 --- a/kubernetes/common/cassandra/templates/backup/configmap.yaml +++ b/kubernetes/common/cassandra/templates/backup/configmap.yaml 
@@ -13,6 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.backup.enabled }} apiVersion: v1 kind: ConfigMap @@ -28,3 +29,4 @@ data: {{ tpl (.Files.Glob "resources/restore.sh").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/exec.py").AsConfig . | indent 2 }} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml index 27f3cc690d..6db1202b4f 100644 --- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml +++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} apiVersion: batch/v1beta1 kind: CronJob metadata: @@ -37,7 +39,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --app-name - {{ include "common.name" . }} env: - name: NAMESPACE @@ -48,9 +50,23 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - name: "cassandra-backup-init" image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" command: - /bin/bash - -c @@ -132,9 +148,6 @@ spec: apiVersion: v1 fieldPath: metadata.namespace volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true {{- range $i := until (int .Values.replicaCount)}} - mountPath: /onap-data/cassandra-{{ $i }} name: data-dir-{{ $i }} 
@@ -223,13 +236,7 @@ spec: volumeMounts: - name: backup-dir mountPath: /backup - - name: localtime - mountPath: /etc/localtime - readOnly: true volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: scripts configMap: name: {{ include "common.fullname" . }}-configmap @@ -243,3 +250,4 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-backup-data {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/backup/pv.yaml b/kubernetes/common/cassandra/templates/backup/pv.yaml index 10c310077b..e7218fae7d 100644 --- a/kubernetes/common/cassandra/templates/backup/pv.yaml +++ b/kubernetes/common/cassandra/templates/backup/pv.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if eq "True" (include "common.needPV" .) -}} --- @@ -39,3 +41,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/backup/pvc.yaml b/kubernetes/common/cassandra/templates/backup/pvc.yaml index 6fd53618bc..56b3ba8b02 100644 --- a/kubernetes/common/cassandra/templates/backup/pvc.yaml +++ b/kubernetes/common/cassandra/templates/backup/pvc.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} --- kind: PersistentVolumeClaim @@ -39,3 +41,4 @@ spec: storageClassName: {{ include "common.storageClass" . }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml new file mode 100644 index 0000000000..9f463adf08 --- /dev/null +++ b/kubernetes/common/cassandra/templates/cassOp.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.cassandra.useOperator }} +{{ include "common.k8ssandraCluster" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml index ab08c82fef..5510986e54 100644 --- a/kubernetes/common/cassandra/templates/configmap.yaml +++ b/kubernetes/common/cassandra/templates/configmap.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.configOverrides }} apiVersion: v1 kind: ConfigMap @@ -25,3 +26,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/ingress.yaml b/kubernetes/common/cassandra/templates/ingress.yaml new file mode 100644 index 0000000000..97d6155a09 --- /dev/null +++ b/kubernetes/common/cassandra/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml index a0d998cd07..d18e51d2f4 100644 --- a/kubernetes/common/cassandra/templates/pv.yaml +++ b/kubernetes/common/cassandra/templates/pv.yaml @@ -13,5 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - +{{- if not .Values.global.cassandra.useOperator }} {{ include "common.replicaPV" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml new file mode 100644 index 0000000000..5a611a9bef --- /dev/null +++ b/kubernetes/common/cassandra/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2019 Samsung Electronics +# Copyright © 2019-2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.cassandra.useOperator }} +{{ include "common.secretFast" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml index 8934d41c33..8b2e534a5f 100644 --- a/kubernetes/common/cassandra/templates/service.yaml +++ b/kubernetes/common/cassandra/templates/service.yaml @@ -14,4 +14,6 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{ include "common.headlessService" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml index 5297e692d2..078107393a 100644 --- a/kubernetes/common/cassandra/templates/servicemonitor.yaml +++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 43367ee542..ddaff5c7c0 100644 
--- a/kubernetes/common/cassandra/templates/statefulset.yaml +++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -26,19 +27,9 @@ spec: type: {{ .Values.updateStrategy.type }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if or .Values.podAnnotations (and .Values.metrics.serviceMonitor.enabled .Values.metrics.podAnnotations) }} - annotations: - {{- if .Values.podAnnotations }} - {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplValue" (dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- end }} spec: hostNetwork: {{ .Values.hostNetwork }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -47,9 +38,6 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-data mountPath: /var/lib/cassandra - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: cassandra-entrypoint mountPath: /docker-entrypoint.sh subPath: docker-entrypoint.sh @@ -178,9 +166,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{- range $key, $value := .Values.configOverrides }} - name: cassandra-config-{{ $key | replace "." "-" }} configMap: @@ -214,3 +199,4 @@ spec: requests: storage: {{ .Values.persistence.size | quote }} {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index 7d017f266b..0ab1f0961c 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml @@ -21,6 +21,65 @@ global: # global defaults mountPath: /dockerdata-nfs backup: mountPath: /dockerdata-nfs/backup + cassandra: + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + +k8ssandraOperator: + cassandraVersion: 4.1.3 + persistence: + #storageClassName: default + size: 10Gi + config: + clusterName: cassandra + secretName: &secretName cassandra-default-user + superuserName: &superusername cassandra + superuserPassword: &superuserpassword cassandra + casOptions: + authorizer: AllowAllAuthorizer + read_request_timeout: 10000ms + write_request_timeout: 10000ms + counter_write_request_timeout: 15000ms + jvmOptions: + heap_initial_size: 512M + heap_max_size: 8192M + hostNetwork: false + datacenters: + - name: dc1 + size: 3 + reaper: + enabled: true + stargate: + enabled: false + tag: v1.0.77 + size: 1 + jvmOptions: + heapSize: 384Mi + +################################################################# +# Secrets metaconfig +# used to store the default superuser for k8ssandra-operator +################################################################# +secrets: + - uid: *secretName + type: genericKV + externalSecret: '{{ tpl (default "" .Values.k8ssandraOperator.config.userCredentialsExternalSecret) . }}' + envs: + - name: username + value: *superusername + - name: password + value: *superuserpassword + +ingress: + enabled: false + service: + - baseaddr: "reaper-dc1" + path: "/webui" + name: "cassandra-dc1-reaper-service" + port: 8080 # application image image: cassandra:3.11.4 
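Review bot: `superuserPassword: &superuserpassword cassandra` under `k8ssandraOperator.config` makes the stock `cassandra`/`cassandra` superuser the chart default while `useOperator: true` is also the default, and `authorizer: AllowAllAuthorizer` next to it means no per-role permission checks. Suggest shipping no default password and requiring either an explicit override or `userCredentialsExternalSecret`. That key is read by the `secrets` block but is not listed (even commented out) under `config`, so operators get no hint it exists. The comment above `enableServiceAccount: false` is also missing the closing quote after `enableServiceAccount`.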
@@ -33,8 +92,8 @@ debugEnabled: false config: cluster_domain: cluster.local heap: - max: 2048M - min: 100M + max: 4096M + min: 200M jvmOpts: -Dcassandra.consistent.rangemovement=false clusterName: cassandra dataCenter: Pod @@ -101,16 +160,14 @@ service: podAnnotations: # sidecar.istio.io/inject: "false" - traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001" + traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001,7199,50051" traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001" + traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001,7199,50051" + podManagementPolicy: OrderedReady updateStrategy: type: RollingUpdate -ingress: - enabled: false - persistence: enabled: true @@ -152,11 +209,11 @@ configOverrides: {} # Minimum memory for production is 4 CPU cores and 8GB memory resources: limits: - cpu: 0.8 - memory: 4Gi + cpu: "2" + memory: "16Gi" requests: - cpu: 0.2 - memory: 2.5Gi + cpu: "0.2" + memory: "2.5Gi" backup: enabled: false cron: "00 00 * * *" diff --git a/kubernetes/common/cert-wrapper/Chart.yaml b/kubernetes/common/cert-wrapper/Chart.yaml deleted file mode 100644 index fbafd9a4f8..0000000000 --- a/kubernetes/common/cert-wrapper/Chart.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Wrapper chart to allow truststore to be shared among cert-initializer instances -name: cert-wrapper -version: 11.0.0 - -dependencies: - - name: certInitializer - version: ~11.x-0 - repository: 'file://../certInitializer' diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh deleted file mode 100755 index 96b0c0c0c8..0000000000 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/sh -{{/* - -# Copyright © 2020-2021 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -CERTS_DIR=${CERTS_DIR:-/certs} -MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs} -WORK_DIR=${WORK_DIR:-/updatedTruststore} -ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} -JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} -TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} -SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} - -mkdir -p $WORK_DIR - -# Decrypt and move relevant files to WORK_DIR -for f in $CERTS_DIR/*; do - export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') - export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') - if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then - # Dont use onap truststore when aaf is disabled - continue - fi - if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then - # Dont use onap truststore when aaf is disabled - continue - fi - if echo $f | grep '\.sh$' >/dev/null; then - continue - fi - if echo $f | grep '\.b64$' >/dev/null - then - base64 -d $f > $WORK_DIR/`basename $f .b64` - else - cp $f $WORK_DIR/. - fi -done - -for f in $MORE_CERTS_DIR/*; do - if echo $f | grep '\.pem$' >/dev/null; then - cp $f $WORK_DIR/. 
- fi -done - -# Prepare truststore output file -if [ "$AAF_ENABLED" = "true" ] - then - echo "AAF is enabled, use 'AAF' truststore" - export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} - else - echo "AAF is disabled, using JRE truststore" - cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -fi - -# Import Custom Certificates -for f in $WORK_DIR/*; do - if echo $f | grep '\.pem$' >/dev/null; then - echo "importing certificate: $f" - keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt - if [ $? != 0 ]; then - echo "failed importing certificate: $f" - exit 1 - fi - fi -done - -# Import certificates to Linux SSL Truststore -cp $CERTS_DIR/*.crt $SSL_WORKDIR/. -cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. -update-ca-certificates -if [ $? != 0 ] - then - echo "failed importing certificates" - exit 1 - else - cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. -fi diff --git a/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 b/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 deleted file mode 100644 index 71b6782c58..0000000000 --- a/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 +++ /dev/null 
@@ -1,30 +0,0 @@
diff --git a/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 b/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 deleted file mode 100644 index 4a92325b19..0000000000 --- a/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 +++ /dev/null
@@ -1,2733 +0,0 @@
-SUYgQTYyNjM0MDY4MB4XDTA5MDUyMDA4MzgxNVoXDTMwMTIzMTA4MzgxNVowUTELMAkGA1UE -BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVz -aW9uYWwgQ0lGIEE2MjYzNDA2ODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMqW -a47q+PvxojXgf0za4MNS1322EMgCXrNDKsRParLKHF0omngRGmlZV6+1IELkiw/m31umA5Iv -9RHkYtcycTjZBAxxqz1Rfg8H32MFXOm/lG/BKYLAtNpRsME8u603SlzK8Us2DiSrv8OEd/2o -UPSx58Yv0i1ZjXoKTpZpUgKqNpjs/PoUgww3H8mSN3/XgS3lxLngPjT+Z/Q+ZtHT9EDPXmI0 -D3AGPiAYWs73chslbJN0FJOjc7EOqocQI1lfIAUZR+1ojpISyl381iuykjwgz+FfryC+oHZ/ -duXsGoZhMz7ne7Q/oA+Oorlqb7mHJm9BbIimUP1qYwv1kxYbGY+y7ZubyZD1AQzfGT0PPjgj -yS+PDNEC/htV1k7QjTyvT6Tz/q8q0wWdeQihy1cxtJzIkLJn9BgWkzr8R9jReJYxH7orDF9d -ma1jiVokIHbY3/2rTqYiqp1e5ieKfWgpo+eKuNoRuxctmZ0TJEb3xeLYn45/x490bVqy6HL1 -rO4kEK0vFNr/LZpGcUe+Qt+7Adv0f9MojzFZW9PJAqa0Uspul/tDxQgmb4r0u/2fKKoN1UXz -Ezod2MB4j0FnPB6UZK57C8Xo2QGIORqXhmRB1TuHDG76D8a9SBS/OU3UnkG2j5YdY5aT2ZUG -eDFonjcGO4CJRWE5I8cbRKMV5Rz4kjC7AgMBAAGjge8wgewwEgYDVR0TAQH/BAgwBgEB/wIB -ATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGXN66s1HgA+ftV0wBy0c0cOGmQvMIGmBgNV -HSAEgZ4wgZswgZgGBFUdIAAwgY8wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuZmlybWFwcm9m -ZXNpb25hbC5jb20vY3BzMFwGCCsGAQUFBwICMFAeTgBQAGEAcwBlAG8AIABkAGUAIABsAGEA -IABCAG8AbgBhAG4AbwB2AGEAIAA0ADcAIABCAGEAcgBjAGUAbABvAG4AYQAgADAAOAAwADEA -NzANBgkqhkiG9w0BAQUFAAOCAgEAF32g+bTdxcXrrUsktaECq92liEqyD1VLK1eMO+Ux3f7E -MvHnW2SWNjIY7KUyd9fjRLbAESqAuT1qbnyb0638w9aj5mQpfNHhOB6CK/8nZa/7FhXELnGE -5bX/+qRHvWQyu/YlhKInQvUgsMITEBHNEBW6QpAq0kThlibrMUgS/SrayQbPdB6pS9WHKPl5 -NJI+LkTo9o9PjzU/JbM53GMqkGsgX8RSEk6XLCqsnZfeSPKjZtvC0oOVpmanniUP6QszkWUK -WsPZVBLdr8NODh8mXg3cs43s1YFw3tJPJAXzbE71TElmjdH/0gslQUj+UYTGQq+ABM/QfmRJ -5PLfouyxTMAqHee0sWWixLzxmPSqcAdjtLjaO0z6QCIwWxGm8AUOxgIDSKuGm4Xd293qonaA -c331nATERY3nuRyLnurXddFysd51ROdCfeJXa33cmbw9gyjqgJONxUxlwXCBuDj8QzGy9gM0 -R7Ks+yIGyx7dF0ccX2a50xqi2hGxpLwjyeS+h/+5lLb4XSBK1F/nvWh7ZfIVHtI6qS3p2Gsk -rJdYREetWRjxIWVw3s40YKhA8fM8pMMoI4z+JzNDQKAXPOvqO7BypqO5SkteFkj0srzIjJLF -nZ+scja8NIA0a6mLksC4F+3sdlP1JAGMsyLoS3xVxp36oxS7ZYVubk8Sfgo8nZUAAAACAA5h 
-Y3JhaXpmbm10LXJjbQAAAXwQWa1IAAVYLjUwOQAABYcwggWDMIIDa6ADAgECAg9dk40wZzbI -Bh0ax1SEaQcwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQt -UkNNMRkwFwYDVQQLDBBBQyBSQUlaIEZOTVQtUkNNMB4XDTA4MTAyOTE1NTk1NloXDTMwMDEw -MTAwMDAwMFowOzELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMRkwFwYDVQQLDBBB -QyBSQUlaIEZOTVQtUkNNMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunGAekyG -bn/IE23Axn0cAJePLAwjuxCaQKkat4eI+JtWavvme46Lko6nJV1ZEds2LrdRFx+pCB8EFyRY -qjdKGN/lOdRX/dfBLJEBkeIi1APAWPx3R+yPPnRDuqw0jU04dmeOsMhvMDNYcVy09Wtu1AFQ -uBN+bEqjSdEgGe68wCkYZafe/u/dCpAh5xpnkkIQmF9PMLw+HEW0ENdoQBTAQPrndxd65guP -ZVs82ZpS27W9nkbPPeuRBQLAlrJ2TE0QljuS+px/D5nfviM1RR4CXP61qJuZJdpe8yLDOfXk -Ki7Txh/EbKrFHGoBBUov0sXBqDQmXWal0gIh+Ri3BvVOmW+oq0xR6M9QGMV3yDkJLEmSMpmo -uxcXebBaxeajxFllRzWDXqnoNQuZu+TNIMabSgY5tWj8IrruVYwrTurzseP8tpma1UL6cU0I -z4ceanF9+dO06aVxgXvCTkeWpfZ2haMoj+mAboFTpW1fuEj5wvk2pi5J/7iWwowHs5uIWPzr -GxzeLXDil5IwoYnjvFWoJ9ZL7ZCti/pjJVktqDXdypczvOXNx53R7O9eDkqQBiZjrbnZNS0H -unZlLKxXj330B5TXgQKWXaMHSdV60Ff5G+dTRnWqsHlCy2hxCOlgvTlpzvSvw1ZAx61Sognk -b4ZHih/rKCddgyCvBMlsVpqLRvUCAwEAAaOBgzCBgDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud -DwEB/wQEAwIBBjAdBgNVHQ4EFgQU933F/cTomht3ZKf1HaDMv4dgmm0wPgYDVR0gBDcwNTAz -BgRVHSAAMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuY2VydC5mbm10LmVzL2RwY3MvMA0G -CSqGSIb3DQEBCwUAA4ICAQAHkErf8yNO8MOcUWWbnCKiigyF83Mpa03+AeKpDGMBvwRnpZ2Y -X/0BE/rsmmLphv62YtJuTJT7wHVFfGUM+LI3z6wPz41v+Rn3j+we8nCe8Mq477f/djd2W/Zu -iPOvYjIikw06ao4UZgwtU3RXZR7Vst0jgTulZiMnZwmP4XeqQ81lUQjtUVj+5jn5y0eEpBXx -druk7qQ7xF/vsjOWERi3yWW+GOGjpNz6GPnTvBObOXo0utNB+/oyiiq3K4YLaYM4vs2KLgtw -rY0mku4e9QErCtnWl5tu4KgZHDohiwweQK0D591mfvW5IA0D6Jb5gkXUOeCgAF3XmOZ9nmdz -w5oq96uLoToU7zS8Ug6JmJoEQIQdfkVpk1fO6874UHxPHG4EQ5v51jsjGOnqjtFNRo3xO+Rq -yrr7I7eb+pkBKVpYWi3j+dRtDiatwW40vDL4DAX6ZaPbOzeDIunW3HIz/V3yIL12PCPaKPf5 -G+tZZNXcX3J+IPzNibWQZ01iej9OrR3DOf569CgW30H2SIAF1w9ReawQq9TsA2bmarC6MZJC -QGq+OtNy4Wo3VbysHZW3aWHyQ5F05qDTCiRGoQiv1tpFGZbUUx1bhHnwwPdH74uPxQaunUxi -nf9GBPjTybYQJUB1/haqyUpghi+67zB35FTiuISZWICqE4tROk9I9ou2swAAAAIAE2dkY2F0 
-cnVzdGF1dGhyNXJvb3QAAAF8EFmtSAAFWC41MDkAAAWMMIIFiDCCA3CgAwIBAgIIfQmX/vBH -6nowDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCQ04xMjAwBgNVBAoMKUdVQU5HIERPTkcg -Q0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQuMR8wHQYDVQQDDBZHRENBIFRydXN0QVVU -SCBSNSBST09UMB4XDTE0MTEyNjA1MTMxNVoXDTQwMTIzMTE1NTk1OVowYjELMAkGA1UEBhMC -Q04xMjAwBgNVBAoMKUdVQU5HIERPTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZIENPLixMVEQu -MR8wHQYDVQQDDBZHRENBIFRydXN0QVVUSCBSNSBST09UMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEA2aMW8Mh0dHeb7zMNOwZ+Vfy1YI92hhJCfVZmPoiC7XJjDp6L3TQsAlFR -wxn9WVSEyfFrs0yw6ehGXTjGoqcuEVe6ghWinI9tsJlKCvLriXBjTnnEt1u9ol2x8kECK62p -OqPseQrsXzrj/e+APK00mxqriCZ7VqKChh/rNYmDf1+uKU49tm7srsHwJ5uu4/Ts765/94Y9 -cnrrpftZTqfrlYwiOXnhLQiPzLyRuEH3FMEjqcOtmkVEs7LXLM3GKeJQEK5cy4KOFxg2fZfm -iJqwTTQJ9Cy5WmYqsBebnh52nUpmMUHfP/vFBu8btn4aRjb3ZGM74zkYI+dndRTVdVeSN72+ -ahsmUPI2JgaQxXABZG12ZuGR224HwGGALrIuL4xwp9E7PLOR5G62xDtw8mySlwnNR30YwPO7 -ng/Wi64HtloPzgsMR6flPri9fcebNaBhlzpBdRfMK5Z3KpIhHtmVdiBnaM8Nvd/WHwlqmuLM -c3GkL30SgLdTMEZeS1SZD2fJpcjyIMGC7J0R38IC+xo70e0gmu9lZJIQDSri3nDxGGeCjGHe -uLzRL5z7D9Ar7Rt2ueQ5Vfj4oR24qoAATILnsn8JuLwwoC8N9VKejveSswoAHQBUlwbgsQfZ -xw9cZX08bVlX5O2ljelAU58VS6Bx9hoh49pwBiFYFIeFd3mqgnkCAwEAAaNCMEAwHQYDVR0O -BBYEFOLJQJ9NzuiaoXzPDj9lxSmIahlRMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgGGMA0GCSqGSIb3DQEBCwUAA4ICAQDRSVfgp8xoWLoBDysZzY2wYUWsEe1jUGn4H3++Fo/9 -nesLqjJHdtJnJO29fDMylyrHBYZmDRd9FBUb1Ov9H5r2XpdptxolpAqzkT9fNqyL7FeoPueB -ihhXOYV0GkLH6VsTX4/5COmSdI31R9KrO9b7eGZONn356ZLpBN79SWP8bfsUcZNnL0dKt7n/ -HipzcEYwv1ryL3ml4Y0M2fmyYzeMN2WFcGpcWwlyua1jPLHd+PwyvzeG5LuOmCd+uh8W4XAR -8gPfJWIyJyYYMoSf/wA6E7qaTfRPuBRwIrHKK5DOKcFw9C+df/KQHtZa37dG/OaG+svgIHZ6 -uqbL9XzeYqWxi+7egmaKTjowHz+Ay60nugxe19CxVsp3cbK1daFQqUBDF8Io2c9Si1vIY9RC -PqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV09tL7ECQ8s1uV9JiDnxX -k7Gnbc2dg7sq5+W2O3FYrf3RRbxake5TFW/TRQl1brqQXR4EzzffHqhmsYzmIGrv/EhOdJhC -rylvLmrH+33RZjEizIYAfmaDDEL0vTSSwxrqT8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaAp -JUqlyyvdimYHFngVV3Eb7PVHhPOeMTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0gAAAAIA 
-Cml6ZW5wZS5jb20AAAF8EFmtSAAFWC41MDkAAAX1MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/h -y/WL1xnmfTANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBF -IFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgy -NzI1WjA4MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6 -ZW5wZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq -scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaOxdgmlOHZ -SOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6HLmYRY2xU+zydcsC8 -Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFXuaOKmMPsOzTFlUFpfnXCPCDF -YbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQDyCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxT -OTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieF -UCbKF7jJeodWLBoBHmy+E60QrLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUb -Qc/hhqfK0GqfvEyNBjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnv -mfzAuU8Lhij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB -QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+HMh3/1ua -D7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2luZm9AaXplbnBlLmNv -baSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYgQTAxMzM3MjYwLVJNZXJjLlZp -dG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBBBgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJy -YW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAxMCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUw -AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0G -CSqGSIb3DQEBCwUAA4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHz -P7MOeIWblaQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56 -awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwoJNu0FXWu -DYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lwLDXWrzY0tM07+DKo -7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCTVyvehQP5aTfLnnhqBbTFMXiJ -7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGkLhObNA5me0mrZJfQRsN5nXJQY6aYWwa9 -SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJbUjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQ -yVB1/OpaFs4R1+7vUIgtYf8/QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy 
-2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z -WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxwAAAAIAGm9pc3Rl -d2lzZWtleWdsb2JhbHJvb3RnY2NhAAABfBBZrUgABVguNTA5AAACbTCCAmkwggHvoAMCAQIC -ECEqVgyu2gyrQEW/K6ItOuowCgYIKoZIzj0EAwMwbTELMAkGA1UEBhMCQ0gxEDAOBgNVBAoT -B1dJU2VLZXkxIjAgBgNVBAsTGU9JU1RFIEZvdW5kYXRpb24gRW5kb3JzZWQxKDAmBgNVBAMT -H09JU1RFIFdJU2VLZXkgR2xvYmFsIFJvb3QgR0MgQ0EwHhcNMTcwNTA5MDk0ODM0WhcNNDIw -NTA5MDk1ODMzWjBtMQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZ -T0lTVEUgRm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i -YWwgUm9vdCBHQyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABEzpUMDGD3IYvNjxurOJ4nlK -oxana1Qk21H/6vQJJMMLIp/LaieCgQ3SwK8x5HSCbsol2Yx1nfHb0JqiSyF+FqdjkNI51LGH -eF8Ylg9QGzU3D2rG3NkTTaSOkDfmvVsxkaNUMFIwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB -/wQFMAMBAf8wHQYDVR0OBBYEFEiHFKzjw56QYDrXyonu062MtFBmMBAGCSsGAQQBgjcVAQQD -AgEAMAoGCCqGSM49BAMDA2gAMGUCMCbHaVvc1eey58gMjIzD3XmMG2PVyVKUTk2CSnMesoCE -qSXATFptSSlgeBPifkjrZAIxANs0IDII/5pJAraI3hSvXWyZcY0aP4vX4KI2hhwHgjp2U/3C -ou3ve7CAT1gPS1M5vQAAAAIAHWUtdHVncmFjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5AAABfBBZ -rUgABVguNTA5AAAGTzCCBkswggQzoAMCAQICCGpoPpxRm8tTMA0GCSqGSIb3DQEBCwUAMIGy -MQswCQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1xJ9yYSBFQkcg -QmlsacWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEuxZ4uMSYwJAYDVQQLDB1F -LVR1Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYGA1UEAwwfRS1UdWdyYSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTAeFw0xMzAzMDUxMjA5NDhaFw0yMzAzMDMxMjA5NDhaMIGyMQsw -CQYDVQQGEwJUUjEPMA0GA1UEBwwGQW5rYXJhMUAwPgYDVQQKDDdFLVR1xJ9yYSBFQkcgQmls -acWfaW0gVGVrbm9sb2ppbGVyaSB2ZSBIaXptZXRsZXJpIEEuxZ4uMSYwJAYDVQQLDB1FLVR1 -Z3JhIFNlcnRpZmlrYXN5b24gTWVya2V6aTEoMCYGA1UEAwwfRS1UdWdyYSBDZXJ0aWZpY2F0 -aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOL1P5MFUR6F -YlReegv1GAeDrn6vfPfUimulY0M5uUv3w8ZkiT2ULlSAUjk5B0tL3YUHdofMvy+VTMx9pz28 -Rw+YcPiMhR50jpJtG0DRmQ27dW7IqWuawIQxr8pDy+srNOiPl2sBm9UOSgiqW5J0hUPTgK6h -iFuus+peyxaad0TIofZUaM7ej5crultAAgxkF8C1k83h8RNmzgx579GRKKtfoBJSMHMZjo/h 
-jAeiw7tK8OofFajuJcykRvgbIu+zDkO6LCS4xSxc1Bz4XWS9w5NeKKc/J/GOHtMqUAWjVdnL -5zlTwJiejFRiiyaw932NfOTGnmZCVYJH57JYjWb3B3wuNuZQHD/bQyTFv4ZHebN5HPda9BPs -bPg/4lkfle5CPrmtqDKFSZdG/ksxj1rLrXRHH+mRt98oBCKg1A9d4nlP6myFhr2ops7k+sPh -s67ePFHuyxN8AX+EDl1RlJ4TDLYupUz5OXA2b5bKLgxEVcXK+l0Co9/WZIxaswEKqbUKRxf/ -75FAKo6hRjoxmOUR/My7SVaK/LnQYZpvZWzmw8s+dUn+j6fiicVn151GE04xdjsks54RZYar -f+8d1Pi856xaXLdaR1xVzlW0InFbWwvwz9ygYWTqqddoCmOn4A0/oK/TqtJ+71Gg5lErVZIV -F1PLt2YOZkz4+XVMkOcScMdFAgMBAAGjYzBhMB0GA1UdDgQWBBQu49uySdCcVHlc+icq/sxO -0uhOVDAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFC7j27JJ0JxUeVz6Jyr+zE7S6E5U -MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEABTc69E23ReJFdSSPtndS6BzY -EJNl8/JZBqQ+HinsXdHQq3zgCpBIeO1OmAOZ/ihgkR0wHbhjfKjmNbX602F25tYHS8ppmrKE -eneTRRcVnyTQmBMS/7ugLv1OTIf4zlyqmBsF4ABGSoKApTOLKNztONPf5T7p/vtZ3WGET9JU -lhNhEz6PgGm+k0e1NUPSWrs9XO+zQkfNO1UTBrAJ2/1j9jqICplvfuHOG1NqRGYjUQh7vFtS -ov0GNzhAYY9KlriQN/hmx3iQABUui61RNVMHqGtorvlOPAcmzQgFcMw5P3a9pdNnJgGGplPS -YDt8Q39ViryVGsEoOUwfQ9KR9HJZirlW/D+0ndpwnHZajENQ7o4wck3f/0n3xqln2W2sAhHi -OhYlp1gIy29TQZxIOEdoM9HXx4/UdCHUwwWQev/OloixFSldI6vQYKEST970F80y5cm/yEOt -/S6O8a/i9Jj6Eh8g2MCnDIXFkPQ7LZYmsSy+TKvrsdKKydt4Ew8eCZ1tjwCfAtrB+h96egnE -SuaIKpefiYv9N19fOs44WYZLr3ELtNjycE+fMhPjsKdX5draQ8uENPIoxOpt9CrvwWt22vt+ -u4U80lPCTb5x4UXR/SNnDRN1+89lZyKdrrAJ0Qn/HTS//iOXN9I5+j0NBgu02zujq29cHbZ+ -6LOCNO0GXCQAAAACAA9xdW92YWRpc3Jvb3RjYTMAAAF8EFmtSAAFWC41MDkAAAahMIIGnTCC -BIWgAwIBAgICBcYwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1 -b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMzAeFw0wNjExMjQx -OTExMjNaFw0zMTExMjQxOTA2NDRaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRp -cyBMaW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDMwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQDMV0IWVJzmmNPTTe7+7cefQzlKZbPoFog02w1ZkXTPkrgEQK0C -SzGrvI2RaNggDhoB4hp7Thdd4oq3P5kazethq8Jlph+3t723j/z9cI8LoGe+AaJZz3HmDyl2 -/7FWeUUrH556VOijKTVopAFPD6QuN+8bv+OPEKhyq1hX51SGyMnzW9os2l2ObjyjPtr7guXd -8lyyBTNvijbO0BNO/79KDDRMpsMhvVAEVeuxu537RR5kFd5VAYwCdrXLoT9CabwvvWhDFlaJ 
-Kjdhkf2mrk7AyxRllDdLkgbvBNDInIjbC3uBr7E9KsRlOni27tyAsdLTmZw67mtaa7ONt9XO -nMK+pUsvFrGeaDsGb659n/je7Mwpp5ijJUMv7/FfJuGITfhebtfZFG4ZM2mnO4SJk8RTVROh -UXhA+LjJou57ulJCg54U7QVSWllWp5f8nT8KKdjcT5EOE7zelaTfi5m+rJsziO+1ga8bxiJT -yPbH7pcUsMV8eFLI8M5ud2CEpukqdiDtWAEXMJPpGovgc2PZapKUSU60rUqFxKMiMPwJ7Wgi -c6aIDFUhWMXhOp8q3crhkODZc6tsgLjoC2SToJyMGf+z0gzskSaHirOi4XCPLArlzW1oUeva -PwV/izLmE1xr/l9A4iLItLRkT9a6fUg+qGkM17uGcclzuD87nSVL2v9A6wIDAQABo4IBlTCC -AZEwDwYDVR0TAQH/BAUwAwEB/zCB4QYDVR0gBIHZMIHWMIHTBgkrBgEEAb5YAAMwgcUwgZMG -CCsGAQUFBwICMIGGGoGDQW55IHVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGNvbnN0aXR1dGVz -IGFjY2VwdGFuY2Ugb2YgdGhlIFF1b1ZhZGlzIFJvb3QgQ0EgMyBDZXJ0aWZpY2F0ZSBQb2xp -Y3kgLyBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVudC4wLQYIKwYBBQUHAgEWIWh0 -dHA6Ly93d3cucXVvdmFkaXNnbG9iYWwuY29tL2NwczALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE -FPLAE+CCQz777i9nMpY1XNu4ywLQMG4GA1UdIwRnMGWAFPLAE+CCQz777i9nMpY1XNu4ywLQ -oUmkRzBFMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEbMBkGA1UE -AxMSUXVvVmFkaXMgUm9vdCBDQSAzggIFxjANBgkqhkiG9w0BAQUFAAOCAgEAT62gLEz6wPJv -92ZVqyM07ucp2sNbtrCD2dDQ4iH782CnO11gUyeim/YIIirnv6By5ZwkajGxkHon24QRiSem -d1o417+shvzuXYO8BsbRd2sPbSQvS3pspweWyuOEn62Iix2rFo1bZhfZFvSLgNLd+LJ2w/w4 -E6oM3kJpK27zPOuAJ9v1pkQNn1pVWQvVDVJIxa6f8i+AxeoyUDUSly7B4f/xI4hROJ/yZlZ2 -5w9Rl6VSDE1JUZU2Pb+iSwwQHYaZTKrzchGT5Or2m9qoXadNt54CrnMAyNojA+j56hl0YgCU -yyIgvpSnWbWCar6ZeXqp8kokUvd0/bpO5qgdAm6xDYBEwa7TIzdfu4V8K5Iu6H6li92Z4b8n -by1dqnuH/grdS/yO9SbkbnBCbjPsMZ57k8HkyWkaPcBrTiJt7qtYTcbQQcEr6k8Sh17rRdhs -9ZgC06DYVYoGmRmioHfRMJ6szHXug/WwYjnPbFfiTNKRCw51KBuav/0aQ/HKd/s7j2G4aSgW -QgRecCocIdiP4b0jWy10QJLZYxkNc91pvGJHvOB0K7Lrfb5BG7XARsWhIstfTsEokt4YutUq -KLsRixeTmJlglFwjz1onl14LBQaTNx47aTbrqZ5hHY8y2o4M1nQ+ewkk2gF3R8Q7zTSMmfXK -4SVhM7JZG+Ju1zdXtg2pEtoAAAACAA9xdW92YWRpc3Jvb3RjYTIAAAF8EFmtSAAFWC41MDkA -AAW7MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0xGTAX -BgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJvb3QgQ0EgMjAe -Fw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQK 
-ExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9WYWRpcyBSb290IENBIDIwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCaGMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXz -L4GtMh6QRr+jhiYaHv5+HBg6XJxgFyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrG -sxDp3MJGF/hd/aTa/55JWpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/ -+NsRE8Scd3bBrrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF -60Tp+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1ksOR -1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/iUcw6UwxI5g69 -ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIizPtGo/KPaHbDRsSNU30R2 -be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og/zOhD7osFRXql7PSorW+8oyWHhqP -HWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UHoycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR -2gyPZFwDwzqLID9ujWc9Otb+fVuIyV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwID -AQABo4GwMIGtMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8 -SEwzJQTU7tD2A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcw -RTELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1 -b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2fBluornFdLwUv -Z+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzng/iN/Ae42l9NLmeyhP3Z -RPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2BlfF/nJrP3MpCYUNQ3cVX2kiF495V5 -+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5KWWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zs -l0Q80m/DShcK+JDSV6IZUaUtl0HaB0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0u -RY/W6ZM/57Es3zrWIozchLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gN -NWQjrLhVoQPRTUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+ -XIWDmbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0ZohEU -GW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y4aOTHcyKJloJ -ONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza8eOx79+Rj1QqCyXBJhnE -UhAFZdWCEOrCMc0uAAAAAgAlZW50cnVzdHJvb3RjZXJ0aWZpY2F0aW9uYXV0aG9yaXR5LWVj -MQAAAXwQWa1IAAVYLjUwOQAAAv0wggL5MIICgKADAgECAg0Apot5KQAAAABQ0JH5MAoGCCqG -SM49BAMDMIG/MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UE 
-CxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIg -RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTMwMQYDVQQDEypFbnRy -dXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBFQzEwHhcNMTIxMjE4MTUyNTM2 -WhcNMzcxMjE4MTU1NTM2WjCBvzELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIElu -Yy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsT -MChjKSAyMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEG -A1UEAxMqRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMHYwEAYH -KoZIzj0CAQYFK4EEACIDYgAEhBPJ0LptQXvibNDrVV9mAhok9FuJaUfjuMJ98fICxZ+g9lvV -iwYZhk9TEG0HJCehoPjVRxlhTH3KkyfqdAzvb5YJ/mPscF02rWd3rsmdfFVEOqJjUR/142LU -qUcHPswgo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -t2PnGt2N6QimVYOk4GpQQWURQkkwCgYIKoZIzj0EAwMDZwAwZAIwYXnY5UJH3xyuU5kXtm8c -feG/EZTRA4h15I2JpIp3Rt5tYe8C9fu138z+Tv/+qeanAjBbmdeFNwa1ewj96yeLSpT54fqn -jiYI6HySaG1z2G8mrCECuJm3JkFbJWCu0Ega7gYAAAACABpvaXN0ZXdpc2VrZXlnbG9iYWxy -b290Z2JjYQAAAXwQWa1IAAVYLjUwOQAAA7kwggO1MIICnaADAgECAhB2sSBSdPCFh0az+CMa -9sLAMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIw -IAYDVQQLExlPSVNURSBGb3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNl -S2V5IEdsb2JhbCBSb290IEdCIENBMB4XDTE0MTIwMTE1MDAzMloXDTM5MTIwMTE1MTAzMVow -bTELMAkGA1UEBhMCQ0gxEDAOBgNVBAoTB1dJU2VLZXkxIjAgBgNVBAsTGU9JU1RFIEZvdW5k -YXRpb24gRW5kb3JzZWQxKDAmBgNVBAMTH09JU1RFIFdJU2VLZXkgR2xvYmFsIFJvb3QgR0Ig -Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYF7ccSiQq1pexyuIe+30475j1 -sjmYTie4EV170iWUiIIVJmobMbuoWyEhK9gPTp9a8bFa5HnWMiMr4VPMmUVce0+tvL+HSgtL -l1qo9kjsfXsNzSEG354V/UGKSLcg9KF6G1fUXVD/umfYI5kfyD/j3v9vW3exa264yWT34cpB -Rg4pcdC5I/zJgV9O92/fv4Stc2S7t0KOafbUdh1+nae4V4pRZ3LX1Ki4lVRAcwP26vTr/ihC -dz+dIxuytj2AFAdMLk/31QoWDb1mQzd+I0N5w0CG9Uwp2o6arQ2lBIeIHoXj6VPVm8iLA2N4 -6+AZSm67L2szZFiTrWm/jxvvgkjHAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8E -BTADAQH/MB0GA1UdDgQWBBQ1D8g2Y17io+z5O2YVzlFS45GaPTAQBgkrBgEEAYI3FQEEAwIB -ADANBgkqhkiG9w0BAQsFAAOCAQEAQEz7h7KZgZB+ncWwsCbNiHsrMo1uuCFxWJd9rjcUrz7n 
-95riffZxmJkEqkN0eKPjSWE+c4xNlOD5ccS2Fg5TeB/WoocvAjmBKTyvFZghMP4okACM0eHL -+l7I/fgQRjuieEKRF3RVCt5QZ01m0af//dnAtaijis5m9Q9DzacrV3tjRmqqLlLY9O3hba0p -kHhIuuEjqqOJ7LWrlsC0S6Idl5568m5Acd9o8WVNznwF31NlqaXwsZcEcBVGA5jU0r9UtKBY -fVJv2lYmYtTY24kxbxzwIsLTYhw1zUxpFVQakJje6x5fynfHy449Q2mcmljQJDvfG0CWfjWt -gcdOcbqIEwAAAAIAJW5hdmVyZ2xvYmFscm9vdGNlcnRpZmljYXRpb25hdXRob3JpdHkAAAF8 -EFmtSAAFWC41MDkAAAWmMIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJ -KoZIhvcNAQEMBQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBM -QVRGT1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0aW9u -IEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkxCzAJBgNVBAYT -AktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBDb3JwLjEyMDAGA1UEAwwp -TkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3 -DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVAiQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gv -QnXp2XskWjFlqxcX0TM62RHcQDaH38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtS -AuXaMl3Dxeb57hHHi8lEHoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/ -6imBEtRTkZazkVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABI -qKYPszuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8ObtoqvC8M -C3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHfnZ3zVHbOUzoB -ppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaGYQ5fG8Ir4ozVu53BA0K6 -lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo0es+nPxdGoMuK8u180SdOqcXYZai -cdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3aCJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv -8ejyYhbLgGvtPe31HzClrkvJE+2KAQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0Iw -QDAdBgNVHQ4EFgQU0p+I36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1Ud -EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7g -yKoNqo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatjcu3c -vuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm+LUx5vR1yblT -mXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCLhr0N8F5OSza7OyAfikJW -4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQelHsIJchxzIdFV4XTnyliIoNRlwAY 
-l3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzy -qkn+Zvjp2DXrDige7kgvOtB5CTh8piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmW -Ncf7I4GOODm4RStDeKLRLBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0 -kNwUXTC/t+sX5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF -4+KOdh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul9XXe -ifdyAAAAAgAJZ3Rzcm9vdHI0AAABfBBZrUgABVguNTA5AAACDjCCAgowggGRoAMCAQICEG5H -qciLlLbouzsq2KKywZkwCgYIKoZIzj0EAwMwRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdv -b2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0MB4XDTE2MDYy -MjAwMDAwMFoXDTM2MDYyMjAwMDAwMFowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2ds -ZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0MHYwEAYHKoZIzj0C -AQYFK4EEACIDYgAE83Rzp2iLYK5DuDXFgTB7S0md+8FhzubeRr1r1WEYNa5A3XP3iZEwWus8 -7oV8okB2O6nGuEfYKueSkWpz6bFyOZ8pn6KY019eWIZlD6GEZQbR3IvJx3PIjGov5cSr0R2K -o0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUgEzW63T/ -STaj1dj8tT7FavCUHYwwCgYIKoZIzj0EAwMDZwAwZAIwalBSdAjEcNyeUHQh6I16IcNPlm4V -0SI1YS36CDfuGW2t27LMfQc09WAZLLU02W8gAjADcbG6o2ALhu2aCGqVaJ/is+GTZHxek6bf -eS2NheOUzyNdcczysE3W/pnIlKl1ouMAAAACAAlndHNyb290cjMAAAF8EFmtSAAFWC41MDkA -AAIQMIICDDCCAZGgAwIBAgIQbkepx2ypcyRAiQ8DVd2NHTAKBggqhkjOPQQDAzBHMQswCQYD -VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxML -R1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAwWjBHMQswCQYDVQQG -EwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIGA1UEAxMLR1RT -IFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQfTzOHMymKoYTey8chWEGJ6ladK0uF -xh1MJ7x/JlFyb+Kf1qPKzEUURout736GjOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSW -RQmx1WyRRK2EE46ajA2ADDL24CejQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD -AQH/MB0GA1UdDgQWBBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEA -gFukfCPAlaUs3L6JbyO5o91lAFJekazInXJ0glMLfalAvWhgxeG4VDvBNhcl2MG9AjEAnjWS -dIUlUfUk7GRSJFClH9voy8l27OyCbvWFGFPouOOaKaqW04MjyaR7YbPMAuhdAAAAAgAUZGln -aWNlcnRnbG9iYWxyb290ZzMAAAF8EFmtSAAFWC41MDkAAAJDMIICPzCCAcWgAwIBAgIQBVVW 
-vPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGln -aUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2Vy -dCBHbG9iYWwgUm9vdCBHMzAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJ -BgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2Vy -dC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF -K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FGfp4tn+6O -YwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPOZ9wj/wMco+I+o0Iw -QDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUs9tIpPmhxdiu -NkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIxAK288mw/EkrRLTnDCgmXc/SINoyIJ7vm -iI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9O -jIgrqJqpisXRAL34VOKa5Vt8sycXAAAAAgAJZ3Rzcm9vdHIyAAABfBBZrUgABVguNTA5AAAF -XjCCBVowggNCoAMCAQICEG5HqcZas+cgxTCaP2hS8m8wDQYJKoZIhvcNAQEMBQAwRzELMAkG -A1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMT -C0dUUyBSb290IFIyMB4XDTE2MDYyMjAwMDAwMFoXDTM2MDYyMjAwMDAwMFowRzELMAkGA1UE -BhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dU -UyBSb290IFIyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzt79pvvs7BQ0PAcG -WmxZ9xk13ffBnVWq0807pJNy7wr6bZ328IWAW6FIUp85xbfuKKzvy3ZoFLnfrQFsmR/EIh2f -/nJ34Cxbr+QEv09yoBo0mOg5aOyVJXt2oeZpuYUZvYmM/q3tNupzvP+D4st9wdLOSrONBZ6L -SZPfwVvQbl7wLjAugvz6vLQXCkjliJvFm2vesMq0A/Da9JC4ZWT3XEyt6H5mXpnXuMI+yNAT -na3u5EV7iVX3ih9iUoQSs8JAl+OKH0eRpnRa0vixYygQuLMJuFZ3QKImmHnG/t8l7j7loH/U -YQ9RSzw/jNrhcHTYwmih+cEM6aHif7tVPHYG7mpOzJKIME2avU8LSJqEtZij1ftzwVdh3ShW -dROuh47nDFEJEHWITLyN+Xs81CJIHyrc62u7RLHLM3EyRq+tSvGM6HQ6rOcaInOA0jD3JULH -Ijs7Eq2WLsbDdgeqILc1SVfpkknodhZyMWcrln6Ko8eUViK/akt+ASGyIzLf5JpEbVlbXfUA -oBybxniXjZD/m8iqtK8RUTle2ftnrdVbEZ0ymhu91bpbpcnLJWlTVSdc4Mo2y4hh+x630Mvu -FvvTpkzekqXU4t/1BlTeLp1LtJMwqoHO3RrcUXMNT3Dp5bYWIRl5suaJC3VkytWrvAnBGKH/ -1FShhTz9FCQDsofTpLcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB -Af8wHQYDVR0OBBYEFLv/yo4jn0+ZytviaKalFScXHtkOMA0GCSqGSIb3DQEBDAUAA4ICAQC2 
-afCmd/6e7guBreHAqcf5NR1AgqvmBLTfy/cdD4PwfhNNjYzu4zMiwzn8QN9uQUtCU74WiPHS -OF7EaJkcmFKTjOdo7Rtqc3oFQE1/ZTvWWPHOg0dg4/+XqZxgdxhVtX4Ik8/Q9jxnAxVhCfmB -efXsU6SfyY8Bi3PEd3bcg6L1DEkaqHbekptk+LMsxSfTB8AIgKSYkuMBlgKqAu6PO8XRbQoz -MHN4uU9UFr8LB6GkXObLyVyEjw/gFXcsfiZ+2sRL26cWdwewzXXockLWlYSdhoPy5JDNCUfU -iwNw2lrGA0L07Tei8BtQVEsO2ITeGSiZgUeuCRs/SNHDb+KwYBf17iMCpdoAW22Qq+6i6Rs7 -6cdEJ0WOa5/1pIS8d/lrl6w+UUWiEabMhe4KaPI+UDh6JGIeFyA3bWpNtwmbyfykWPW2+5xO -GLuVAuehrZsH7jZrJNI5hsGTg1DSgUaoX2JXLLtsZIgIbu8TVF/dLcRnY9PPiTe/nSD0+3qD -m6AegQBQwuQMIllSEO1DVocA+BRSpx2Lk4yiTUZ/J8ZxmyTe5NqGiw1+ayDBwJ7hZdhqo6bo -hYs6BwgcuvWPVZoYdX7l7IFm0SFzoTVEC4A9W5xebyoXltGDI4hmbeaG4nAyL1Ii58jnf8Qs -YF0vw6+eRQXDhAK3/SwIUk+C3aPw1IYJAgAAAAIAEnN3aXNzc2lnbmdvbGRjYS1nMgAAAXwQ -Wa1IAAVYLjUwOQAABb4wggW6MIIDoqADAgECAgkAu0AcQ/VeT7AwDQYJKoZIhvcNAQEFBQAw -RTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEfMB0GA1UEAxMWU3dpc3NT -aWduIEdvbGQgQ0EgLSBHMjAeFw0wNjEwMjUwODMwMzVaFw0zNjEwMjUwODMwMzVaMEUxCzAJ -BgNVBAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2lnbiBH -b2xkIENBIC0gRzIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv5O5+iyQOEm6p -UC0WRDuSklzKuF2EkkITKrxlV4JAPlckzVCLJSq3b/zvotDAHwIkShOWjyMT5ihYAKNHxwan -hCMru72WK39VzIvBVx8OYmUP3T1WinParn5tuoEcfkKMIDXZQ02E+oTbUizzDid3C2u/ES9y -eJ8u2D7mGDdaKnL52mKQkpXKH5zpszwry/MBE79az8G1CmC93bWZZFO4oJazb+Imd5GM4GIQ -Ap80D6TVkjNR3r6NuoR6YDxq258r7N7eAT9uTeVQhsu0r+1EQMXKWoza0it8qO6+puUKqg6l -3wVSt1XHIl0yapeXYxPbydt5NnuFOkrFUon5JOedd6mC/1UcpXFpK9ECJPKzJtRr2gRV5cEK -x20wN5Aq5J4UM14WF1XFW7XLNImS8Z0mj6EH1MayeFDbDAwLfAuMQde56d2MiPejTbIyzNgX -2s23zmad1P1e/72XPil1536nYlivJTSlQcc9vA1QygMDDwhaH5VzeGK/r3IUaQ6l5QMOeI4m -KELwBwtiIBBnOUb6qQPMBDh6Zu8gg7WMSlaOkQD8jlyC3oigw+Jobn2N7zzdZfRdrFHvJICu -qlaXb/mtfdphP5h3PKWRthyMJtplogltweJU47nKTEyAj3d7YJoe37bySB4Ouk5UbZjg4aIa -ondQz8RjkuxHGZ3r5mvOwQIDAQABo4GsMIGpMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E -BTADAQH/MB0GA1UdDgQWBBRbJXuWpGVRfrg588B4Zl7oOufw7jAfBgNVHSMEGDAWgBRbJXuW -pGVRfrg588B4Zl7oOufw7jBGBgNVHSAEPzA9MDsGCWCFdAFZAQIBATAuMCwGCCsGAQUFBwIB 
-VQQKExplLWNvbW1lcmNlIG1vbml0b3JpbmcgR21iSDEZMBcGA1UEAxMQR0xPQkFMVFJVU1Qg -MjAyMDAeFw0yMDAyMTAwMDAwMDBaFw00MDA2MTAwMDAwMDBaME0xCzAJBgNVBAYTAkFUMSMw -IQYDVQQKExplLWNvbW1lcmNlIG1vbml0b3JpbmcgR21iSDEZMBcGA1UEAxMQR0xPQkFMVFJV -U1QgMjAyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK4uVq0bHO/2lY+gdxsr -02OPhE1Fog+fW0WrWXtRNPnsi4p4xd1rr73E35NFHr+ROAuuDhbnQXP427vRuFHgy4M7czhu -d4oPWWMmzacqzlT7uOLAfEfOYHw/snPywBm2ipKHNQ2QKKLkFQRjPrqv7nxezKaLULI490Fj -ys7/aY9oDpU25cy5jAnKS90xkJbIzB/9VpY0244c6iy+hS5j3aqpldP9KZUT8MiYk9ktFkeQ -EYOiOiKiKFei6/7AjCigpn3nKkI7goBjpWMfGcx8smaowtNtN2/ifgZR2UWEHxLOJFJkhQtI -gE6HsSIiMKrrrr7gAuBA6LBCgANRqrR+qkTXQ2HzomsWiUmko6QrigLEePRoisHkejaxbxuW -G3dJjdTJBnKPz1Pj3BeFIErcmCfTkSYrRx5pB6/eouTk1GsLs1581CSARylpO27orP1A69jt -cXEr8uhYHetBlyLFH9Q50CePh+MY9OCpRg31dDqCLtBuLJGjMVw7Rup7BBBWXoAd9aVl6IL8 -4geMYkX1IN5GcIahvJPTHnSmbLAs9wMMiAzL1HJThrxgRvOYasLxv0P5cCB3yjdBeVVSY41b -Ep/FaMSInazyMKu3ozGXZ62PFw9sx3PtJJRryIOa0Jo3SQSrsRbIbElJLauh0IyS8kFKeSEl -22PXtpynfkJp+zpjAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG -MB0GA1UdDgQWBBTcLh/RYTd55KvV1bMScWg9amicIjAfBgNVHSMEGDAWgBTcLh/RYTd55KvV -1bMScWg9amicIjANBgkqhkiG9w0BAQsFAAOCAgEAkfBCAmhA7sNowFQv3+xiw8OeiqAxKKqD -jqRWlhIQhla6l3LSVDB8rRnVHWhv+xRC2I0O87XRpeMCQl7c6EZYBzUCMOC8dErBQyr/2xrQ -sK9sw/3Ls/V/bQMuWVadLS01jLLWQxcskgrLXeiMD0twQ9CC/6jMv6SUwL6HvYrjk3vGj5sW -nSdlvHrFQoJsXAfQqcGIYETpmIUWX/iPygEQziXD+WAboMWXw9MsiDGivTDs0NDAEvHBOePl -9fjWSt00zftvwU/jAItW4pL3KLJCd3IjZ8c/ERWyxAMFvrsRewq/qG7n/1hDz5tnoIAHth3K -rW3qQRF+LXST+8K8vlFExe9oJSeA48ig1BLs2aU3HTd8tJHK2tSxloHvaFx2EEmvfqU3gLEc -Ur0zgUyP+d1l2RTNiiVY9OLFg6UJkNRsFGO1QN/rwPzEWH4NFBaHVCduVuRwhLhsMhJ+gjFD -vtfdfKGtrtarIBLvCsMQjEmWNdwLdV6xT9VPNA4RIAd1Q0XpoxHarKOZwrZ5J+K578ji9jUp -enT6xX+CBWKmCuposnlHBm7yV6gVM8b3eEo9Qntrfv73RurR647viGhb6MHZcX79ZO//Z0eI -WCUvPoYHvfuo5YKorKXTaUPNMYhJhFOSwLE5GzmDATDE8qn60AO9cjdgVh82fL05kfVtDb97 -15IAAAACABNidXlwYXNzY2xhc3Mzcm9vdGNhAAABfBBZrUgABVguNTA5AAAFXTCCBVkwggNB -oAMCAQICAQIwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBh 
-c3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTAeFw0x -MDEwMjYwODI4NThaFw00MDEwMjYwODI4NThaME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRC -dXlwYXNzIEFTLTk4MzE2MzMyNzEgMB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0Ew -ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCl2gqVFlDjlfJenXYxBjJ6m/EQdrgA -mrVSNs0kR7CfGGS8mvb61XnYkGJMIi/eOD3W4KjpHCzbeBHpjmhRFXLH8zOH5KBdC1zgVwcq -MPXNxDd3KE0Ykea/1VL9cS1wPufGxIrj8CgL9HaYoYuHVbI6E/y3Pic3jiLjqE8q72C7Pbc5 -ww4BR5ldEk/bQ/pXoe35nb4RRyZbE5irXRaKsDccV51F/4iWNr+7ygd7b4dj19AyatZdbAzx -s2454msxLjkAJxTeOMDsGWaGEuidchYTZFLHqTcc/YIw7YQYHfSuXP9wEwDrsfUzekvWVfgF -jUtpsPWzKDZcFMRRc01rC/E0B9sXOdfcKHtr9Z/zLsFPFyoQ88zK6Ov9a6sump8tgm4E1FIB -ky09hvx+/N/vQh2ma++5IMb3vaCnlf2n5okk2MyMNGziIy/ZEhohuVWRbwuReRkMrUCIC3Di -etIO2GhIu4ITORBY6dgqB8YS21jb0jtVEEcFFWdifhhjpkY/CQ5UMl6/DWJ6J++A6NvZSwZa -N1ol0AgSd9RvCVCXPcgdw9+MRTBWxtNkq2bzwF6WnMPE78N8a4s6eX+zSc894omfoDBLhbmc -lCR5j31rqUVoDyvQ8docy2m4yklibcjQY2LdYA9Yqo+hvAWlZqLPG3ayhGSxTDlSwDC68IxL -ArC2twIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHuM3/5W/u+LLsL04O -+SWwjjxrwzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAAAgI0E1BJDCQGJg -7+I1TNc/rOI0kLihb3b6FhakSDcs6ZDC8jz4Cp/YgeW7W9olLKSnVXEkMvbIC/K8aviTrLIH -wl+f28zIiqq+am/hSRDMMdeAu7vI2KIOZFfqovXCqTEV0iBq7PwiASjPhriAHqnMEaU88haz -R5380oAhxMvQR3BBocqDGQgsbfJdd5yKFBPUNhyS8OUGN9ym5pCbOI9caxtGhkNCXz4BB1NU -XWV994pzoZpUWh8pQxQnwoUPtYh7GjuUtx1gp7Wc5ylpV1qbk3pDMBsD12LIQKaq/GTkSteR -UwGoIIhunF9EuctggTTsb9N92khf67SQvC2pHAusHNWiaCCABNb8sY8vu0oxDUqGHOviNikm -9drYxPJ1Yc9+rnZjSnpAZZOH+B6AjIblhtaPDvxTLGDoFmEaoj5De805YFRq9fKJJgFog0ii -M+jJBJGyETQRPurQQxkfA5OQDP9RPVf0QW7hy6C+68ljzW3M5Pg2qmid7b1dl3BEDbYONdzh -DF27oFGUy34W6xEvo5JFyExx2bzJmVJXRi9Qz701afQ9Fc4GpSwPPvaBupS7w7u/ZXjShnn/ -STsagwzw3njsyPJNTBregin4wVra7e7mJ17oRdCdHFGoaKtE49CLauP4O7vcTddk8lG+5qqr -Wukx7ga8c78TYgqfx7mXAAAAAgAfY29tb2RvcnNhY2VydGlmaWNhdGlvbmF1dGhvcml0eQAA -AXwQWa1IAAVYLjUwOQAABdwwggXYMIIDwKADAgECAhBMqvnK22Nv4B/3TthbA4adMA0GCSqG -SIb3DQEBDAUAMIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy 
-MRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkGA1UE -AxMiQ09NT0RPIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDAxMTkwMDAwMDBa -Fw0zODAxMTgyMzU5NTlaMIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5j -aGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEr -MCkGA1UEAxMiQ09NT0RPIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZI -hvcNAQEBBQADggIPADCCAgoCggIBAJHoVJLSClaxrA0k3cXPRGd0mSs3o30jcABxvFPfxPoq -Eo9LfxBWvZ9wcrdhf8lLDxenPeOwBGHu/xGXx/SGPgr6Plz5k+Y0etkUa+ecs4Wggnp2r3GQ -1+z9DfqcbPrfsIL0FH75vsSmL09/mX+1/GdDcr0MANaJ62ss0+2PmBwUq37l42782KjkkiTa -Q2tiuFX96sG8bLaL8w6NmuSbbGmZ+HhIMEXVreENPEVg/DKWUSe8Z8PKLrZr6kbHxyCgsR9l -3kgIuqROqfKDRjeE6+jMgUhDZ05yKptcvUwbKIpcInu0q5jZ7uBRg8MJRk5tPpn6lRfafDNX -QTyNUe0LtlyvLGMa31fIP7zpXcSbr0WZ4qNaJLS6qVY9z2+q/0lYvvCo//S4rek3+7q49As6 -+ehDQh6J2ITLE/HZu+GJYLiMKFasFB2cCudx688O3T2plqFIvTz3r7UNIkzAEYHsVjv206Li -W7eyBCJSlYCTaeiOTGXxkQMtcHQC6otnFSlpUgK7199QalVGv6CjKGF/cNDDoqosIapHziic -BkV2v4IYJ7TVrrTLUOZr9EyGcTDppt8WhuDY/0Dd+9BCiH+jMzouXB5BEYFjzhhxayvspoq3 -MVw6akfgw3lZ1iAar/JqmKpyvFdK0kuduxD8sExB5e0dPV4onZzMv7NR2qdH5YRTAgMBAAGj -QjBAMB0GA1UdDgQWBBS7r34CPfqm8TyEjq3uOJjs2TIy1DAOBgNVHQ8BAf8EBAMCAQYwDwYD -VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQwFAAOCAgEACvHVRoS3rlG7bLJNQRQAk0ycy+XA -VM+gJY4C+f2wog31IJg8Ey2sVqKw1n4Rkukuup4umnKxvRlEbGE1opq0FhJpWozh1z6kGugv -A/SuYR0QGyqki3rF/gWm4cDWyP6ero8ruj2Z+NhzCVhGbqac9Ncn05XaN4NyHNNz4KJHmQM4 -XdVJeQApHMfsmyAcByRpV3iyOfw6hKC1nHyNvy6TYie3OdoXGK69PAlo/4SbPNXWCwPjV54U -99HrT8i9hyO3tklDeYVcuuuSC6HG6GioTBaxGpkK6FMskruhCRh1DGWoe8sjtxrCKIXDG//Q -K2LvpHsJkZhnjBQBzWgGamMhdQOAiIpugcaF8qmkLef0pSQQR4PKzfSNeVixBpvnGirZnQHX -lH3tA0rK8NvoqQE+9VaZyR6OST275Qm54E9Jkj0WgkDMzFnG5jrtEi5pPGyVsf2qHXt/hr4e -DjJG+/sTj3V/TItLRmP+ADRAcMHDuaHdpnDiBLNBvOmAkepknHrhIgOpnG5vDmVPbIeHXvNu -oPl1pZtA6FOyJ51KucB3IY3/h/LevIzvF9+3SQvR8m4wCxoOTnbtEfz16Vayfb/HbQqTjKXQ -wLYdvjpOlKLXbmwLwop8+iDzxOTlzQ2oy5GSsXyF7LUUaWYOgufNzsgtplF/IcE1U4UGSl2f -rbsbX3QAAAACAA5jZXJ0dW1lYy0zODRjYQAAAXwQWa1IAAVYLjUwOQAAAmkwggJlMIIB66AD 
-AgECAhB4jydcgRJSIKUE0C3dunP0MAoGCCqGSM49BAMDMHQxCzAJBgNVBAYTAlBMMSEwHwYD -VQQKExhBc3NlY28gRGF0YSBTeXN0ZW1zIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZp -Y2F0aW9uIEF1dGhvcml0eTEZMBcGA1UEAxMQQ2VydHVtIEVDLTM4NCBDQTAeFw0xODAzMjYw -NzI0NTRaFw00MzAzMjYwNzI0NTRaMHQxCzAJBgNVBAYTAlBMMSEwHwYDVQQKExhBc3NlY28g -RGF0YSBTeXN0ZW1zIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhv -cml0eTEZMBcGA1UEAxMQQ2VydHVtIEVDLTM4NCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IA -BMQojqsYW2q+bmQ3Y+TN7Ks698yhuA6CSdeGKZ+hlPLjYHiYgXgGTfLsmg5XYIOftOYXLxqz -XQJbiSM8whEFKqeIExjzUITXvTQsJ4lV/85M59+mHyjE8FTDuXy3U63rwqNCMEAwDwYDVR0T -AQH/BAUwAwEB/zAdBgNVHQ4EFgQUjQZmdCR2OvOJ97zWvUd9L7wQX0swDgYDVR0PAQH/BAQD -AgEGMAoGCCqGSM49BAMDA2gAMGUCMANVLabmGMR878lQbsEnD5yHr27VGwgYvZIpwe+UkXjS -OhxViWLlGwkeumRr8Xa01AIxALRChJn/q+ee+5GXJ13csFswcc5eOBpq2SXn6vdhklb46to2 -wodlli5yJS9/38MTyQAAAAIAHHNlY3VyaXR5Y29tbXVuaWNhdGlvbnJvb3RjYTIAAAF8EFmt -SAAFWC41MDkAAAN7MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQG -EwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMe -U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoXDTI5MDUy -OTA1MDAzOVowXTELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09NIFRydXN0IFN5c3RlbXMg -Q08uLExURC4xJzAlBgNVBAsTHlNlY3VyaXR5IENvbW11bmljYXRpb24gUm9vdENBMjCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAVOVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2 -l9amZIyoXvDjChz335c9S672XewhtUGrzbl+dp+++T42NKA7wfYxEUV0kz1XgMX5iZnK5atq -1LXaQZAQwdbWQonCv/Q4EpVMVAX3NuRFg3sUZdbcDE3R3n4MqzvEFb46VqZab3ZpUql6ucjr -appdUtAtCms1FgkQhNBqyjoGADdH5H5XTz+L62e4iKrFvlNVspHEfbmwhRkGeC7bYRr6hfVK -kaHnFtWOojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1KEOtOghY6rCcMU/Gt1SSw -awNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8QIH4D5csOPEK7DzP -MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBM -OqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpFcoJxDjrSzG+ntKEju/Ykn8sX -/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXcokgfGT+Ok+vx+hfuzU7jBBJV1uXk3fs+ -BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6q 
-tnRGEmyR7jTV7JqR50S+kDFy1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0 -eg29mvVXIwAHIRc/SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03AAAAAgARc3RhcmZpZWxk -Y2xhc3MyY2EAAAF8EFmtSAAFWC41MDkAAAQTMIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0B -AQUFADBoMQswCQYDVQQGEwJVUzElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywg -SW5jLjEyMDAGA1UECxMpU3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwHhcNMDQwNjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMG -A1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZpZWxk -IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3DQEBAQUAA4IB -DQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf8MOh2tTYbitTkPskpD6E -8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN+lq2cwQlZut3f+dZxkqZJRRU6ybH -838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZ -GD3/cVE8MC5fvj13c7JdBmzDI1aaK4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSN -F4Azbl5KXZnJHoe0nRrA1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgED -o4HFMIHCMB0GA1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/ -X7fRzt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0YXJm -aWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBDbGFzcyAyIENl -cnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD -ggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3L7IezMdeatiDh6GX70k1PncGQVhi -v45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56Deruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsg -Gh1o+Re49L2L7ShZ3U0WixeDyLJlxy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMt -lb71cZBDzI0fmgAKhynpVSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNzi -PTnNvT51cKEYWQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5QAAAACABthY3Rh -bGlzYXV0aGVudGljYXRpb25yb290Y2EAAAF8EFmtSAAFWC41MDkAAAW/MIIFuzCCA6OgAwIB -AgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQxDjAMBgNVBAcMBU1p -bGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0 -YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjEx -MjIwMlowazELMAkGA1UEBhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlz 
-IFMucC5BLi8wMzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBS -b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv -UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX4ay8IMKx -4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9KK3giq0itFZljoZU -j5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/gCczWw63igxdBzcIy2zSekci -RDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1YprbrxTIW6HMiRvhMCb8oJsfgadHHwTrozmS -Bp+Z07/T6k9QnBn+locePGX2oxgkg4YQ51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqE -guNTVHnd25zS8gebLra8Pu2Fbe8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeIC -rHuS0E4UT1lF9gxeKF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1 -fEwZtN4Fv6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn -fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7jPKxwV2d -pAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7YnzezhwlMkCAjbQMA8G -A1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbtifN7OHCUyQICNtAwDgYDVR0P -AQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQALe3KHwGCmSUyIWOYdiPcUZEim2FgKDk8T -Nd81HdTtBjHIgT5q1d07GjLukD0R0i70jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lS -cWoWPBkdg/iaKWW+9D+a2fDzWochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a -2hi/a5iB0P2avl4VSM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANA -TIGk0k9jpwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX -X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+OkfcvHlXHo -2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7RK4X9p2jIugErsWx0 -Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btUZCzJJ7VLkn5l/9Mt4blOvH+k -QSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJULysRJyU3eExRarDzzFhdFPFqSBX/wge2 -sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaTLnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXh -lgAAAAIAJXRydXN0d2F2ZWdsb2JhbGNlcnRpZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAF -WC41MDkAAAXeMIIF2jCCA8KgAwIBAgIMBfcOhtpJ80Y1LrqyMA0GCSqGSIb3DQEBCwUAMIGI -MQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xITAf -BgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1c3R3YXZlIEds 
-b2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNzA4MjMxOTM0MTJaFw00MjA4MjMx -OTM0MTJaMIGIMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0No -aWNhZ28xITAfBgNVBAoMGFRydXN0d2F2ZSBIb2xkaW5ncywgSW5jLjExMC8GA1UEAwwoVHJ1 -c3R3YXZlIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCAiIwDQYJKoZIhvcNAQEB -BQADggIPADCCAgoCggIBALldUShLPDeS0YLOvR29zd24q88KPuFd5dyqCblXAj7mY2Hf8g+C -Y66j96xz0XznswuvCAAJWX/NKSqIk4cXGIDtiLK0thAfLdZfVaITXdHG6wZWiYj+rDKd/VzD -Bcdu7oaJuogDnXIhhpCujwOl3J+IKMujkkkP7NAP4m1ET4BqstTnoApTAbqOl5F2brz81Ws2 -5kCI1nsvXwXoLG0R8+eyvpJETNKXpP7ScoFDB5zpET71ixpZfR9oWN0EACyW80OzfpgZdNmc -c9kYvkHHNHnZ9GLCQ7mzJ7Aiy/k9UscwR7PJPrhq4ufogXBeQotPJqX+OsIgbrv4Fo7NDKm0 -G2x2EOFYeUY+VM6AqFcJNykbmROPDMjWLBz7BegIlT1lRtzuzWniTY+HKE40Cz7PFNm73bZQ -mq131BnW2hqIyE4bJ3XYsgjxroMwuREOzYfwhI0Vcnyh78zyiGG69Gm7DIwLdVcEuE4qFC49 -DxweMqZiNu5m4iK4BUBjECLzMx10coos9TkpoNPnG4CELcU9402x/RpvumUHO1jsQkUm+9ja -JXLE9gCxInm943xZYkqcBW89zubWR2OZxiRvchLIrH+QtAuRcOi35hYQcRfO3gZPSEF9NUqj -ifLJS3tBEW1ntwiYTOURGa5CgNz7kAXU+FDKvuStx8KU1xad5hePrzb7AgMBAAGjQjBAMA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJngGWcNYtt2s9o9uFvo/ULSMQ6HMA4GA1UdDwEB -/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAmHNw4rDT7TnsTGDZqRKGFx6W0OhUKDtkLSGm -+J1WE2pIPU/HPinbbViDVD2HfSMF1OQc3Og4ZYbFdada2zUFvXfeuyk3QAUHw5RSn8pk3fEb -K9xGChACMf1KaA0HZJDmHvUqoai7PF35owgLEQzxPy0QlG/+4jSHg9bP5Rs1bdID4bANqKCq -RieCNqcVtgimQlRXtpla4gt5kNdXElE1GYhBaCXUNxeEFfsBctyV3lImIJgm4nb1J2/6ADtK -YdkNy1GTKv0WBpanI5ojSP5RvbbEsLFUzt5sQa0WZ37b/TjNuThOssFgy50X31ieemKyJo90 -lZvkWx3SD92YHJtZuSPTMaCm/zjdzyBP6VhWOmfD0faZmZ26NraAL4hHT4a/RDqA5Dccprrq -l5gR0IRiR2Qequ5AvzSxnI9O4fKSTx+O856X3vOmeWqJcU9LJxdI/uz0UA9PSX3MReO9ekDF -QdxhVicGaeVyQYHTtgGJoC86cnn+OjC/QezHYj6RS8fZMXZC+fc8Y+wmjHMMfRod6qh8h6jC -J3zhM0EPz8/8AKAigJ5Kp28AsEFFtyLKaEjFQqKu3R3y4G5OBVixwJAWKqQ9EEC+j2Jjg6mc -gn0tAumDMHzLJ8n9HmYAsC7TIS+OMxZsmO0QqAfWzJPP29FpHOTKyeC2nOnOcXHebD8WpHkA -AAACAApjZmNhZXZyb290AAABfBBZrUgABVguNTA5AAAFkTCCBY0wggN1oAMCAQICBBhKzNYw -DQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQ04xMDAuBgNVBAoMJ0NoaW5hIEZpbmFuY2lh 
-bCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEVMBMGA1UEAwwMQ0ZDQSBFViBST09UMB4XDTEy -MDgwODAzMDcwMVoXDTI5MTIzMTAzMDcwMVowVjELMAkGA1UEBhMCQ04xMDAuBgNVBAoMJ0No -aW5hIEZpbmFuY2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEVMBMGA1UEAwwMQ0ZDQSBF -ViBST09UMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA111rzRA/HwVZ1QVNN7EO -7JgrjhUd+pNLF4IhcRBS11FkcBbCVWlNjhVtn78MG8Lgo2fWDKzPIq6vd1QqS0yKU1J6w+4u -3rNxJcHpXT3uoS+j9yo8ySMdaqsdoafx8+yg1UTPFc9yLx1jl+iZ+f2TpFSATFLUUqsuSd+Q -zbhfvj/eocpNINQl6IQpU7exiB//+tqQnwqpLUE/sfEYKe4WWSw0SRqoBteoiNIDcnoy4upo -TW4slmV7yln68uLd7jAs+8xGrMRj629/Nis0cxKUf9/MJp7xcl1QZVmPabOHXjJvwxiKtZWP -sHo33lpFO8c24e9n0TnTl1tzYhlILYccBvt0mCBJc/AF0huxoKO3G3DTiGm5WtY49GLcJYt4 -v/jofrhcyZVPX6ctuSBrz2vd9Q30grf0smYuECj2l1p7lhaPARktbG5/OVgGZIMBg4PDTZLd -MsaHpDfpFs6qLWivCoFlOnDBm61NbVTKKi1LhRuzgOZwRQ1rXjXwfzu4nOQEcIkSJZPaCpki -YGpjYE52BphOvYOtHViKJYXSx2UeLY7G37bG4X+KBCEVKXTwPpyQnQwu8Yo+WqoMCR7H1Tyj -7ZfDHjT6OPkIDuPAXSuD0VZqybaoVFMueDJnPYJ/dND74bYFYLlw244L+RNYb3FgEFIQucFB -Ce9yH2cxeP+WBY0CAwEAAaNjMGEwHwYDVR0jBBgwFoAU4/4t/SjQC7W6tqLEvwaqBYyT+y8w -DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFOP+Lf0o0Au1urai -xL8GqgWMk/svMA0GCSqGSIb3DQEBCwUAA4ICAQAlxrpr64fL3oI5lj3wRKdrhHMD3p0rT7og -f7x4ss+XsBuc89d5LvVIttL7F4jm03o/7VMT0OIvannLACMo5h43VzWJhMJ2TzQ2rWfDzkEG -iMX37tgauNYLf1D/k6oXS4zs7VJgsqQG6k7r9GsZ/ev1GuAlKprcx0E298h0BYQ5lTnWCzuk -J/oI2Fwe+ARgUhEoKAP/71NmAKVKNBZmfP0JpK6eZxpvQQtrBhObj4ZxBbQvjYlmMyl2VJoR -+Cf6sj+R4M4NG/MwGq2/Il0b078lBU3hkhp/mZ88RJPK1EBJbICH1wQ6wzJSNQ5W+KXdfcSL -DREfU8seshe2aHda4NTLyAeu9Toujje30AFLQyl3jDmXj4Ja+FHliaAY52h/XQou+6NHDj2m -I3rGAcePyF6/bYBWvookujPqn+EyEZ7x0k+A9htArzieEVB5cxISzeZsnSyIcjwwgQaRIupZ -rdoZLiLCjbmMh+BmvHMjXyFkY4BI9aA8GD2UyEhBHUC6Xv7+VjmhyM9enhlkRhDaF5G3BYCs -i5mSfeei2AcLNifnSHlgisPXE1z4ckDfSsvPmQAKAAsRldpWRQOICp9n0NV5saiNQG0NwnpA -+vNfZEeSy1O5u1nOT/3QFVMB2N/r2eZ279AjuzupebPVAinNiaOWD0o1505CwHXNB8/mLOt7 -LgAAAAIAFWRpZ2ljZXJ0dHJ1c3RlZHJvb3RnNAAAAXwQWa1IAAVYLjUwOQAABZQwggWQMIID -eKADAgECAhAFmxtXno4hMuI5B72nd3VcMA0GCSqGSIb3DQEBDAUAMGIxCzAJBgNVBAYTAlVT 
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAf -BgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0xMzA4MDExMjAwMDBaFw0zODAx -MTUxMjAwMDBaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNV -BAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBH -NDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/mkHNo3rvkXUo8MCIwaTPswqcl -LskhPfKK2FnC4SmnPVirdprNrnsbhA3EMB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/G -nhWlfr6fqVcWWVVyr2iTcMKyunWZanMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O -7F5OyJP4IWGbNOsFxl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13j -rclPXuU15zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJB -MtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObURWBf3JFxG -j2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6nj3cAORFJYm2mkQZ -K37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxBYKqxYxhElRp2Yn72gLD76GSm -M9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5SUUd0viastkF13nqsX40/ybzTQRESW+UQ -UOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+xq4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS31 -2amyHeUbAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1Ud -DgQWBBTs1+OC0nFdZEzfLmc/57qYrhwPTzANBgkqhkiG9w0BAQwFAAOCAgEAu2HZfalsvhfE -kRvDoaIAjeNkaA9Wz3eucPn9mkqZucl4XAwMX+TmFClWCzZJXURj4K2clhhmGyMNPXnpbWvW -VPjSPMFDQK4dUPVS/JA7u5iZaWvHwaeoaKQn3J35J64whbn2Z006Po9ZOSJTROvIXQPK7VB6 -fWIhCoDIc2bRoAVgX+iltKevqPdtNZx8WorWojiZ83iL9E3SIAveBO6Mm0eBcg3AFDLvMFku -ruBx8lbkapdvklBtlo1oepqyNhR6BvIkuQkRUNcIsbiJeoQjYUIp5aPNoiBB19GcZNnqJqGL -FNdMGbJQQXE9P01wI4YMStyB0swylIQNCAmXHE/A7msgdDDS4Dk0EIUhFQEI6FUy3nFJ2SgX -UE3mvk3RdazQyvtBuEOlqtPDBURPLDab4vriRbgjU2wGb2dVf0a1TD9uKFp5JtKkqGKX0h7i -7UqLvBv9R0oN32dmfrJbQdA75PQ79ARj6e/CVABRoIoqyc54zNXqhwQYs86vSYiv85KZtrPm -YQ/ShQDnUBrkG5WdGaG5nLGbsQAe79APT0JsyQq87kP6OnGlyE0mpTX9iV28hWIdMtKgK1Tt -mlfB2/oQzxm3i0objwG2J5VT6LaJbVu8aNQj6ItRolb58KaAoNYes7wPD1N1KarqE3fk3oyB -Ia0HEEcRrYc9B9F1vM/zZn4AAAACACRlbnRydXN0cm9vdGNlcnRpZmljYXRpb25hdXRob3Jp -dHktZzQAAAF8EFmtSAAFWC41MDkAAAZPMIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVl 
-rVgwDQYJKoZIhvcNAQELBQAwgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJ -bmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQL -EzAoYykgMjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw -BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MB4XDTE1 -MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1F -bnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1z -MTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNl -IG9ubHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAt -IEc0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSX -bcr3DbVZwbPLqGgZ2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV -3imz/f3ET+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j -5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAMC1rlLAHG -VK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73TDtTUXm6Hnmo9RR3R -XRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNXwbMv9W3y+8qh+CmdRouzavbm -Zwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A2Vqq6nPopIICR5b+W45UYaPrL0swsIsj -dXJ8ITzI9vF01Bx7owVV7rtNOzK+mndmnqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM -6Nyfh3+9nEg2XpWjDrk4JFX8dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0 -LhyIRyk0X+IyqJwlN4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15d -Wf10hkNjc0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD -VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS5UKme4sP -DORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTSGwv2LFPSypBLhmb8 -qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGrhFV0d4QEJ1JrhkzO3bll/9bG -Xp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19y -IqtRLULVAJyZv967lDtX/Zr1hstWO1uIAeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7 -bIdKROf1beyAN/BYGW5KaHbwH5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDt -C3T7Zk6LERXpgUl+b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkv -FMSUHHuk2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol 
-IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk5F6G+TaU -33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuYn/PIjhs4ViFqUZPT -kcpG2om3PVODLAgfi49T3f+sHwAAAAIAF2NlcnR1bXRydXN0ZWRuZXR3b3JrY2EyAAABfBBZ -rUgABVguNTA5AAAF1jCCBdIwggO6oAMCAQICECHW0EpPJQ/JMjf8ql4SjekwDQYJKoZIhvcN -AQENBQAwgYAxCzAJBgNVBAYTAlBMMSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBT -LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJDAiBgNVBAMT -G0NlcnR1bSBUcnVzdGVkIE5ldHdvcmsgQ0EgMjAiGA8yMDExMTAwNjA4Mzk1NloYDzIwNDYx -MDA2MDgzOTU2WjCBgDELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9n -aWVzIFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIG -A1UEAxMbQ2VydHVtIFRydXN0ZWQgTmV0d29yayBDQSAyMIICIjANBgkqhkiG9w0BAQEFAAOC -Ag8AMIICCgKCAgEAvfl4+ObVgAxknYYblmRnPyI6HnUBfe/7XGeMycxca6mR5rlC5SBLm9qb -e7mZXdmbgEvXhEArJ9PoujC7Pgkap0mV7ytAJMKXx6fumyXvqAoAl4Vaqp3cKcniNQfrcE1K -1sGzVrihQTib0fsxf4/gX+GxPw+OFklg1waNGPmqJhCrKtPQ0WeNG0a+RzDVLnLRxWPa52N5 -RH5LYySJhi40PylMUosqp8DikSiJucBb+R3Z5yet/5oCl8HGUJKbAiy9qbk0WQq/hEr/3/6z -n+vZnuCYI+yma3cWKtvMrTscpIfcRnNeGWJoRVfkkIJCu0LW8GHgwaM9ZqNd9BjuiMmNF0Up -mTJ1AjHuKSbIawLmtWJFfzcVWiNoidQ+3k4nsPBADLxNF8tNorMe0AZa3faTz1d1mfX6hhpn -eLO/lv403L3nUlbls+V1e9dBkQXcXWnjlQ1DufyDljmVe2yAWk8TcsbXfSl6RLpSpCrVQUYJ -IP4ioLZbMI28iQzV13D4h1L92u+sUS4Hs07+0AnacO+Y+lbmbdu1V0vc5SwlFcieLnhO+Nqc -noYsylfzGuXIkosagpZ6w7xQEmnYDlpGizrrJvojybawgb5CAKT41v4wLsfSRvbljnX98sy5 -0IdbzAYQYLuDNbdeZ95H7JlI8aShFf6tjGKOOVVPORa5sWOd/7cCAwEAAaNCMEAwDwYDVR0T -AQH/BAUwAwEB/zAdBgNVHQ4EFgQUtqFUOQLDoD+Oirz61PgcptE6Dv0wDgYDVR0PAQH/BAQD -AgEGMA0GCSqGSIb3DQEBDQUAA4ICAQBxpQ7O5Om/PzjViVrEAmH7TMUUFy2LT1NrEBf8ZYTH -EEmQ3tvHJpOIJm9w1gJeOaD3j6uWtaUTXIEUbQ6BghEbik7GT6XdYh5E3wlZ9Ft3CzfpiyDG -+ApOLlgc6zPQz4Zgydr7gC+eTGCEeD0hZNb7QR8YD+fJdXG9vVzeNIc+QbAO9rnWPwkTlhQv -3podWrlWzjU6sF9wTV7jKfEjKHJZtqvCjGYmHHcsJnY1iyinaaD5O/Uj3YUQdMmQA1aR56+6 -R9QSlxEi46JJlGznt5RLui2k2jOLTKZE/1o8xh1k2LUx5KY8eqhXC9vtYRrL8c5zd2Okh29M -UTjW5F/Hn7aBKuSFSHlYXjv42wKCZ8E528N0Sz02Hvkpk4hoW6hEGSHwp+iBDSzokza0N7LK 
-sBsmepolH5qagJ5LKj/7o5r+czJxwp7GcuGKaCfx5A+0xEylYZP4lxAHKjAlqbnIcbjvaMwt -fvXgfg+CqG+2umyDQ3fNipIXoZ5beBY9ReIzct3hZsqZ08nFJv0NaARGrrbZm4y+Gb6xxvIZ -41wCyizYb0oH2ck12kB18sSnGW+eQhCYdeaVi2C87cUS14rO1ZhcVpYDxe53BjX/z+TuPxNh -7tvaLYXwza6dshgJRcOSoXIX/Ee2oAss8cTeQ2gIal878HZj+8wGLKbG4g61ub4kjwAAAAIA -JGVudHJ1c3Ryb290Y2VydGlmaWNhdGlvbmF1dGhvcml0eS1nMgAAAXwQWa1IAAVYLjUwOQAA -BEIwggQ+MIIDJqADAgECAgRKU4woMA0GCSqGSIb3DQEBCwUAMIG+MQswCQYDVQQGEwJVUzEW -MBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5ldC9s -ZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkgRW50cnVzdCwgSW5jLiAtIGZvciBhdXRo -b3JpemVkIHVzZSBvbmx5MTIwMAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkgLSBHMjAeFw0wOTA3MDcxNzI1NTRaFw0zMDEyMDcxNzU1NTRaMIG+MQswCQYD -VQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRy -dXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkgRW50cnVzdCwgSW5jLiAt -IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQDEylFbnRydXN0IFJvb3QgQ2VydGlm -aWNhdGlvbiBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -ALqEtnLbngxr4pnpMAGnduoyuJVBGsnaYU5Ycs/+9oJ5v3NhBgqlJ9izX9NFThxy1k4y8nKK -D/eDGdBqgIAARR6wx+eavxJXJxyjaC8Kh71qaw5eZfMcd9XUhY1wIbSzMueLotWGOQKxuNJH -zuTJScQ7p977VH1XvvDobsJ5sjoLVeJQmBYyE1wveFbBwpSz8lrkJ5qfJNfG7NCbJYLjzMLE -RcWMl3oGayoRn6kKbkg7b9vUERlC948Hv/VTX5w+9Bcs5mmsTjJMYnfqt+jluzS8GYuunFHn -t361U7EzIuVtz3A8Gvrim2e2g/SNpa9iTE3gWKxkNBID+LaNlGMkpHECAwEAAaNCMEAwDgYD -VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGpyJnrQHu995ztpUdRs -jZ+QEmarMA0GCSqGSIb3DQEBCwUAA4IBAQB5nx2WxrZ5PyKNh9OHAwRgamuaLlmJcxGsQ9H1 -E/+NOSvA8r1PcIypL+oXxAtUntQblpgzPKitYqIAdqtZaW4GHX7EuUSNmK8S1GHbChlGR/Pr -92PBQAVApdK39LWaNr+piHaIBFUEK5yHfxo3PH4tpRrY1Ileyr2sPWzYba/V83YPzTuIOCKd -bJOaxD2/ghtlP6YPXar85bIVyrWtxrw90ITo6gZysE05Mni/PhGcC6SdmiHz8JsLMHjbwdyH -Q/68Y5rKxcIcyceN/zsSWAjmtj3seixO+4OWzgw8aYdUc6RzwpP/URCsFVQB2PwFsYmhf3SD -mknX3E57ikhvi0X2AAAAAgA0aGVsbGVuaWNhY2FkZW1pY2FuZHJlc2VhcmNoaW5zdGl0dXRp -b25zZWNjcm9vdGNhMjAxNQAAAXwQWa1IAAVYLjUwOQAAAscwggLDMIICSqADAgECAgEAMAoG 
-CCqGSM49BAMCMIGqMQswCQYDVQQGEwJHUjEPMA0GA1UEBxMGQXRoZW5zMUQwQgYDVQQKEztI -ZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQuIEF1dGhv -cml0eTFEMEIGA1UEAxM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0 -aW9ucyBFQ0MgUm9vdENBIDIwMTUwHhcNMTUwNzA3MTAzNzEyWhcNNDAwNjMwMTAzNzEyWjCB -qjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh -ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNV -BAMTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgRUNDIFJv -b3RDQSAyMDE1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkqBB6EuChFzi+DERmYZkTgklL51B -LwquNU90lbJRZGuNa+Y/cJXwBURHpnI4UHaVAlqOriie+S1Ome8sSG9MJSno0XFb3x3BdTe0 -1/p7ekKcagpWWnxpC6qACSRsfsFGo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBBjAdBgNVHQ4EFgQUtCILgpkkAQ6cu+QO/b/7lyCTmSowCgYIKoZIzj0EAwIDZwAwZAIw -Z84WYjiirGJFp6mVJMAaJ5wyO8DA1bqp5/gEQ1OF7lIh3p31JYM+nlhLL9dnEw4hAjAF4XUB -3mjtKh9NTAkIDexLrWQXKOd1zkVlciEXyyJBDowTmDiaVG2byuJ86gJYIpEAAAACAB50d2Nh -cm9vdGNlcnRpZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAN/MIIDezCCAmOg -AwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJVEFJV0FO -LUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlmaWNhdGlv -biBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMzWhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQG -EwJUVzESMBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFU -V0NBIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQ -QeFEAcK0HMMxQhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HHK3XL -fJ+utdGdIzdjp9xCoi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeXRfwZVzsrb+RH -9JlF/h3x+JejiB03HFyP4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/zrX2SYgJbKdM1o5OaQ2Rg -XbL6Mv87BK9NQGr5x+PvI/1ry+UPizgN7gr8/g+YnzAx3WxSZfmLgb4i4RxYA7qRG4kHAgMB -AAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsm -jd6LWvJPelSDGRjjCDWmujANBgkqhkiG9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6w -QT25JmSDCi/oQMCXKCeCMErJk/9q56YAf4lCmtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1 
-BgNVBAMTJFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDExMDEx -NzE0MDRaFw0zNTAxMDEwNTM3MTlaMIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3Lnhy -YW1wc2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMx -LTArBgNVBAMTJFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJgkHr0VtLrfx4ylJ7Y4C2nztk6oLC4hHVxE3yFd -fiN0/l5+tEq3pq0fruAGFuKbW9lndGtdgI8pnYYb2ZwNmG12EChY5GWwf0qYeZ/gwzF+gCu1 -jMBAOxGG0MuihjZgpNUwgm3ZbtAPEgQzl19PYVrw5PmRq+cdO7zoz/RrLTR84khhHI7zYUTM -b6BKqZSwTdrnqTR6cjioQcw8lBF968imjLeGy8ozO9k9N4v7ej6GLOdz1wpXrGSbGev0DwQI -iqwDFxlk9FolIo00LLL2aB0SbdOKHhTaxI+m4iOF1XoNvWrg6ezsF7tCG2eqJe1FgyH8wcl8 -1WI++vLFLdP91GUCAwEAAaOBnzCBnDATBgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMC -AYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxk+iPQZjhAmczmLkBKyNXLXpthswNgYD -VR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC54cmFtcHNlY3VyaXR5LmNvbS9YR0NBLmNybDAQ -BgkrBgEEAYI3FQEEAwIBATANBgkqhkiG9w0BAQUFAAOCAQEAkRU5AwEbZ/tKHPkKYFuh2k2X -YvkkUyfXgmROkC7DSRsrmtz8qHhnNfEd8BG9t0jjEPYN3z/SybaqVaRIugLb3lkuFVs7nRZ9 -R9c36l9NdhI2ux/XoYEERiCjLG2pngF+PynOAJPf/cmSc4mJZJ7nK+QckSzSuc59zm8xmdPm -vtIekPAJFHlcI6tN0tohH02ZeZ3hzyefEJsciA2wimRBMbgObJAkpJtccY+6u34cG9tqgA8h -vOnbprdA9LKLqbHk75oa0D1pme6oKKPhPLPwshGcz3xA5t3nQ32i2Dq1qY3yNJnE1BDhBv0J -hBA77sRM9OwnfELCdHyCignJtAMlvAAAAAIAEXF1b3ZhZGlzcm9vdGNhM2czAAABfBBZrUgA -BVguNTA5AAAFZDCCBWAwggNIoAMCAQICFC71mwIop9t6/9Wjqe69A6DPEmodMA0GCSqGSIb3 -DQEBCwUAMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYD -VQQDExVRdW9WYWRpcyBSb290IENBIDMgRzMwHhcNMTIwMTEyMjAyNjMyWhcNNDIwMTEyMjAy -NjMyWjBIMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEeMBwGA1UE -AxMVUXVvVmFkaXMgUm9vdCBDQSAzIEczMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC -AgEAs8sOEGeO6hSXpzIqClY2f2hMx7NvOiMUkf8Zf6XKrO6zdp166Ysbq2sx2/oLU0yvxaUa -eTyKTP+s3yXeTtmCMgtE3srbjKyjbhaDO6ZkSzKJ+xYWOH7rQ+LTdErCYgpzCt1Js1fSsAqF -nXE83qPLwDLzATkgQxs10VOzse7Fk2mCPha1KEah3uqJCe1DuAVGiob1WUe+G28BIRC5/anS -KMoQOQnKEzbPnK2tQHR5KwI/NP/6IGl90+5h9bqz5zDQNyOGcmFFKUhZaG93pi6BvgdNb6/O 
-xEUTkRRwBo8fn/iHabEO78OJGevqHGH8emyK3NYDC54muhLd1FQ5qyajM+p1gdotzQ9P5APR -7xWXG2uQxQKQk2YCIbFH3ouaSoC5VY+1oi/A1jNn2n7Ep7QEROtH++ZYufcM8HsrscBwKcNA -Yi07SGncIzxI63sJealt2qgwmM+AcgOIpltGrnJ5fAgDIWWut+EcpbEqojHeZgT3wHTocd7/ -PVnMliYSi4WVVxqra3ULRD0RKDx7Ybfij2dP5ew8TGCAaVc4HgFbjVXox9/AzHcjNEl1fPaY -Eest3u1BLhQFAn/g/iDrNecRrCLOVz3eyTBtEAOFzfH/jBa1wbI+iGxgf5BPlff2La0BOQcE -+nWAfb9JUO3vycR8HOuAftu20N0T/snTnNeyl6kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMYX0Lyo6gJD8hsGmV0rkCC515zkMA0GCSqG -SIb3DQEBCwUAA4ICAQA0YdlWtRKHVU3dozUxRrukB3K8X2Fi6KX7CzexPLaz+imdfwL1pMmo -k7d6cShpj3PhUpDa1b465bd2alaAId9d5uk6nuU+9qJpxyoKsBhH3CBwfVKjPll8wbrJyBVA -Ycpy1nCs0rfwHOSGKfDO72hj0LUgihVhmn6GmLTJwnb7zLowFsyjYcZ0E+Vr76MV6gP+E4tk -5NPB0uiE+0nREE15Zuuq/fSNMR5wFK3c3mcTTIEVYby32ZF3cRmBYLvwWKW1nAv3jyJVJ8BL -AW07mQ3UHZtjZy/Q7g3KZryUT6at7fzuY6xXP2Ulz7KGj9AI/7h2FG7e5Sfsq3i1U7m2P+gg -+dKovmFGyoeMhPP58aBomyIegSabEASRccAGH9yg07lWp+OYLX+Dnd+MK5wyjjKU8AE8Iiqf -Q8Iuw5g5Bzh7/F4AQh/zMiZ5g4T25fDBURLACx4EIwxUpUwvScVK0bZuYA1r/GuLhSRkt4kO -qyVHWzzPfkm9x+kKxtr3fg4XCNNIl9BxkvAPOT40ahx92PIirrtp9DO0pkhV0Q8OJujstgst -p4U1zf1ZyJ/RzT5aKTS5PYTOsWXUWZGRVnUhwXee+XrhYJ3TrQQY9HzrXpOPU0oiKfhIKz5N -hqxbf8sGmVlg2FhllY1E0fd/fid/fa6A9QdMtj6ccVSZBEv9WPmY9AAAAAIAEnNlY3VyZXNp -Z25yb290Y2ExMQAAAXwQWa1IAAVYLjUwOQAAA3EwggNtMIICVaADAgECAgEBMA0GCSqGSIb3 -DQEBBQUAMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZpY2F0aW9uIFNl -cnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RDQTExMB4XDTA5MDQwODA0 -NTY0N1oXDTI5MDQwODA0NTY0N1owWDELMAkGA1UEBhMCSlAxKzApBgNVBAoTIkphcGFuIENl -cnRpZmljYXRpb24gU2VydmljZXMsIEluYy4xHDAaBgNVBAMTE1NlY3VyZVNpZ24gUm9vdENB -MTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD9d6qlHJAFO8tMmzOLWhRFpOeQ -FtHfV9IhEKQX/d+s1h+n5Nt89+zfuAPalFj9XXJ8jD9fAWd0FZbjAjyH267LAY7C82bGhUX0 -AsY6tWKyr/qcv6Tm1IAwmPMNtpOPqdTYNvKw/IrKLKEVM5Ux2sAb8u5imYZjP7/dkyqDqHa5 -Ex+3zk5ChY8i5y4a8pUJsgW1RE53oSC9qfJOCn1QrfUFDUVPRnH9KD5T+wTYLddlHUob+s87 -sDGaNW7IiwbTAJHylAhlTLE0BgB6ieLwxwNZz9XW6Kcys+aYQIbFzScSi8x7zrcRPGJgByM+ 
-K0BulIAJbbazb3dvNQhQ+wKHxT6JAgMBAAGjQjBAMB0GA1UdDgQWBBRb+E1PsqWG1DrS8WOa -oL4J9le33jAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUF -AAOCAQEAoKE4FmYup1YfIZwG+h3tuSLFOCbYTk/so3953kYhoYd3jwcImrKkxa8PMpgLfGYp -tpt9JVJJQ6tMLituenCvFg7jAmz7QuYYnUXYVcjoO93n4fQuCxw0XGxYSvuMiFBflRy/7asi -tWWzhbqeD7it5XobilA6Hb0NvHtUUAu5Qq9VoBiBrWWZ777knL/EhatBslRv3CXN7XjijgyN -CUndY3taaZYCIai9UlnpfTXLyFLKf4H+2WvT9xHtJd/45/mk+nKXhFMNpdAyGFF2WRRsD+vs -X4CMdUODw4WY/0yeLQ3kd4OTTrWWB4soE5uMGY1BJ0lA7t7mI0Q53KEi1roD8gAAAAIAEmFm -ZmlybXRydXN0cHJlbWl1bQAAAXwQWa1IAAVYLjUwOQAABUowggVGMIIDLqADAgECAghtjBRG -saYK7jANBgkqhkiG9w0BAQwFADBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLQWZmaXJtVHJ1 -c3QxHDAaBgNVBAMME0FmZmlybVRydXN0IFByZW1pdW0wHhcNMTAwMTI5MTQxMDM2WhcNNDAx -MjMxMTQxMDM2WjBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLQWZmaXJtVHJ1c3QxHDAaBgNV -BAMME0FmZmlybVRydXN0IFByZW1pdW0wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQDEEt+pX/5B3d31n4rj9qzhPHiavNjwf3qgMyrcjSBbri1v55PZNnBqaM+OUaOFW2cEoBAk -b10ogsGXV9hIKRO24b6RTd+FDFMYmh4kok+P8KKFC8v0KX/SpFjuJk3Jqqh7mtn6ON5EVxXl -+IzI2UjiDRYnHR7Ig4Ult7qqVUHMAyJLLZGNi+aJr2bH6f8r6Tys2tKzw+FonIn4egBW3vRV -lWz7umTdYovfC3cy62LMJpqbu6pig0y0BnowyCm/7QZNl7kcxDEr1V+8UxIXnJlXKWZ3YSEx -By4lSZ0Y8u7zK3GMtbo5B0l3/O8ukpAFjS0vd3vvQ781u5rY+XOnLPLQV+4oTiZfj5BoCS+4 -+NwG6S6aPlGn0SLECqc4SGyz+f99q4ZX47rWhXh3ukPqSH/22L4jbR6/0TZsWFzx7qQZVBr1 -A9J25uGMvTyz00hL4sj4f5KodkacQmU+pB7BBwNaRi24l/O31bJVIe+63EwAl/sUlSczv+hD -R0bSCJkWYDuaftLm7Tjq7AEePEhWSQnHTDcAnogOwHPhb2bpckcwPhDlCwPJmkIAbMWUfmHE -it9/ghoLWcRZMnezvGBpVjn9tAZ7LNZkNtm9SO2EH36lIo8quEL0grfUU5B4Ti0a/YFvRNc7 -AXSWQuAA4i5r6sXucqy7v/7qqqj43PayeYq2ZwIDAQABo0IwQDAdBgNVHQ4EFgQUncBnpgwi -2Sb1RaumZVIRJ9hFrGMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI -hvcNAQEMBQADggIBALNXTRBiTjrkrOq4HK8yI8izSVpRnHYojXmqV0YX1fVS9rdE6AhEvxiE -0guAzcUS/QBVBWGHQdy1JJ48xNjI+3CeL3iWgyA23nwPaROIpXU2mAimxt+szuNY1rc+3rrz -6zRA2KKB9Xg/L9Wl/Nmi1F4EDhet/kHw5bJy+kSCM0LoLVj3VoxiP7pCsJwMXH4uZSZcU08A -snh+oQ2ZLY24HY6ixLD9YNAwpI7IBGKpxO013nqX7Q44XpIvk3ClqZxvp30THX7GCEixXmfr 
-UQgl6eYla1IpkZzSOXMIV96ZBrRbnRAG4cIAqLgcSgIKFNDBQcr7jDUhfYI48qlUkRk1k5Rt -ajrFstC7iYaT6JvJDzqnerih8HhG+vw3L+WKhPPf/gTZoWigLyTiCZUG1ZXK4SSW63z2kwW7 -7XPpLdF1OdfnJNvYTl9Dj57QFDm/VXBImVcxtJzuSpgDljAfYAbuGyP+gWAjGkdihaXMGTSA -b7OsGuOf8HtIrdUB2We2qXKT6i1mtbK45D08su9MjOrrB7+rNZpVhrwYprWoXrSDbGtpQNOf -3PHDaWu54W0J9PGqUHYKen16F6FVlkKZMQndYBGNBTB+5o5G0Z0U2scX5AWWjMQktRvPFAey -QPijnkGGvATQa5bIKoA0/b/vBqPdWMWFPT6P/p4p4La4CWgZHBhDAAAAAgAQZ2xvYmFsc2ln -bnJvb3RjYQAAAXwQWa1IAAVYLjUwOQAAA3kwggN1MIICXaADAgECAgsEAAAAAAEVS1rDlDAN -BgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1z -YTEQMA4GA1UECxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTk4 -MDkwMTEyMDAwMFoXDTI4MDEyODEyMDAwMFowVzELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEds -b2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24g -Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoO5pmNzqPjT4p++/GL -gyVr6kgf8SqwuZURBL3wY9HiZ2bPHN3PG0gr7o2JjpqvKYBlq+nHLRLLqxxMcAehPQowzRWN -T/jd1IxQFRzvUO7ELvf86VLykX3gbdU1MI5eQ3PyQenVauOyiTpWOThvBjyIaVsqTcWnVLhs -icyb+TzK5f2J9RI8kniW1tx0bpNEYdGNx0aydQ6G6BmK1W1s1XgWlaLpyAo46/IkE09zVJMT -hTobvB40tYsFjLl3i7HbHyCRqwlTbpDOezd0uXBHkSJRYxZ5rrGuQSYIyBkr0UaqSNZkKteD -NP8sKsFsGUNKB4Xn03z2IWjv6vJSn3+TkM8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3 -DQEBBQUAA4IBAQDWc+d8T3bQjb/suqK+NMUoMrV8/GycLCu9CZ5Tv2teqhFItuUIo7PKPWFN -00YJsz7DoONjVRvyuu+tOeFDuTij5i+KJjvvoFBW+cYK/TjNxAtwUZSXmATfw1+U1RXJFEGc -xF11ZBUN/1Uw7IaP/w3vLLljRvaq/N+8af0uEkhkmuCV8KbvKY8BsRW1DB2l/mksaSR4HrOn -HHFi7srIl6wXXYrC+EeGbirEVjGV0GeJhSv5bKZdRp0MqoLkmVHdcLfbVj1h5GrhXNb2/j3e -QcwHrmNSv1NT9Cvpx/2294JfhdJBGNuBswQcxR+kgG8VIMneDIgKHdZmVeL8SMkpJmngAAAA -AgARcXVvdmFkaXNyb290Y2EyZzMAAAF8EFmtSAAFWC41MDkAAAVkMIIFYDCCA0igAwIBAgIU -RFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQELBQAwSDELMAkGA1UEBhMCQk0xGTAX -BgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAcBgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBH -MzAeFw0xMjAxMTIxODU5MzJaFw00MjAxMTIxODU5MzJaMEgxCzAJBgNVBAYTAkJNMRkwFwYD 
-VQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDIgRzMw -ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQChriWyARjcV4g/Ruv5r+LrI3HimtFh -ZiFfqq8nUeVuGxbULX1QsFN3vXg6YOJkApt8hpvWGo6t/x8Vf9WVHhLL5hSEBMHfNrMWn4rj -yduYNM7YMxcoRvynyfDStNVNCXJJ+fKH46nafaF9a7I6JaltUkSs+L5u+9ymc5GQYaYDFCDy -54ejiK2toIz/pgslUiXnFgHVy7g1gQyjO/Dh4fxaXc6AcW34Sas+O7q414AB+6XrW7PFXmAq -MaCvN+ggOp+oMiwMzAkd056OXbxMmO7FGmh77FOm6RQ1o9/NgJ8MSPsc9PG/Srj61YxxSscf -rf5BmrODXfKEVu+lV0POKa2Mq1W/xPtbAd0jIaFYAI7D0GoT7RPjEiuA3GfmlbLNHiJuKvhB -1PLKFAeNilUSxmn1uIZoL1NesNKqIcGY5jDjZ1XHm26sGahVpkUG0CM62+tlXSoREfA7T8pt -9DTEceT/AFr2XK4jYIVz8eQQsSWu1ZK7E8EM4DnatDlXtas1qnIhO4M15zHfeiFuuDIIfR0y -kRVKYnLP43ehvNURG3YBZwjgQQvD6xVu+KQZ2aKrr+InUlYrAoosFCT5v0ICvybIxo/gbjh9 -Uy3l7ZizlWNof/k19N+IxWA1ksB8aRxhlRbQ694Lrz4EEEVlWFA4r0jyWbYW8jwNkALGcC4B -rTwV1wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4E -FgQU7edvdlq/YOxJW8ald7tyFnGbxD0wDQYJKoZIhvcNAQELBQADggIBAJHfgD9DCX5xwvfr -s4iP4VGyvD11+ShdyLyZm3tdquXK4Qr36LLTn91nMX66AarHakE7kNQIXLJgapDwyM4DYvmL -7ftuKtwGTTwpD4kWilhMSA/ohGHqPHKmd+RCroijQ1h5fq7KpVMNqT1wvSAZYaRsOPxDMuHB -R//47PERIjKWnML2W2mWeyAMQ0GaW/ZZGYjeVYg3UQt4XAoeo0L9x52ID8DyeAIkVJOviYeI -yUqAHerQbj5hLja7NQ4nlv1mNDthcnPxFlxHBlRJAHpYErAK74X9sbgzdWqTHBLmYF5vHX/J -HyPLhGGfHoJE+V+tYlUkmlKY7VHnoX6XOuYvHxHaU4AshZ6rNRDbIl9qxV6XU/IyAgkwo1jw -DQHVcsaxfGl7w/U2Rcxhbl5MlMVerugOXou/983g7aEOGzPuVBj+D77vfoRrQ+NwmNtddbIN -WQeFFSM51vHfqSYP1kjHs6Yi9TM3WpVHn3u6GBVv/9YUZINJ0gpnIdsPNWNgKCLjsZWDzYWm -3S8P52dSbrsvhXz1SnPnxT7AvSESBT/8twNJAlvIJebiVDj1eYeMHVOyToV7BjjHLPj4sHKN -JeV3UvQDHEimUF+IIDBu8oJDqz2XhOdT+yHBTw8imoa4WSr2Rz0ZiC3oheGe7IUIarFsNMkd -7EgrO3jtZsSOeWmD3n+MAAAAAgAVYWZmaXJtdHJ1c3RwcmVtaXVtZWNjAAABfBBZrUgABVgu -NTA5AAACAjCCAf4wggGFoAMCAQICCHSXJYrHP3pUMAoGCCqGSM49BAMDMEUxCzAJBgNVBAYT -AlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJtVHJ1c3QgUHJlbWl1 -bSBFQ0MwHhcNMTAwMTI5MTQyMDI0WhcNNDAxMjMxMTQyMDI0WjBFMQswCQYDVQQGEwJVUzEU -MBIGA1UECgwLQWZmaXJtVHJ1c3QxIDAeBgNVBAMMF0FmZmlybVRydXN0IFByZW1pdW0gRUND 
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDTBeGxWdA9CheTW3OjySesoVHM1i85wmXAc95VT6 -o9bMEur0FF/ojhmrLy5I5qwYQ3is0DfDvbLNLOZH4hrmY7g9Li94xE/b9A+kaExVcmuVHU4Y -QpV4zDc8keKbZSspo0IwQDAdBgNVHQ4EFgQUmq8pesARNTUmUTAAw2r+QNWu1jwwDwYDVR0T -AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDZwAwZAIwFwnzh4hQWq/I -wEK/R1/1bGqG4MQndOQ4U9cFfxs048Yvs8oJPDed1+e4RvH9oeJxAjBCWYdD1FHfutMJMlrO -iH5XPZxfQmv1By218IKT+VlvrmT6WOWLHuNjvrWBzW8CjHkAAAACABNob25na29uZ3Bvc3Ry -b290Y2EzAAABfBBZrUgABVguNTA5AAAF0zCCBc8wggO3oAMCAQICFAgWX4pMpewAyZNA38TG -riO4HFqkMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNVBAYTAkhLMRIwEAYDVQQIEwlIb25nIEtv -bmcxEjAQBgNVBAcTCUhvbmcgS29uZzEWMBQGA1UEChMNSG9uZ2tvbmcgUG9zdDEgMB4GA1UE -AxMXSG9uZ2tvbmcgUG9zdCBSb290IENBIDMwHhcNMTcwNjAzMDIyOTQ2WhcNNDIwNjAzMDIy -OTQ2WjBvMQswCQYDVQQGEwJISzESMBAGA1UECBMJSG9uZyBLb25nMRIwEAYDVQQHEwlIb25n -IEtvbmcxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg -Um9vdCBDQSAzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs4jX6s4PIE6+5tYD -be5Z/MJX3ylooYMOPmjHaFicHGBLiUMMudQVsu7BTnXptafv5ek1meTMHOdLX40zMCAzU9mm -u9U+E47pH4dJrVAtUMoYvgFYohNwlruJiFaAXPi9LDzhTFeIu9O5le/Lx/baMXQopuZUifVB -McrlJhrNguBw2jspu9UD9Zm6VfVk0WAOs4lJuIovBdKERSh8j2hQEnj8C7VTy8KYHISjnrC+ -I6Ta3MgrHtpuRR6JmNr5AC4G6Qw7cNVQJYiZy81zYPfV/zVnxaG8XqvNSrhF68hoHg0NFEYS -49JkYopCmLy0xggI+P2oTGScdgG9L6lsMw/YPyi4PGkBQoZ+acHJBsrlekZl6cLWUEEuP7fk -7WzXvyYBEaIWKUprNAaQ7BPStvtqdtI87fDWLd3hFeyjmy8syT4r5Gk7/3IlsTaGW8d/a4tV -G0rFIGE9rstQ4Qg6vrCPY0FTMAhZPJgdd7pjkXrKEFBgv/DXvJWHj5fF/pdqAZSjfFuFHSo5 -OtBUodE5cZ39Ifm1e/Di4AKPbpYkJSygHiyoxImn7+2ZBi+2CkxP26LMNxqvR4Util/ENDRM -AP0Yk2cT0TfmSLSLBsVXexmGCnnLAMlSr0L/N4/hox56PVCrYwbnFbU/tkU3lDexfvJIw3/F -df6XjUWPGqcacigaQA8CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwHwYDVR0jBBgwFoAUF53NHovWOStw01zUoLgfsAD8xWEwHQYDVR0OBBYEFBedzR6L1jkr -cNNc1KC4H7AA/MVhMA0GCSqGSIb3DQEBCwUAA4ICAQBW1Xtu5iIB0kKbGNUO12YjXOP+oMeS -0umUrUuixuwSfHTVSNJZFJnA67nR6/RIMFutp1dzmanT5bfRLlkkWNxoLi5i2GrkcAstIFAg -pDKV0QCYu9P99zLySa7GeuBHvm7Oy6NyOi1pXcvI6EU51PpCwRFMd12S+2r/WETl64Ger6CZ 
-rb6pAWbLOB0830Mf9E1utLoXRvx9/YeBeWoNMw/6L/gUuYCzXU2ql+H55BjF+NU4jCY8/fIo -4u5aSYgs33k9jp6QPL1BSjrdW/aatM4/JTB/Mn2iA5TQ3HqhUt5uk40YJv1VrL2Pm9LPr+eG -LMsfCW+jb6mE1HO/TaF0G04jYPLMDqp/pJxMJaiyZjs4/9mUMPZyhL5oVRAPxnMsFmmTB/6x -Re27olVqsNq1SgIlJ4XXt7eGRBaJbIArPpepnNV+VUzG3kUQHOrpO58DU+7uegECFnjU6MK+ -RnaIEz8iu0gSHVIAtAJ+IRoenCX08z1eHtIc+bMttvc3XMbLIU6w95lHGIXBK7pVrgbq0Aey -3KvQgpZ1ztJQ/pnnzy+f53bRYSr7Ibsx0KqfR6SyIsoWOlBXxFtDZ8VlYgNJAetD2dj4nq3P -sWMORfSgWiybLcWmwK2oR/QnTDgNLhtJO1L06IiDK1Qo1PI1UrQyg2JpZAyRnJ+X6nQW/R8R -Bpqb9AAAAAIAEmUtc3ppZ25vcm9vdGNhMjAxNwAAAXwQWa1IAAVYLjUwOQAAAkQwggJAMIIB -5aADAgECAgwBVEjvIf2XWQ31BAowCgYIKoZIzj0EAwIwcTELMAkGA1UEBhMCSFUxETAPBgNV -BAcMCEJ1ZGFwZXN0MRYwFAYDVQQKDA1NaWNyb3NlYyBMdGQuMRcwFQYDVQRhDA5WQVRIVS0y -MzU4NDQ5NzEeMBwGA1UEAwwVZS1Temlnbm8gUm9vdCBDQSAyMDE3MB4XDTE3MDgyMjEyMDcw -NloXDTQyMDgyMjEyMDcwNlowcTELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRYw -FAYDVQQKDA1NaWNyb3NlYyBMdGQuMRcwFQYDVQRhDA5WQVRIVS0yMzU4NDQ5NzEeMBwGA1UE -AwwVZS1Temlnbm8gUm9vdCBDQSAyMDE3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEltw9 -itiwe2/GJ75EkLGzVhV7jkMkfRqEWe5jaLLGXofQFUgeqJCtvVOi2t46kKZgX2gytYZB34db -LHvF/nx62qNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE -FIcRFQjRqsF4DLGvzsbJkO+/MATAMB8GA1UdIwQYMBaAFIcRFQjRqsF4DLGvzsbJkO+/MATA -MAoGCCqGSM49BAMCA0kAMEYCIQC1V93XilULNuGGRPrU2WiNuNwjiooN1C996nPsv01sqAIh -AMultBL657Xoz36T/PM1j29OWny0vE6y/HKqW1n559wxAAAAAgAfYWNyYWl6Zm5tdC1yY21z -ZXJ2aWRvcmVzc2VndXJvcwAAAXwQWa1IAAVYLjUwOQAAAnIwggJuMIIB86ADAgECAhBi9jJs -5cTjaFwbYt2cLp2VMAoGCCqGSM49BAMDMHgxCzAJBgNVBAYTAkVTMREwDwYDVQQKDAhGTk1U -LVJDTTEOMAwGA1UECwwFQ2VyZXMxGDAWBgNVBGEMD1ZBVEVTLVEyODI2MDA0SjEsMCoGA1UE -AwwjQUMgUkFJWiBGTk1ULVJDTSBTRVJWSURPUkVTIFNFR1VST1MwHhcNMTgxMjIwMDkzNzMz -WhcNNDMxMjIwMDkzNzMzWjB4MQswCQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAM -BgNVBAsMBUNlcmVzMRgwFgYDVQRhDA9WQVRFUy1RMjgyNjAwNEoxLDAqBgNVBAMMI0FDIFJB -SVogRk5NVC1SQ00gU0VSVklET1JFUyBTRUdVUk9TMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE -9rpXU8jKq982SlIh5JfSg2ee8GVR0F6Hx0exWfJXR5sAApNEF2nbQsexsjoYDrRdjLNmXaE0 
-+TYsSdvzRvyzRGlEE2b918X9rzZNzgNNB3HPr2oF0qJDWgpSbwEDTo6Lo0IwQDAPBgNVHRMB -Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUAbkv778RhmDyT9BBbqtzH+fS -bkkwCgYIKoZIzj0EAwMDaQAwZgIxAK5K4ytAw3QR8pWtFiPeTgwa5l2lJF5rRHv8OOJPy5xF -FxFMFCcmVTl1SgPME5CfkgIxAPpKbGCIc/PuuJhiqc4rwtmKpnAxHa+wlEzrT8bj0fNipzz/ -ky4HXEkBZ2kSAnK/5wAAAAIAEXF1b3ZhZGlzcm9vdGNhMWczAAABfBBZrUgABVguNTA5AAAF -ZDCCBWAwggNIoAMCAQICFHhYXy6tLBlL4zcHNTQTKLWW1GWTMA0GCSqGSIb3DQEBCwUAMEgx -CzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYDVQQDExVRdW9W -YWRpcyBSb290IENBIDEgRzMwHhcNMTIwMTEyMTcyNzQ0WhcNNDIwMTEyMTcyNzQ0WjBIMQsw -CQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEeMBwGA1UEAxMVUXVvVmFk -aXMgUm9vdCBDQSAxIEczMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoL5QEI7p -8mxAtASchbkxytwt5BGpBDwbVcHnWDAdJLTD74XejCzhwT3fguZPrUeHbOxbScFK1buP7Ies -f4Kahuw9A5lSAdI1nqza8FPJZjzUrAIB2iTTO6gCRq+kHOP4c1h2t/YOkA218M/M+vnGTOXD -hjAKjRd+NevF37sOnMCNh+OIOIVn+j7Hq+ATnAUYmM+T9bGStPwj08/VxCdJ4J48mwiji10q -IeD8OapT2n1+zxoJU7xdBQTPoUqPi3aCDaH40scUd1uQNgeBmz4G+lJeY8WmAP6l6VIbUrWS -OXIDCWK9sGAWbqbdJcIDZt3zBNFA4k6LhvRv5YOgJ4ReBMH1kL0wPcTvqGm8OJukpJbRYtpp -wAGWrsvEUTTqDKr/IY5Zj0pc5GGap9LpKniNUT06Fe6iWY6pXN7F+ZAi5YhFcd2RmWx6nz09 -mHxe9r4WaKBergsj/FoPqiJ2LcmhEB3k00QjkIifxirm1/Was1geLzCJCBtUorWYI+wIdxyV -XWHRy4mcX6JKkZrvIapJFgiovWEoMcl0rYX22cWxi9HlEDJNX4sgOjxJHzOFWQ3bywl1Q2lz -+2txffDfxEx9xqMuyJV5y3Oijk5NJPte5AS+chumJy1JWpl611wJILd/lLlP8Q0cXohCGxG3 -55Hbnmz0at+MBpgDrcwo76VH81MCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B -Af8EBAMCAQYwHQYDVR0OBBYEFKOX1vNeohDhq0WfPBdkPO4BcJzMMA0GCSqGSIb3DQEBCwUA -A4ICAQAY+lt1/D56x193x8rfz1/DEsRAXdQyqrhq19UVFUaYI6XmkFsYmUzjrUKjgjE2iM3p -+8QElkiLAceNAc9bMwaWRmZ0HU/twba5tA1hzGN+1y53jJYcKiNoa4VXdnAzE/7hT6Yjdxj6 -GozovWXJzz/0yRfc68e8wAQuLUYvaWbDG4/+7D7TypS/dgolDal7Ahyp0DtfC8CBOj1k4b+n -LU69TcTYKcYiGNDFrHICgj+qOqI6Ipcx3Qhjw3UUuWAoLVto4BapZoIjUfXrU9gxm3vpt51L -64gWz/ldOIpJMI/t8esZ9HcaMRhNZ1RsL29l+ds97CHsXvT0i8pgZVTRcWT0+aajgTM2M3Hw -pHhfTq2DId40SY3oWayd8nZaNvIT9K/gCcdhKmz34J2uu4ZKKG8u7rR5zZAzw7N2+vXwbJ0B 
-kPqekPaccs9H2sMf5DUgU/JU0d9hg6YC4iU43oUyLV5zkFJdQsTOPUvh+RmEHdWiUMxB+0EU -w73WyVqjY2YCgL0FOjtHnOwAJkz1iFG/qCN/GAewC+2LJqFk02FK61yf3rOvZwOzH91tXWlo -aateOux8abzHO4VOnhW5tBVPw5V6WNfJbOlsufMpY160LPAtPe1aZeCpW0DCSJmBbZ4fBio8 -ErSLD5uiJPCmjdZ64Eu2ZJZjlYTCSs0cLiSHM2DlwwAAAAIAE2hvbmdrb25ncG9zdHJvb3Rj -YTEAAAF8EFmtSAAFWC41MDkAAAM0MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAw -RzELMAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr -b25nIFBvc3QgUm9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzEL -MAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25n -IFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArP84tulm -AknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQjVrhVcNQhrkpJsLj2aDx -aQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEnPzlTCeqrauh0ssJlXI6/fMN4hM2e -Fvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjhZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDV -yAY45tQM4vM7TG1QjMSDJ8EThFk9nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3 -v/evt3a5pQuEF10Q6m/hq5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8E -CDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9le -gYsCmEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI37pio -l7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clBoiMBdDhViw+5 -LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJsEhTkYY2sEJCehFC78JZv -RZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpOfMGx+6fWtScvl6tu4B3i0RwsH0Ti -/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbiAmvZWgAAAAIAInVzZXJ0cnVzdGVjY2NlcnRp -ZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAKTMIICjzCCAhWgAwIBAgIQXIuZ -xVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5l -dyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNU -IE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwHhcNMTAwMjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzAR -BgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg -VVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlv 
-biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqfloI+d61SRvU8Za2Eur -xtW20eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinngo4N+LZfQYcTxmdwlkWOrfzCj -tHDix6EznPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1 -xmNjmjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBl -AjA2Z6EWCNzklwBBHU6+4WMBzzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDp -KmFHjFJKS04YcPbWRNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1XahgAAAACABRj -eWJlcnRydXN0Z2xvYmFscm9vdAAAAXwQWa1IAAVYLjUwOQAAA6UwggOhMIICiaADAgECAgsE -AAAAAAEPhaotSDANBgkqhkiG9w0BAQUFADA7MRgwFgYDVQQKEw9DeWJlcnRydXN0LCBJbmMx -HzAdBgNVBAMTFkN5YmVydHJ1c3QgR2xvYmFsIFJvb3QwHhcNMDYxMjE1MDgwMDAwWhcNMjEx -MjE1MDgwMDAwWjA7MRgwFgYDVQQKEw9DeWJlcnRydXN0LCBJbmMxHzAdBgNVBAMTFkN5YmVy -dHJ1c3QgR2xvYmFsIFJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD4yLy9 -FFBmE//w03nsI/K3GseOhfESc6YZqhDbnKJldFp3PlF9VvbcI7bU7V9YsTdN1UkObvVqh9bS -jNInxuL/Np+YZaATTsYqZJvVkBLPFAb0O+PUKL7oDvirTkiUbY6VMRBc7aItvdU6bbIcu2DA -RksB9UmufkaK0HSNoQwCzu7854+4a2bzf0QAv2YlFCvdEDAdB5Y/TfZruI+3ewylOOveR9vV -XTn8iKfz1yp08ehaojufULqmjEU1wlBlldxjgu/dv3dNnGLJY3MW0CkPSalI8LOqt2zFpzA5 -QF2uxOJdJlPwzhwjCGGolBm6BGJA7B84cHcSBnGnMBhdJSelAgMBAAGjgaUwgaIwDgYDVR0P -AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLYIew16zKwgTIZWMl7Pq26F -LXBXMD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly93d3cyLnB1YmxpYy10cnVzdC5jb20vY3Js -L2N0L2N0cm9vdC5jcmwwHwYDVR0jBBgwFoAUtgh7DXrMrCBMhlYyXs+rboUtcFcwDQYJKoZI -hvcNAQEFBQADggEBAFbvCiOgVE6Vl8n4idpFwdSjACX0HxOrt6OFWGnCMK3YFYot48nNgVr4 -cyNap3wF8/0iOw7RBsTbNkxzBI7lsCLkxfMupdkj47hOSiCnbgIknyJgZ3uLHXIJxTFc6Xmf -gEc9raELBxQ9R/8DaRoMC0TnYyWnf7LJuHaE7SP2fQerRX7T37O/6Yq2zaiiZytS1bdl8DlM -Y6CReZNSD1Tdg7uf0Y+nU3PDy/8w7HwEuNhEH5NfcQkit24+6hwDTp0aIGH7gTfsXvwKRavX -5xdV0KDqYJum9uOMWynCBmAUnS2XTKmTFZ1hxAFfSNZYvVYxEk4RyCHgsxGRZdu0pog4zlUA -AAACAChtaWNyb3NvZnRyc2Fyb290Y2VydGlmaWNhdGVhdXRob3JpdHkyMDE3AAABfBBZrUgA -BVguNTA5AAAFrDCCBagwggOQoAMCAQICEB7Tlwlf2LSzR3Aeqr5/RbMwDQYJKoZIhvcNAQEM -BQAwZTELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE2MDQG 
-A1UEAxMtTWljcm9zb2Z0IFJTQSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDE3MB4X -DTE5MTIxODIyNTEyMloXDTQyMDcxODIzMDAyM1owZTELMAkGA1UEBhMCVVMxHjAcBgNVBAoT -FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE2MDQGA1UEAxMtTWljcm9zb2Z0IFJTQSBSb290IENl -cnRpZmljYXRlIEF1dGhvcml0eSAyMDE3MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC -AgEAylu+lDOMKZWRFgqVvUdiwYnzmTbfRpDJpe14am9HkWj4J2dQMx2hpvvg5UOjhAJXAV2c -SECCUxC8v8c7aJC2gi3l9GXQzG0ZzJX5e6xKlK0O3ktDHYcHkhOQgINkNTkE/OXpbLO2H1CU -OGVQXBdGubaFtRy1F+jWRZ3YsiawysRwSq5gpN2z2ez8O9VXcrw/yMmy3ktr+CNsA8AFvZXH -zXM7ZoBk4xqsLvlHBfIGtptz9XgzW8eh+ycqobSakYyR0zqCPnZAtM1SYVFwKD/FxVryyYxJ -uxRbTcj/Z01MEpat9f54qJeH1/1eIIDcoUsi+9SJrbrOR5dHVXuPRchnKISVHGgw7+9J4DV7 -ZOeYsJTaTYU7PlXEKK9X854T20Ynnx6iXkSDpKXK1ROzSz/E48LmhmGkUjC5eiBPbw84U8sz -DBMrj9aavSrILbEcfUtRykfRSCdyXYfr1UXmSGWdr1KQuluiGGVXEp9oudQVa5TEaSKY9DPg -7flRjkFQyTRPdpCs/DjB2OF7uePjlOFGacsOClBrE7qsDzdatxK1kIEeVq5XIobZydLR11Hj -qzvGVf0eDtN0CtHaquppuJcoj0jEB/hSQzr0ylU1LLCmasCc+fKB4RJqwEXZZ7PO/yOiiQpU -1BS5KqjX7PmrzSVYMnmPkFuYOcQIBsGsfw49AKUCAwEAAaNUMFIwDgYDVR0PAQH/BAQDAgGG -MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAnLWX+GsnCPGsM548DZ6b+7TbIjMBAGCSsG -AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBDAUAA4ICAQCsrz5dwhGWiY6j55LWlxW4E6KmQi4C -zRYFWSfKIOi6uOga7E2ol1auZUOxjwCbUs1VzVM5bWJMiw1bfC5Ev4MQj/NTgoDDTzrHbhE/ -5uMWkYT7bYR/NHStiafOudfXn4Rkkr6Voa0JUzPd7grqSlGOb1WrurWURq6Mf9iiUCVlYIBG -2zMErmy1mHRUJdyT5PjjVRU9uG3DCqQSwWmFbt9k8VOZ4Up1IJ2VD+TW3APxWRjoR4myV1qU -tqnYFysXSeV2y8FWmTo3sf9pLJGRk+HfTKM3dk2hn/htHh3T+uz79EUdE23P91nlIidyK4bz -V7sw7SRN3H1Wu6Oz+DR5icHg8gJh96b8D7scFwuuQdl8vSej/S460ZOUsXMdJIuvWyCJrbdn -Znn1OsamljP+U5LIRrERkcaZf4/J1mYxIEEQhy0M1sGvNJjKZIP7E1fRwfA8eoylwf2VIaBx -wZNncRLqj4gKaRlkmSNW+6wqLnC+ZsQMhO/li/OTAfhqkJNnS7Joo7Vij+k/jHo7Xg/njLjG -fO83/XTiyE8zcuGUOW29Eq++DE5wfBtvjbMyk3NEFm3o9PfglYCPll04pPSr3gowh5PYTQBx -YkUnSzpChFt/ZbdnNFItnBZrqqjYe6NCTHHHDMo+g+Sm77cBMF5Ro3n1cGmmQUQPhrAskcY9 -6q4PhAAAAAIAD2dvZGFkZHljbGFzczJjYQAAAXwQWa1IAAVYLjUwOQAABAQwggQAMIIC6KAD -AgECAgEAMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28g 
-RGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkwHhcNMDQwNjI5MTcwNjIwWhcNMzQwNjI5MTcwNjIwWjBjMQswCQYD -VQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhH -byBEYWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIDANBgkqhkiG9w0B -AQEFAAOCAQ0AMIIBCAKCAQEA3p3X6lcYSaFb69dfSIbqvt3/5O9nHPRlaLNXcaBed7vtm0np -cIA9VhhjCG/a8szQP38CVCJUENiygdTAdT1Lf8d3wz54qxoDtSBrL2orscWIfsS7HrDB2EUn -b6o3WPeHJtfYLfapF7cfcjZOphc/ZZiS2ypuXaL+iOAL3n/ljRXh68s61eISohMt2I6vXxI9 -oAgFCLZcpWU4BEWZHqNgYHTFQaVyYhtixR9vXxpCvgJRZaiuIxhq/HgDqU1/gMP6q1r8oUCk -yhkW/rLI715zDe53vZr2eZi8sQdnohUN3aBYxkR7Cj5iKF+6QQdTWM8Rfjh0xfj/tWmQj4R0 -6pcbrwIBA6OBwDCBvTAdBgNVHQ4EFgQU0sSw0pHUTBFxs2HLPaH+3ahq1OMwgY0GA1UdIwSB -hTCBgoAU0sSw0pHUTBFxs2HLPaH+3ahq1OOhZ6RlMGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQK -ExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIg -Q2VydGlmaWNhdGlvbiBBdXRob3JpdHmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUF -AAOCAQEAMkvzsso+kfwSxqEHjI53oDMGFFyQHhj3CKY9Chn5h4ARbmnklhcw/zSRY3I47swc -AaMdlCikMfZ6xFTX9uUxWAOizM5i25RFc7W/RckktdWCAq0jeWmNuLZNzs9MyjMj6ByIqp2L -QW4WySDliZ7NO9pw936ZJiAUVCWrbnOF5pshnQpsgg6o+MIM+hAebJbvhw3ED2GLre6DK5X4 -jpKEcjnrIOqD7YPNl24IvOtOJrZzK+TT9kz+JnHiYRF0Sv9XGocPdUguz1FpF6ACEmGV1dFA -shBM7sSsEEOmpZ4K1ZVimg3PiILFMgzkK59F5g2fKJyxuSpaV603D68df9u9nwAAAAIAGm1p -Y3Jvc2VjZS1zemlnbm9yb290Y2EyMDA5AAABfBBZrUgABVguNTA5AAAEDjCCBAowggLyoAMC -AQICCQDCfkMETkc/GTANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCSFUxETAPBgNVBAcM -CEJ1ZGFwZXN0MRYwFAYDVQQKDA1NaWNyb3NlYyBMdGQuMScwJQYDVQQDDB5NaWNyb3NlYyBl -LVN6aWdubyBSb290IENBIDIwMDkxHzAdBgkqhkiG9w0BCQEWEGluZm9AZS1zemlnbm8uaHUw -HhcNMDkwNjE2MTEzMDE4WhcNMjkxMjMwMTEzMDE4WjCBgjELMAkGA1UEBhMCSFUxETAPBgNV -BAcMCEJ1ZGFwZXN0MRYwFAYDVQQKDA1NaWNyb3NlYyBMdGQuMScwJQYDVQQDDB5NaWNyb3Nl -YyBlLVN6aWdubyBSb290IENBIDIwMDkxHzAdBgkqhkiG9w0BCQEWEGluZm9AZS1zemlnbm8u -aHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDp+I/zY63ahtin4EL7z5Hepib4 -maVjcK2brsozQH1tlm6hDkTu4ROdlEJSmr11hXQsqA4dk7YYt4wsqM/7XHG52uz+6H6P5C8d 
-sqh1h9i3oeU7z5lKRtCDGX3AoRIclW1K9NjHpU0zLoU5QHV+FHyAEphQx0FnuKCAYVSmbE4f -4J0OB+nJujPn/sBVKCwCgKcZ9Z7cVVMDl3sHSP+Z+zeKJMRZzFAQY46qqRqwhBqG+V+7sVBu -pNEKzNVxfh+nG3z1U24iX8sr5tR8Xa7WwsZM5QUB2e1X/MEjefz6yCSDlfO1alEB0HfW6RKh -+RqD+4IbubCX9HYGM0NJoP8Ltfq1AgMBAAGjgYAwfjAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud -DwEB/wQEAwIBBjAdBgNVHQ4EFgQUyw/G30JDzD3LtUgjoRp6piq7NGgwHwYDVR0jBBgwFoAU -yw/G30JDzD3LtUgjoRp6piq7NGgwGwYDVR0RBBQwEoEQaW5mb0BlLXN6aWduby5odTANBgkq -hkiG9w0BAQsFAAOCAQEAydEOXi7VzLN8Psv8Pf8NKJWTBMi/2s15uEOQ8KS+7/LvIZi81NRd -BvbuQuwwbKCqqcrxr4r6Pwtzaj7qLkB+H65UYXnrLgg31yPzjJ++HbHhpHXboOJUFLG6HCmk -GPYSuqIUFOMxNchA/7fgBXZXwRxZ8vi/5O0lYlyE8H5+H7O++bchEcwDAVZwpxCSHhs0gR6t -nBrDBDztAmHWHgbzXzqH8ivxRYflPazRx1eEvWuu3Nj5thticAs9NslC8jLXemHm0ts9z8ip -yZvc21hE1284r39406OtGnW6HME2fI8ebRzDdUauNQWm9lw9Ie5W8MmCIi16VKtww30iZYJw -lgAAAAIAMWhlbGxlbmljYWNhZGVtaWNhbmRyZXNlYXJjaGluc3RpdHV0aW9uc3Jvb3RjYTIw -MTUAAAF8EFmtSAAFWC41MDkAAAYPMIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCB -pjELMAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh -ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNV -BAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENB -IDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAxMTIxWjCBpjELMAkGA1UEBhMCR1Ix -DzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2Vh -cmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMTN0hlbGxlbmljIEFj -YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIwMTUwggIiMA0GCSqG -SIb3DQEBAQUAA4ICDwAwggIKAoICAQDC+Kk/G4n8PDwEXT2QNrCROnk8ZlrvbTkBSRq0t89/ -TSNTt5AA4xMqKKYx8ZEA4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+ehiGsxr/CL -0BgzuNtFajT0AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+6PAQ -Ze104S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06CojXd -FPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV9Cz82XBST3i4 -vTwri5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrDgfgXy5I2XdGj2HUb4Ysn -6npIQf1FGQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6Y5ZLKTBOhE5iGV48zpeQpX8B653g 
diff --git a/kubernetes/common/cert-wrapper/templates/configmap.yaml b/kubernetes/common/cert-wrapper/templates/configmap.yaml deleted file mode 100644 index 117a4ab718..0000000000 --- a/kubernetes/common/cert-wrapper/templates/configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -{{- $suffix := "certs" }} -metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . ) | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/cert-wrapper/values.yaml b/kubernetes/common/cert-wrapper/values.yaml deleted file mode 100644 index fcece0e3f5..0000000000 --- a/kubernetes/common/cert-wrapper/values.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -certInitializer: - nameOverride: cert-initializer - createCertsCM: true diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml deleted file mode 100644 index f083bf8f53..0000000000 --- a/kubernetes/common/certInitializer/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Template used to obtain certificates in onap -name: certInitializer -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: 'file://../common' - - name: readinessCheck - version: ~11.x-0 - repository: 'file://../readinessCheck' - - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' 
diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh deleted file mode 100644 index 9cc5ec580e..0000000000 --- a/kubernetes/common/certInitializer/resources/ingress/onboard.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/ -}} - -echo "*** retrieving certificates and keys" -export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0) -export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0) -export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0) -echo "*** creating tls secret" -cat < if a different key is used, call templates with argument (dict "aafRoot" .Values. "dot" .) - # additional scripts can be defined to handle certs - addconfig: true|false - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: org.onap.sdnc - public_fqdn: "aaf.osaaf.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - secret_uid: &aaf_secret_uid my-component-aaf-deploy-creds - - # secrets configuration, Note: create a secrets template - secrets: - - uid: *aaf_secret_uid - type: basicAuth - externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' - login: '{{ .Values.aafConfig.aafDeployFqi }}' - password: '{{ .Values.aafConfig.aafDeployPass }}' - passwordPolicy: required - - In deployments/jobs/stateful include: - initContainers: - {{ include "common.aaf-config" . 
| nindent XX}} - - containers: - volumeMounts: - {{- if .Values.global.aafEnabled }} - - mountPath: "/opt/app/osaaf" - name: {{ include "common.fullname" . }}-aaf-config - {{- end }} - volumes: - {{- include "common.aaf-config-volumes" . | nindent XX}} -*/}} -{{- define "common.aaf-config" -}} -{{- $dot := default . .dot -}} -{{- $aafRoot := default $dot.Values.aafConfig .aafRoot -}} -{{- if $dot.Values.global.aafEnabled -}} -- name: {{ include "common.name" $dot }}-aaf-readiness - image: {{ include "common.repository" $dot }}/{{ $dot.Values.global.readinessImage }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - aaf-locate - - --container-name - - aaf-cm - - --container-name - - aaf-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -- name: {{ include "common.name" $dot }}-aaf-config - image: {{ (default $dot.Values.repository $dot.Values.global.repository) }}/{{ $dot.Values.global.aafAgentImage }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: {{ include "common.fullname" $dot }}-aaf-config -{{- if $aafRoot.addconfig }} - - name: aaf-add-config - mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh - subPath: aaf-add-config.sh -{{- end }} - command: - - sh - - -c - - | - #!/usr/bin/env bash - /opt/app/aaf_config/bin/agent.sh -{{- if $aafRoot.addconfig }} - /opt/app/aaf_config/bin/aaf-add-config.sh -{{- end }} - env: - - name: APP_FQI - value: "{{ $aafRoot.fqi }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095" - - name: aaf_locator_container - value: "oom" - - name: aaf_locator_container_ns - value: "{{ $dot.Release.Namespace }}" - - name: aaf_locator_fqdn - value: "{{ $aafRoot.fqdn 
}}" - - name: aaf_locator_app_ns - value: "{{ $aafRoot.app_ns }}" - - name: DEPLOY_FQI - {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $aafRoot.secret_uid "key" "login") | indent 6 }} - - name: DEPLOY_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $aafRoot.secret_uid "key" "password") | indent 6 }} - #Note: want to put this on Nodes, eventually - - name: cadi_longitude - value: "{{ default "52.3" $aafRoot.cadi_longitude }}" - - name: cadi_latitude - value: "{{ default "13.2" $aafRoot.cadi_latitude }}" - #Hello specific. Clients don't don't need this, unless Registering with AAF Locator - - name: aaf_locator_public_fqdn - value: "{{ $aafRoot.public_fqdn | default "" }}" - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end -}} -{{- end -}} - -{{- define "common.aaf-config-volume-mountpath" -}} -{{- if .Values.global.aafEnabled -}} -- mountPath: "/opt/app/osaaf" - name: {{ include "common.fullname" . }}-aaf-config -{{- end -}} -{{- end -}} - -{{- define "common.aaf-config-volumes" -}} -{{- $dot := default . .dot -}} -{{- $aafRoot := default $dot.Values.aafConfig .aafRoot -}} -{{- if $dot.Values.global.aafEnabled -}} -- name: {{ include "common.fullname" $dot }}-aaf-config - emptyDir: - medium: Memory -{{- if $aafRoot.addconfig }} -- name: aaf-add-config - configMap: - name: {{ include "common.fullname" $dot }}-aaf-add-config - defaultMode: 0700 -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/common/common/templates/_cassOp.tpl b/kubernetes/common/common/templates/_cassOp.tpl new file mode 100644 index 0000000000..b0cf8e331e --- /dev/null +++ b/kubernetes/common/common/templates/_cassOp.tpl 
@@ -0,0 +1,123 @@ +{{/* +# Copyright © 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* Cassandra Data Center. */}} +{{- define "common.k8ssandraCluster" -}} +{{- $global := .Values.global }} +--- +apiVersion: k8ssandra.io/v1alpha1 +kind: K8ssandraCluster +metadata: + name: {{ .Values.k8ssandraOperator.config.clusterName }} +spec: + {{ if .Values.k8ssandraOperator.reaper.enabled -}} + reaper: + initContainerImage: + registry: {{ include "repositoryGenerator.dockerHubRepository" . }} + containerImage: + registry: {{ include "repositoryGenerator.dockerHubRepository" . }} + autoScheduling: + enabled: true + metadata: + commonLabels: + app: {{ .Values.k8ssandraOperator.config.clusterName }}-reaper + version: {{ .Values.k8ssandraOperator.cassandraVersion }} + {{- if .Values.metrics.enabled }} + telemetry: + prometheus: + enabled: true + mcac: + enabled: false + cassandra: + endpoint: + address: 0.0.0.0 + {{- end }} + {{- end }} + {{ if .Values.k8ssandraOperator.stargate.enabled -}} + stargate: + containerImage: + registry: {{ include "repositoryGenerator.dockerHubRepository" . 
}} + tag: {{ .Values.k8ssandraOperator.stargate.tag }} + size: {{ .Values.k8ssandraOperator.stargate.size }} + heapSize: {{ .Values.k8ssandraOperator.stargate.jvmOptions.heapSize }} + metadata: + commonLabels: + app: {{ .Values.k8ssandraOperator.config.clusterName }}-stargate + version: {{ .Values.k8ssandraOperator.cassandraVersion }} + livenessProbe: + initialDelaySeconds: 200 + periodSeconds: 10 + failureThreshold: 20 + successThreshold: 1 + timeoutSeconds: 20 + readinessProbe: + initialDelaySeconds: 200 + periodSeconds: 10 + failureThreshold: 20 + successThreshold: 1 + timeoutSeconds: 20 + {{- end }} + cassandra: + serverVersion: {{ .Values.k8ssandraOperator.cassandraVersion }} + storageConfig: + cassandraDataVolumeClaimSpec: + {{ if .Values.k8ssandraOperator.persistence.storageClassName -}} + storageClassName: {{ .Values.k8ssandraOperator.persistence.storageClassName }} + {{- end }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.k8ssandraOperator.persistence.size }} + superuserSecretRef: + name: {{ include "common.fullname" . 
}}-{{ .Values.k8ssandraOperator.config.secretName }} + {{- if .Values.metrics.enabled }} + telemetry: + prometheus: + enabled: true + mcac: + enabled: false + cassandra: + endpoint: + address: 0.0.0.0 + {{- end }} + config: + {{ if .Values.k8ssandraOperator.config.casOptions -}} + cassandraYaml: + {{ toYaml .Values.k8ssandraOperator.config.casOptions | nindent 8 }} + {{- end }} + {{ if .Values.k8ssandraOperator.config.jvmOptions -}} + jvmOptions: + {{ toYaml .Values.k8ssandraOperator.config.jvmOptions | nindent 8 }} + {{- end }} + networking: + hostNetwork: {{ .Values.k8ssandraOperator.config.hostNetwork }} + datacenters: + {{- range $datacenter := .Values.k8ssandraOperator.datacenters }} + - metadata: + name: {{ $datacenter.name }} + size: {{ $datacenter.size }} + {{- end }} + {{ if .Values.podAnnotations -}} + metadata: + pods: + annotations: + {{ toYaml .Values.podAnnotations | nindent 10 }} + commonLabels: + app: {{ .Values.k8ssandraOperator.config.clusterName }} + version: {{ .Values.k8ssandraOperator.cassandraVersion }} + {{- end }} +{{ end }} diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl index 11d7501256..e7b90ea8ff 100644 --- a/kubernetes/common/common/templates/_dmaapProvisioning.tpl +++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl @@ -1,7 +1,7 @@ {{/* ################################################################################ # Copyright (C) 2021 Nordix Foundation. # -# Copyright (c) 2022 J. F. Lucas. All rights reserved. # +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # # # # Licensed under the Apache License, Version 2.0 (the "License"); # # you may not use this file except in compliance with the License. # 
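Review bot: in the new `_cassOp.tpl`, the last `metadata:` block of `common.k8ssandraCluster` sits entirely inside `{{ if .Values.podAnnotations -}}`, so its `commonLabels` (`app`, `version`) are only rendered when pod annotations happen to be set, while the reaper and stargate blocks set their `commonLabels` whenever they are enabled. Anything that selects on those labels (network policies, service monitors) would then match or miss the Cassandra pods depending on an unrelated value. Suggest emitting `metadata.commonLabels` unconditionally and guarding only `pods.annotations`. Two smaller points in the same file: `$global` is assigned and never used in the lines shown, and `.Values.metrics.enabled` is dereferenced without checking that `.Values.metrics` exists, which fails rendering for a chart that defines no `metrics` key.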
@@ -19,51 +19,54 @@ {{/* This template generates a Kubernetes init containers common template to enable applications to provision - DMaaP feeds (on Data Router), with associated authorization. - DMaap Bus Controller endpoints are used to provision: - - - Feed on DR, with associated user authentication. + DMaaP feeds (on Data Router) for DCAE microservices, with associated authorization. + DMaap Data Router (DR) endpoints are used to provision: + - Feeds on DR, with associated user authentication. + - Subscribers to feeds on DR, to provide DR with username, password, and URL needed to deliver + files to subscribers. common.dmaap.provisioning.initContainer: - This template make use of Dmaap Bus Controller docker image to create resources on Dmaap Data Router - microservice, with the help of dbc-client.sh script it makes use of Bus Controller API to create Feeds. - If the resource creation is successful via script response is logged back at particular location with - appropriate naming convention. - - More details can be found at : - (https://wiki.onap.org/pages/viewpage.action?pageId=103417564) + This template creates an initContainer with some associated volumes. The initContainer + (oom/kubernetes/dmaap-datarouter/drprov-client) runs a script (drprov-client.sh) that uses the + DR provisioning API to create the feeds and subscribers needed by a microservice. The script + updates the microservice's configuration to supply information needed to access the feeds. The + configuration information comes from two volumes that are created by the dcaegen2-services-common + templates. + - app-config-input: comes from a configMap generated from the microservice's values.yaml file. + It may contain references to environment variables as placeholders for feed information that + will become available after feeds are provisioned. 
+ - app-config: this template will copy the configuration file from the app-config-input volume, + replaced the environment variable references with the actual values for feed information, based + on data returned by the DR provisioning API. The template directly references data in .Values, and indirectly (through its use of templates from the ONAP "common" collection) references data in .Release. - Parameter for _dmaapProvisioning to be defined in values.yaml + Parameters for _dmaapProvisioning to be defined in values.yaml: + # DataRouter Feed Configuration + # (Note that DR configures publishers as part of the feed.) drFeedConfig: - feedName: bulk_pm_feed - owner: dcaecm feedVersion: 0.0 - asprClassification: unclassified + classification: unclassified feedDescription: DFC Feed Creation - - # DataRouter Publisher Configuration - drPubConfig: - - feedName: bulk_pm_feed - dcaeLocationName: loc00 + publisher: + username: xyz + password: xyz # DataRouter Subscriber Configuration drSubConfig: - feedName: bulk_pm_feed + feedVersion: 0.0 decompress: True - dcaeLocationName: loc00 privilegedSubscriber: True deliveryURL: https://dcae-pm-mapper:8443/delivery - # ConfigMap Configuration for DR Feed, Dr_Publisher, Dr_Subscriber + # ConfigMap Configuration for DR Feed, Dr_Subscriber volumes: - name: feeds-config path: /opt/app/config/feeds - - name: drpub-config - path: /opt/app/config/dr_pubs - name: drsub-config path: /opt/app/config/dr_subs @@ -76,8 +79,10 @@ {{- define "common.dmaap.provisioning._volumeMounts" -}} {{- $dot := default . .dot -}} -- mountPath: /opt/app/config/cache - name: dbc-response-cache +- mountPath: /config-input + name: app-config-input +- mountPath: /config + name: app-config {{- range $name, $volume := $dot.Values.volumes }} - name: {{ $volume.name }} mountPath: {{ $volume.path }} 
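Review bot: `common.dmaap.provisioning._volumeMounts` now mounts `app-config-input` and `app-config` unconditionally, but the `_volumes` helper in this file only emits the configMap volumes listed in `.Values.volumes`. The header comment says the two volumes are created by the dcaegen2-services-common templates, so any chart that includes `common.dmaap.provisioning.initContainer` without those templates gets a pod spec that references undefined volumes. Suggest stating that dependency next to the helper itself, or making the two mounts conditional. In the header comment of the preceding hunk, "replaced the environment variable references" should read "replacing", "DMaap" should be "DMaaP", and the `publisher:` example with a literal `username`/`password` would be better shown as references to the secret-backed `credentials` entries that the initContainer already injects via `common.secret.envFromSecretFast`.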
@@ -86,8 +91,6 @@ {{- define "common.dmaap.provisioning._volumes" -}} {{- $dot := default . .dot -}} -- name: dbc-response-cache - emptyDir: {} {{- range $name, $volume := $dot.Values.volumes }} - name: {{ $volume.name }} configMap: 
@@ -98,73 +101,18 @@ {{- define "common.dmaap.provisioning.initContainer" -}} {{- $dot := default . .dot -}} -{{- $drFeedConfig := default $dot.Values.drFeedConfig .drFeedConfig -}} -{{- if $drFeedConfig -}} +{{- $drNeedProvisioning := or $dot.Values.drFeedConfig $dot.Values.drSubConfig -}} +{{- if $drNeedProvisioning -}} - name: {{ include "common.name" $dot }}-init-dmaap-provisioning - image: {{ include "repositoryGenerator.image.dbcClient" $dot }} + image: {{ include "repositoryGenerator.image.drProvClient" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} env: - - name: RESP_CACHE - value: /opt/app/config/cache - - name: REQUESTID - value: "{{ include "common.name" $dot }}-dmaap-provisioning" {{- range $cred := $dot.Values.credentials }} - name: {{ $cred.name }} {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} {{- end }} volumeMounts: {{- include "common.dmaap.provisioning._volumeMounts" $dot | trim | nindent 2 }} - resources: {{ include "common.resources" $dot | nindent 1 }} -- name: {{ include "common.name" $dot }}-init-merge-config - image: {{ include "repositoryGenerator.image.envsubst" $dot }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - command: - - /bin/sh - args: - - -c - - | - set -uex -o pipefail - if [ -d /opt/app/config/cache ]; then - cd /opt/app/config/cache - for file in $(ls feed*); do - NUM=$(echo "$file" | sed 's/feedConfig-\([0-9]\+\)-resp.json/\1/') - export DR_LOG_URL_"$NUM"="$(grep -o '"logURL":"[^"]*' "$file" | grep -w "feedlog" | cut -d '"' -f4)" - export DR_FILES_PUBLISHER_URL_"$NUM"="$(grep -o '"publishURL":"[^"]*' "$file" | cut -d '"' -f4)" - done - for file in $(ls drpub*); do - NUM=$(echo "$file" | sed 's/drpubConfig-\([0-9]\+\)-resp.json/\1/') - export DR_FILES_PUBLISHER_ID_"$NUM"="$(grep -o '"pubId":"[^"]*' "$file" | cut -d '"' -f4)" - done - for file in $(ls drsub*); do - 
NUM=$(echo "$file" | sed 's/drsubConfig-\([0-9]\+\)-resp.json/\1/') - export DR_FILES_SUBSCRIBER_ID_"$NUM"="$(grep -o '"subId":"[^"]*' "$file" | cut -d '"' -f4)" - done - for file in $(ls topics*); do - NUM=$(echo "$file" | sed 's/topicsConfig-\([0-9]\+\)-resp.json/\1/') - export MR_FILES_PUBLISHER_CLIENT_ID_"$NUM"="$(grep -o '"mrClientId":"[^"]*' "$file" | cut -d '"' -f4)" - done - else - echo "No Response logged for Dmaap BusController Http POST Request..!" - fi - cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done - env: - {{- range $cred := $dot.Values.credentials }} - - name: {{ $cred.name }} - {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} - {{- end }} - volumeMounts: - - mountPath: /opt/app/config/cache - name: dbc-response-cache - - mountPath: /config-input - name: app-config-input - - mountPath: /config - name: app-config - resources: - limits: - cpu: 200m - memory: 250Mi - requests: - cpu: 100m - memory: 200Mi + resources: {{ include "common.resources" $dot | nindent 4 }} {{- end -}} {{- end -}} \ No newline at end of file diff --git a/kubernetes/common/common/templates/_images.tpl b/kubernetes/common/common/templates/_images.tpl new file mode 100644 index 0000000000..3bbaabc006 --- /dev/null +++ b/kubernetes/common/common/templates/_images.tpl 
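Review bot: in the `common.dmaap.provisioning.initContainer` hunk of `_dmaapProvisioning.tpl`, `$drNeedProvisioning := or $dot.Values.drFeedConfig $dot.Values.drSubConfig` no longer honours a `drFeedConfig` passed in the call dict; the removed line read `default $dot.Values.drFeedConfig .drFeedConfig`. A caller that relied on that override is now silently ignored, so either keep the override for both keys or state the removal in the header comment. With `RESP_CACHE` and `REQUESTID` gone, `env:` is populated only by the `credentials` loop and renders empty when `.Values.credentials` is unset; wrapping `env:` in a `with` block would keep the output clean. The `nindent 4` correction on `resources:` looks right. The file still ends without a trailing newline.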
@@ -0,0 +1,121 @@ +{{/* +# Copyright © Original (https://github.com/bitnami/charts) VMware, Inc. +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Docker Image Registry Secret Names +Original, if common way of image definition: +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image) "context" $) -}} +*/}} +{{- define "common.imagePullSecrets" -}} +{{- $images := list }} +{{- if .Values.image }} + {{- if kindIs "map" .Values.image -}} + {{- $images = append $images ".Values.image" -}} + {{- end -}} +{{- end -}} +{{- if .Values.metrics }} + {{- if .Values.metrics.image }} + {{- if kindIs "map" .Values.metrics.image -}} + {{- $images = append $images ".Values.metrics.image" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- include "common.images._renderPullSecrets" (dict "images" $images "context" $) -}} +{{- end -}} + +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = 
.global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images._renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + {{- $images := .images }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues._render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues._render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- range $image := $images -}} + {{- if contains "pullSecret" $image -}} + {{- range $pullSecret := $image.pullSecrets -}} + {{- if kindIs "map" $pullSecret -}} + {{- $pullSecrets = append $pullSecrets $pullSecret.name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets $pullSecret -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- else -}} +imagePullSecrets: [] + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images._version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index f2741079c7..ca23c75896 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl 
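Review bot: In `common.imagePullSecrets` (_images.tpl), the list is filled with string literals (`append $images ".Values.image"`) rather than the value maps themselves, so `common.images._renderPullSecrets` iterates over strings: `contains "pullSecret" $image` never matches, per-image `pullSecrets` are never rendered, and only `global.imagePullSecrets` take effect. Append `.Values.image` and `.Values.metrics.image` directly and test with `hasKey $image "pullSecrets"`, since `contains` is a substring check on strings and would not work on a map. The usage comments also still name `common.images.renderPullSecrets` and `common.images.version`, while the defines are `common.images._renderPullSecrets` and `common.images._version`.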
@@ -1,13 +1,311 @@ +{{/* +# Copyright © 2019-2021 Orange, Samsung +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{/* + Helper function to check, if Ingress is globally enabled +*/}} +{{- define "common.ingressEnabled" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to check, if Ingress is enabled +*/}} +{{- define "common.ingress._enabled" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +{{- if (default false $dot.Values.global.ingress.enable_all) -}} +true +{{- else -}} +{{- if $dot.Values.ingress.enabled -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to check, if TLS redirect is enabled +*/}} +{{- define "common.ingress._tlsRedirect" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Provider (default is "ingress") +*/}} +{{- define "common.ingress._provider" -}} +{{- $dot := default . 
.dot -}} +{{- $provider := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.provider -}} +{{- if ne $dot.Values.global.ingress.provider "" -}} +{{ $provider = $dot.Values.global.ingress.provider }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $provider -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Class (default is "nginx") +*/}} +{{- define "common.ingress._class" -}} +{{- $dot := default . .dot -}} +{{- $class := "nginx" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressClass -}} +{{- if ne $dot.Values.global.ingress.ingressClass "" -}} +{{ $class = $dot.Values.global.ingress.ingressClass }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $class -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Selector (default is "ingress") +*/}} +{{- define "common.ingress._selector" -}} +{{- $dot := default . .dot -}} +{{- $selector := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressSelector -}} +{{- if ne $dot.Values.global.ingress.ingressSelector "" -}} +{{ $selector = $dot.Values.global.ingress.ingressSelector }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $selector -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway, if exists +*/}} +{{- define "common.ingress._commonGateway" -}} +{{- $dot := default . .dot -}} +{{- $gateway := "-" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $gateway = $dot.Values.global.ingress.commonGateway.name }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $gateway -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTP Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPListener" -}} +{{- $dot := default . 
.dot -}} +{{- $listener := "http-80" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTPS Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPSListener" -}} +{{- $dot := default . .dot -}} +{{- $listener := "https-443" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpsListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to check the existance of an override value +*/}} +{{- define "common.ingress._overrideIfDefined" -}} + {{- $currValue := .currVal }} + {{- $parent := .parent }} + {{- $var := .var }} + {{- if $parent -}} + {{- if hasKey $parent $var }} + {{- default "" (index $parent $var) }} + {{- else -}} + {{- default "" $currValue -}} + {{- end -}} + {{- else -}} + {{- default "" $currValue }} + {{- end -}} +{{- end -}} + +{{/* + Helper function to get the protocol of the service +*/}} +{{- define "common.ingress._protocol" -}} +{{- $dot := default . .dot -}} +{{- $protocol := "http" -}} +{{- if $dot.tcpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.udpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.protocol }} +{{- $protocol = (lower $dot.protocol) -}} +{{- end -}} +{{- $protocol -}} +{{- end -}} + +{{/* + Create the hostname as concatination . 
+ - baseaddr: from component values: ingress.service.baseaddr + - baseurl: from values: global.ingress.virtualhost.baseurl + which van be overwritten in the component via: ingress.baseurlOverride +*/}} {{- define "ingress.config.host" -}} {{- $dot := default . .dot -}} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $preaddr := default "" $dot.Values.global.ingress.virtualhost.preaddr -}} +{{- $preaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $preaddr "parent" (default (dict) $dot.Values.ingress) "var" "preaddrOverride") -}} +{{- $postaddr := default "" $dot.Values.global.ingress.virtualhost.postaddr -}} +{{- $postaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $postaddr "parent" (default (dict) $dot.Values.ingress) "var" "postaddrOverride") -}} {{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} -{{ printf "%s.%s" $baseaddr $burl }} +{{- $burl := include "common.ingress._overrideIfDefined" (dict "currVal" $burl "parent" (default (dict) $dot.Values.ingress) "var" "baseurlOverride") -}} +{{ printf "%s%s%s.%s" $preaddr $baseaddr $postaddr $burl }} {{- end -}} +{{/* + Istio Helper function to add the tls route +*/}} +{{- define "istio.config.tls_simple" -}} +{{- $dot := default . .dot -}} + tls: +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.tls }} + credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} + mode: SIMPLE +{{- end -}} + +{{/* + Istio Helper function to add the tls route +*/}} +{{- define "istio.config.tls" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." 
.service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- if $service.exposedPort }} +{{- if $service.exposedProtocol }} +{{- if eq $service.exposedProtocol "TLS" }} + {{ include "istio.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- else }} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + {{ include "istio.config.tls_simple" (dict "dot" $dot ) }} + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Istio Helper function to add the external port of the service +*/}} +{{- define "istio.config.port" -}} +{{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the name of the port, is required." .protocol) -}} +{{- if $dot.exposedPort }} + number: {{ $dot.exposedPort }} +{{- if $dot.exposedProtocol }} + name: {{ $protocol }}-{{ $dot.exposedPort }} + protocol: {{ $dot.exposedProtocol }} +{{- else }} + name: {{ $protocol }} + protocol: HTTP +{{- end -}} +{{- else }} + number: 80 + name: {{ $protocol }} + protocol: HTTP +{{- end -}} +{{- end -}} + +{{/* + Create Port entry in the Gateway resource +*/}} +{{- define "istio.config.gatewayPort" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." 
.protocol) -}} + - port: + {{- include "istio.config.port" (dict "dot" $service "baseaddr" $baseaddr "protocol" $protocol) }} + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- include "istio.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + +{{/* + Helper function to add the route to the service +*/}} {{- define "ingress.config.port" -}} {{- $dot := default . .dot -}} -{{ range .Values.ingress.service }} +{{ range $dot.Values.ingress.service }} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} http: 
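Review bot: In `common.ingress._protocol`, the `udpRoutes` branch assigns `$protocol = "tcp"`, the same value as the `tcpRoutes` branch, so a service that only defines `udpRoutes` is reported as TCP. This looks like a copy-paste slip and should be "udp"; if it is intended, a comment should say why. Separately, `common.ingress._gatewayHTTPListener` and `common.ingress._gatewayHTTPSListener` guard on `commonGateway.name` but then assign `commonGateway.httpListener` and `commonGateway.httpsListener`, so a common gateway defined without those keys replaces the defaults `http-80` and `https-443` with an empty value. Guard on the key that is actually read.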
@@ -28,24 +326,77 @@ {{- end }} {{- end -}} +{{/* + Istio Helper function to add the route to the service +*/}} +{{- define "istio.config.route" -}} +{{- $dot := default . .dot -}} +{{- $protocol := (required "'protocol' param, is required." .protocol) -}} +{{- if eq $protocol "tcp" }} + - match: + - port: {{ $dot.exposedPort }} + route: + - destination: + port: + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} + {{- else }} + number: {{ $dot.plain_port }} + {{- end }} + {{- else }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} + {{- else }} + number: {{ $dot.port }} + {{- end }} + {{- end }} + host: {{ $dot.name }} +{{- else if eq $protocol "http" }} + - route: + - destination: + port: + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} + {{- else }} + number: {{ $dot.plain_port }} + {{- end }} + {{- else }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} + {{- else }} + number: {{ $dot.port }} + {{- end }} + {{- end }} + host: {{ $dot.name }} +{{- end -}} +{{- end -}} +{{/* + Helper function to add ssl annotations +*/}} {{- define "ingress.config.annotations.ssl" -}} +{{- $class := include "common.ingress._class" (dict "dot" .) 
}} {{- if .Values.ingress.config -}} {{- if .Values.ingress.config.ssl -}} {{- if eq .Values.ingress.config.ssl "redirect" -}} -kubernetes.io/ingress.class: nginx -nginx.ingress.kubernetes.io/ssl-passthrough: "true" -nginx.ingress.kubernetes.io/ssl-redirect: "true" +kubernetes.io/ingress.class: {{ $class }} +{{ $class }}.ingress.kubernetes.io/ssl-passthrough: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "native" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "none" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "false" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "false" {{- end -}} {{- end -}} {{- end -}} {{- end -}} +{{/* + Helper function to add annotations +*/}} {{- define "ingress.config.annotations" -}} {{- if .Values.ingress -}} {{- if .Values.ingress.annotations -}} 
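Review bot: In `ingress.config.annotations.ssl`, the ingress class is now also used as the annotation key prefix (`{{ $class }}.ingress.kubernetes.io/ssl-redirect`), so whether the HTTPS redirect is enforced depends on the controller honouring keys under that class name; with a class other than `nginx` the redirect and passthrough settings may silently not apply and traffic stays on plain HTTP. Please document which `global.ingress.ingressClass` values are supported, or keep the annotation prefix separate from the class value. In `istio.config.route`, the `destination` block is repeated verbatim in the `tcp` and `http` branches and nothing is rendered for any other protocol value; a shared helper plus a `fail` on unknown protocols would make that case visible at render time.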
@@ -55,56 +406,405 @@ nginx.ingress.kubernetes.io/ssl-redirect: "false" {{ include "ingress.config.annotations.ssl" . | indent 4 | trim }} {{- end -}} -{{- define "common.ingress._overrideIfDefined" -}} - {{- $currValue := .currVal }} - {{- $parent := .parent }} - {{- $var := .var }} - {{- if $parent -}} - {{- if hasKey $parent $var }} - {{- default "" (index $parent $var) }} - {{- else -}} - {{- default "" $currValue -}} - {{- end -}} - {{- else -}} - {{- default "" $currValue }} - {{- end -}} +{{/* + Create Istio Ingress resources per defined service +*/}} +{{- define "common.istioIngress" -}} +{{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} +{{ range $dot.Values.ingress.service }} +{{ if or ( eq (include "common.ingress._protocol" (dict "dot" .)) "http" ) ( eq (include "common.ingress._protocol" (dict "dot" .)) "tcp" )}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} +--- +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: {{ $baseaddr }}-gateway +spec: + selector: + istio: {{ $selector }} + servers: +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" .protocol) | trim }} + {{- else }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . 
"baseaddr" $baseaddr "protocol" "http") | trim }} + {{ end }} +{{ end }} +{{ end }} +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: {{ $baseaddr }}-service +spec: + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + gateways: +{{- if eq $gateway "-" }} + - {{ $baseaddr }}-gateway +{{- else }} + - {{ $gateway }} +{{- end }} +{{- if .tcpRoutes }} + tcp: +{{ range .tcpRoutes }} + {{ include "istio.config.route" (dict "dot" . "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ .protocol }}: + {{ include "istio.config.route" (dict "dot" . "protocol" .protocol) | trim }} + {{- else }} + http: + {{ include "istio.config.route" (dict "dot" . "protocol" "http") | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} -{{- define "common.ingress" -}} -{{- if .Values.ingress -}} - {{- $ingressEnabled := default false .Values.ingress.enabled -}} - {{- $ingressEnabled := include "common.ingress._overrideIfDefined" (dict "currVal" $ingressEnabled "parent" (default (dict) .Values.global.ingress) "var" "enabled") }} - {{- $ingressEnabled := include "common.ingress._overrideIfDefined" (dict "currVal" $ingressEnabled "parent" .Values.ingress "var" "enabledOverride") }} - {{- if $ingressEnabled }} +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls_simple" -}} +{{- $dot := default . 
.dot -}} + tls: +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.tls }} + certificateRefs: + - kind: Secret + group: "" + name: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} + mode: Terminate +{{- end -}} + +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- if $service.exposedPort }} +{{- if $service.exposedProtocol }} +{{- if eq $service.exposedProtocol "TLS" }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- else }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + - name: HTTPS-443 + port: 443 + protocol: HTTPS + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create Listener entry in the Gateway resource +*/}} +{{- define "gwapi.config.listener" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." 
.protocol) -}} +{{- $port := default 80 $service.exposedPort -}} + - name: {{ $protocol }}-{{ $port }} + port: {{ $port }} +{{- if $service.exposedProtocol }} + protocol: {{ upper $service.exposedProtocol }} +{{- else }} + protocol: HTTP +{{- end }} + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + allowedRoutes: + namespaces: + from: All +{{- if eq $service.protocol "tcp" }} + kinds: + - kind: TCPRoute +{{- else if eq $service.protocol "tcp" }} + kinds: + - kind: UDPRoute +{{- end }} + {{- include "gwapi.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + +{{/* + Create *Route entry for the Gateway-API +*/}} +{{- define "gwapi.config.route" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." 
.protocol) -}} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) -}} +{{- $namespace := default "istio-ingress" $dot.Values.global.ingress.namespace -}} +{{- $path := default "/" $service.path -}} +{{- if eq $protocol "udp" -}} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: UDPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: udp-{{ $service.exposedPort }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 +{{- else if eq $protocol "tcp" }} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TCPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: tcp-{{ $service.exposedPort }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 +{{- else if eq $protocol "http" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-http-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + sectionName: {{ include "common.ingress._gatewayHTTPSListener" (dict "dot" $dot) }} +{{- else }} + sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} +{{- end }} + hostnames: + - {{ include 
"ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-redirect-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} + hostnames: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create GW-API Ingress resources per defined service +*/}} +{{- define "common.gwapiIngress" -}} +{{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} +{{ range $dot.Values.ingress.service }} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: {{ $baseaddr }}-gateway +spec: + gatewayClassName: {{ $dot.Values.global.serviceMesh.engine }} + listeners: +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . 
"baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create default Ingress resource +*/}} +{{- define "common.nginxIngress" -}} +{{- $dot := default . .dot -}} +{{ range $dot.Values.ingress.service }} +{{ if eq (include "common.ingress._protocol" (dict "dot" $dot)) "http" }} +{{ $baseaddr := required "baseaddr" .baseaddr }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: {{ include "common.fullname" . }}-ingress + name: {{ include "common.fullname" $dot }}-ingress annotations: - {{ include "ingress.config.annotations" . }} + {{ include "ingress.config.annotations" $dot }} labels: - app: {{ .Chart.Name }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} + app: {{ $dot.Chart.Name }} + chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} + release: {{ include "common.release" $dot }} + heritage: {{ $dot.Release.Service }} spec: rules: - {{ include "ingress.config.port" . | trim }} -{{- if .Values.ingress.tls }} + {{ include "ingress.config.port" $dot | trim }} +{{- if $dot.Values.ingress.tls }} tls: -{{ toYaml .Values.ingress.tls | indent 4 }} -{{- end -}} -{{- if .Values.ingress.config -}} -{{- if .Values.ingress.config.tls -}} -{{- $dot := default . .dot }} +{{ toYaml $dot.Values.ingress.tls | indent 4 }} +{{- end -}} +{{- if $dot.Values.ingress.config -}} +{{- if $dot.Values.ingress.config.tls }} tls: - hosts: - {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} - secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }} -{{- end -}} -{{- end -}} -{{- end -}} + secretName: {{ required "secret" (tpl (default "" $dot.Values.ingress.config.tls.secret) $dot) }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} + +{{/* + Create ingress template + Will create ingress template depending on the following values: + - .Values.global.ingress.enabled : enables Ingress globally + - .Values.global.ingress.enable_all : override default Ingress for all charts + - .Values.ingress.enabled : sets Ingress per chart basis + + | global.ingress.enabled | global.ingress.enable_all |ingress.enabled | result | + |------------------------|---------------------------|----------------|------------| + | false | any | any | no ingress | + | true | false | false | no ingress | + | true | true | any | ingress | + | true | false | true | ingress | + + If ServiceMesh (Ingress-Provider: Istio) is enabled the respective resources + are created: + - Gateway (optional) + - VirtualService + + If ServiceMesh (Ingress-Provider: 
GatewayAPI) is enabled the respective resources + are created: + - Gateway (optional) + - HTTPRoute, TCPRoute, UDPRoute (depending) + + If ServiceMesh is disabled the standard Ingress resource is creates: + - Ingress +*/}} +{{- define "common.ingress" -}} +{{- $dot := default . .dot -}} +{{- $provider := include "common.ingress._provider" (dict "dot" $dot) -}} +{{- if (include "common.ingress._enabled" (dict "dot" $dot)) }} +{{- if eq $provider "ingress" -}} +{{ include "common.nginxIngress" (dict "dot" $dot) }} +{{- else if eq $provider "istio" -}} +{{ include "common.istioIngress" (dict "dot" $dot) }} +{{- else if eq $provider "gw-api" -}} +{{ include "common.gwapiIngress" (dict "dot" $dot) }} +{{- end -}} +{{- end -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl index 993fb7dfac..a690acd141 100644 --- a/kubernetes/common/common/templates/_labels.tpl +++ b/kubernetes/common/common/templates/_labels.tpl @@ -26,6 +26,12 @@ The function takes several arguments (inside a dictionary): {{- define "common.labels" -}} {{- $dot := default . .dot -}} app.kubernetes.io/name: {{ include "common.name" $dot }} +app: {{ include "common.name" $dot }} +{{- if $dot.Chart.AppVersion }} +version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" +{{- else }} +version: "{{ $dot.Chart.Version | replace "+" "_" }}" +{{- end }} {{ if not .ignoreHelmChart }} helm.sh/chart: {{ include "common.chart" $dot }} {{- end }} diff --git a/kubernetes/common/common/templates/_log.tpl b/kubernetes/common/common/templates/_log.tpl index 369c25b254..993c48239a 100644 --- a/kubernetes/common/common/templates/_log.tpl +++ b/kubernetes/common/common/templates/_log.tpl @@ -29,11 +29,11 @@ mountPath: /usr/share/filebeat/data resources: requests: - memory: "5Mi" cpu: "10m" + memory: "5Mi" limits: - memory: "20Mi" cpu: "100m" + memory: "20Mi" {{- end -}} {{- end -}} 
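Review bot: In `gwapi.config.listener` (_ingress.tpl, hunk `@@ -55,56 +406,405 @@`), both branches test `eq $service.protocol "tcp"`, so the `else if` that emits `kind: UDPRoute` is unreachable and UDP listeners get no `allowedRoutes.kinds` restriction; the second test should presumably compare against "udp". In `common.nginxIngress`, `common.ingress._protocol` is called with `$dot` (the chart context) instead of the service entry `.`, so the per-service check always yields `http`, and each loop iteration emits an Ingress named `{{ include "common.fullname" $dot }}-ingress` with no `---` separator, which collides as soon as a chart lists more than one service. The rewritten `tls:` block also drops the `hosts:` list that the removed lines rendered; please confirm that is intended.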
diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index 5021c500b0..3092298a7d 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -58,12 +58,27 @@ {{- include "common.mariadb.secret._secretName" (set . "uidTemplate" "common.mariadb.secret.userCredentialsUID") }} {{- end -}} +{{/* + Choose the name of the mariadb app label to use. +*/}} +{{- define "common.mariadbAppName" -}} + {{- if .Values.global.mariadbGalera.localCluster -}} + {{- index .Values "mariadb-galera" "nameOverride" -}} + {{- else -}} + {{- .Values.global.mariadbGalera.nameOverride -}} + {{- end -}} +{{- end -}} + {{/* Choose the name of the mariadb service to use. */}} {{- define "common.mariadbService" -}} {{- if .Values.global.mariadbGalera.localCluster -}} + {{- if and .Values.global.mariadbGalera.useOperator (index .Values "mariadb-galera" "mariadbOperator" "galera" "enabled") }} + {{- printf "%s-primary" (index .Values "mariadb-galera" "nameOverride") -}} + {{- else }} {{- index .Values "mariadb-galera" "nameOverride" -}} + {{- end }} {{- else -}} {{- .Values.global.mariadbGalera.service -}} {{- end -}} 
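Review bot: In `common.mariadbService`, the new condition reads `index .Values "mariadb-galera" "mariadbOperator" "galera" "enabled"` without checking that the intermediate keys exist, so a chart with `localCluster` and `useOperator` set whose `mariadb-galera` values lack a `mariadbOperator.galera` block can fail at render time instead of falling back to `nameOverride`. Guard the lookup (nested `if` checks or `dig` with a default) or document the keys every consuming chart must define. The `-primary` suffix is hard-coded here as well; a short comment stating where that service name comes from would help the next reader.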
@@ -97,3 +112,258 @@ {{- define "common.mariadbSecretParam" -}} {{ printf "password" -}} {{- end -}} + +{{/* + Create MariaDB Database via mariadb-operator +*/}} +{{- define "common.mariadbOpDatabase" -}} +{{- $dot := default . .dot -}} +{{- $dbname := (required "'dbame' param, is required." .dbname) -}} +{{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Database +metadata: + name: {{ $dbinst }}-{{ $dbname }} +spec: + name: {{ $dbname }} + mariaDbRef: + name: {{ $dbinst }} + characterSet: utf8 + collate: utf8_general_ci + retryInterval: 5s +{{- end -}} + +{{/* + Create MariaDB User via mariadb-operator +*/}} +{{- define "common.mariadbOpUser" -}} +{{- $dot := default . .dot -}} +{{- $dbuser := (required "'dbuser' param, is required." .dbuser) -}} +{{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} +{{- $dbsecret := (required "'dbsecret' param, is required." .dbsecret) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: User +metadata: + name: {{ $dbinst }}-{{ $dbuser }} +spec: + name: {{ $dbuser }} + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + passwordSecretKeyRef: + name: {{ $dbsecret }} + key: password + # This field is immutable and defaults to 10 + maxUserConnections: 100 + retryInterval: 5s +{{- end -}} + +{{/* + Grant rights to a MariaDB User via mariadb-operator +*/}} +{{- define "common.mariadbOpGrants" -}} +{{- $dot := default . .dot -}} +{{- $dbuser := (required "'dbuser' param, is required." .dbuser) -}} +{{- $dbname := (required "'dbame' param, is required." .dbname) -}} +{{- $dbinst := (required "'dbinst' param, is required." 
.dbinst) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Grant +metadata: + name: {{ $dbuser }}-{{ $dbname }}-{{ $dbinst }} +spec: + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + privileges: + - "ALL" + database: {{ $dbname }} + table: "*" + username: {{ $dbuser }} + retryInterval: 5s + grantOption: true +{{- end -}} + +{{/* + MariaDB Backup via mariadb-operator +*/}} +{{- define "common.mariadbOpBackup" -}} +{{- $dot := default . .dot -}} +{{- $dbinst := include "common.name" $dot -}} +{{- $name := default $dbinst $dot.Values.backup.nameOverride -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Backup +metadata: + name: {{ $name }} +spec: + inheritMetadata: + labels: + sidecar.istio.io/inject: 'false' + backoffLimit: 5 + logLevel: info + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + schedule: + cron: {{ $dot.Values.backup.cron }} + suspend: false + maxRetention: {{ $dot.Values.backup.maxRetention }} + storage: + {{- if eq $dot.Values.backup.storageType "PVC" }} + persistentVolumeClaim: + resources: + requests: + storage: {{ $dot.Values.backup.persistence.size }} + {{- if $dot.Values.mariadbOperator.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.storageClassName }} + {{- end }} + accessModes: + - {{ $dot.Values.backup.persistence.accessMode }} + {{- end }} + {{- if eq $dot.Values.backup.storageType "S3" }} + s3: {{- include "common.tplValue" ( dict "value" .Values.backup.s3 "context" $) | nindent 6 }} + {{- end }} + {{- if eq $dot.Values.backup.storageType "volume" }} + volume: {{- include "common.tplValue" ( dict "value" .Values.backup.volume "context" $) | nindent 6 }} + {{- end }} + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "300m" + memory: "500Mi" +{{- end -}} + +{{/* + Create a MariaDB instance via mariadb-operator +*/}} +{{- define "common.mariadbOpInstance" -}} +{{- $dot := default . 
.dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +{{- $dbrootsecret := tpl (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.rootUser.externalSecret) $dot -}} +{{- $dbusersecret := tpl (default (include "common.mariadb.secret.userCredentialsSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.db.externalSecret) $dot -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: MariaDB +metadata: + name: {{ $dbinst }} +spec: + podSecurityContext: + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + inheritMetadata: + {{ if .Values.podAnnotations -}} + annotations: {{ toYaml .Values.podAnnotations | nindent 6 }} + {{- end }} + labels: + # temporarily test mariaDB without sidecar (fix initial Job, Backup and Metrics) + # will be obsolete with "native-sidecars" feature in K8S and Istio + sidecar.istio.io/inject: "false" + app: {{ $dbinst }} + version: {{ .Values.mariadbOperator.appVersion }} + rootPasswordSecretKeyRef: + name: {{ $dbrootsecret }} + key: password + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbOperator.image }}:{{ $dot.Values.mariadbOperator.appVersion }} + imagePullPolicy: IfNotPresent + {{- include "common.imagePullSecrets" . | nindent 2 }} + port: 3306 + replicas: {{ $dot.Values.replicaCount }} + {{- if $dot.Values.mariadbOperator.galera.enabled }} + galera: + enabled: true + sst: mariabackup + replicaThreads: 1 + agent: + image: {{ include "repositoryGenerator.githubContainerRegistry" . 
}}/{{ .Values.mariadbOperator.galera.agentImage }}:{{ $dot.Values.mariadbOperator.galera.agentVersion }} + imagePullPolicy: IfNotPresent + port: 5555 + kubernetesAuth: + enabled: true + authDelegatorRoleName: {{ $dbinst }}-auth + gracefulShutdownTimeout: 5s + primary: + automaticFailover: true + podIndex: 0 + recovery: + enabled: true + clusterHealthyTimeout: 30s + clusterBootstrapTimeout: 10m0s + minClusterSize: 50% + podRecoveryTimeout: 3m0s + podSyncTimeout: 3m0s + initContainer: + image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ $dot.Values.mariadbOperator.galera.initImage }}:{{ $dot.Values.mariadbOperator.galera.initVersion }} + imagePullPolicy: IfNotPresent + config: + reuseStorageVolume: false + volumeClaimTemplate: + {{- if .Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ .Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + resources: + requests: + storage: 50Mi + accessModes: + - ReadWriteOnce + {{- end }} + livenessProbe: + exec: + command: + - bash + - '-c' + - mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;" + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - bash + - '-c' + - mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;" + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + {{- if default false $dot.Values.global.metrics.enabled }} + metrics: + enabled: true + {{- end }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + tolerations: + - key: k8s.mariadb.com/ha + operator: Exists + effect: NoSchedule + podDisruptionBudget: + maxUnavailable: 50% + updateStrategy: + type: RollingUpdate + + myCnfConfigMapKeyRef: + key: my.cnf + name: {{ printf "%s-configuration" (include "common.fullname" $dot) }} + resources: {{ include "common.resources" . 
| nindent 4 }} + storage: + {{- if $dot.Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + size: {{ $dot.Values.mariadbOperator.persistence.size | quote }} +{{- if $dot.Values.db.user }} +{{ include "common.mariadbOpUser" (dict "dot" . "dbuser" $dot.Values.db.user "dbinst" $dbinst "dbsecret" $dbusersecret) }} +{{- end }} +{{- if $dot.Values.db.name }} +{{ include "common.mariadbOpDatabase" (dict "dot" . "dbname" $dot.Values.db.name "dbinst" $dbinst) }} +{{- end }} +{{- if and $dot.Values.db.user $dot.Values.db.name }} +{{ include "common.mariadbOpGrants" (dict "dot" . "dbuser" $dot.Values.db.user "dbname" $dot.Values.db.name "dbinst" $dbinst) }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index b38a7f1105..810350bfa6 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl @@ -45,6 +45,9 @@ - containerPort: {{ default $port.plain_port $port.internal_plain_port }} name: {{ $port.name }}-plain {{- end }} +{{- if $port.l4_protocol }} + protocol: {{ $port.l4_protocol }} +{{- end }} {{- end }} {{- end -}} diff --git a/kubernetes/common/common/templates/_postgres.tpl b/kubernetes/common/common/templates/_postgres.tpl index 45d903e574..dcd17c0312 100644 --- a/kubernetes/common/common/templates/_postgres.tpl +++ b/kubernetes/common/common/templates/_postgres.tpl 
@@ -63,3 +63,89 @@ {{- define "common.postgres.secret.primaryPasswordSecretName" -}} {{- include "common.postgres.secret._secretName" (set . "uidTemplate" "common.postgres.secret.primaryPasswordUID") }} {{- end -}} + +{{/* + Create postgres cluster via postgres crunchydata-operator +*/}} +{{- define "common.postgresOpInstance" -}} +{{- $dot := default . .dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +--- +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: {{ $dbinst }} + labels: + app: {{ $dbinst }} + version: "5.5" +spec: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.postgresOperator.imagePostgres }} + image: {{ .Values.postgresOperator.imagePostgres | quote }} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 2 }} + postgresVersion: {{ $dot.Values.postgresOperator.postgresVersion }} + instances: + - name: {{ default "instance1" .Values.postgresOperator.instanceName | quote }} + replicas: {{ default 2 .Values.postgresOperator.instanceReplicas }} + dataVolumeClaimSpec: + {{- if .Values.instanceStorageClassName }} + storageClassName: {{ .Values.postgresOperator.instanceStorageClassName | quote }} + {{- end }} + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{ default "1Gi" .Values.postgresOperator.instanceSize | quote }} + {{- if or .Values.instanceMemory .Values.postgresOperator.instanceCPU }} + resources: + limits: + cpu: {{ default "" .Values.postgresOperator.instanceCPU | quote }} + memory: {{ default "" .Values.postgresOperator.instanceMemory | quote }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: {{ $dbinst }} + postgres-operator.crunchydata.com/instance-set: {{ default "instance1" 
.Values.postgresOperator.instanceName | quote }} + proxy: + pgBouncer: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.postgresOperator.imagePgBouncer }} + image: {{ .Values.postgresOperator.imagePgBouncer | quote }} + {{- end }} + replicas: {{ default 2 .Values.postgresOperator.bouncerReplicas }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: {{ $dbinst }} + postgres-operator.crunchydata.com/role: pgbouncer + {{- if .Values.postgresOperator.monitoring }} + monitoring: + pgmonitor: + exporter: + image: {{ default "" .Values.postgresOperator.imageExporter | quote }} + {{- if .Values.postgresOperator.monitoringConfig }} +{{ toYaml .Values.monitoringConfig | indent 8 }} + {{- end }} + {{- end }} + users: + - name: postgres +{{- end -}} diff --git a/kubernetes/common/common/templates/_resources.tpl b/kubernetes/common/common/templates/_resources.tpl index fae77435a3..11177c76fb 100644 --- a/kubernetes/common/common/templates/_resources.tpl +++ b/kubernetes/common/common/templates/_resources.tpl @@ -39,21 +39,21 @@ e.g: resources: small: limits: - cpu: 200m - memory: 4Gi + cpu: "200m" + memory: "4Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 400m - memory: 8Gi + cpu: "400m" + memory: "8Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "200m" + memory: "2Gi" unlimited: {} */ -}} {{- define "common.resources" -}} {{- $flavor := include "common.flavor" . -}} -{{- toYaml (pluck $flavor .Values.resources | first) | indent 12 -}} +{{- toYaml (pluck $flavor .Values.resources | first) -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index f6a0f211a9..3db01396ca 100644 --- a/kubernetes/common/common/templates/_service.tpl 
+++ b/kubernetes/common/common/templates/_service.tpl @@ -126,14 +126,14 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} protocol: TCP {{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%ss-%s" $port.port_protocol $port.name }} {{- else }} name: {{ $port.name }} {{- end }} -{{- if (eq $serviceType "NodePort") }} - nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} -{{- end }} {{- else }} - port: {{ default $port.port $port.plain_port }} targetPort: {{ $port.name }} @@ -142,20 +142,29 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} protocol: {{ default "TCP" $port.l4_protocol }} {{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} {{- else }} name: {{ $port.name }} {{- end }} {{- end }} +{{- if (eq $serviceType "NodePort") }} + nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} +{{- end }} {{- if (and (and (include "common.needTLS" $dot) $add_plain_port) $port.plain_port) }} {{- if (eq $serviceType "ClusterIP") }} - port: {{ $port.plain_port }} targetPort: {{ $port.name }}-plain -{{- if $port.plain_l4_port_protocol }} +{{- if $port.plain_l4_port_protocol }} protocol: {{ $port.plain_port_l4_protocol }} -{{- else }} +{{- else }} protocol: {{ default "TCP" $port.l4_protocol }} +{{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} {{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} 
@@ -241,6 +250,9 @@ spec: {{- $both_tls_and_plain:= default false $dot.Values.service.both_tls_and_plain }} {{- $labels := default (dict) .labels -}} {{- $matchLabels := default (dict) .matchLabels -}} +{{- if and (include "common.ingressEnabled" $dot) (eq $serviceType "NodePort") -}} +{{- $serviceType = "ClusterIP" }} +{{- end }} {{- if (and (include "common.needTLS" $dot) $both_tls_and_plain) }} {{ include "common.genericService" (dict "suffix" $suffix "annotations" $annotations "msb_informations" $msb_informations "dot" $dot "publishNotReadyAddresses" $publishNotReadyAddresses "ports" $ports "serviceType" "ClusterIP" "add_plain_port" true $labels "matchLabels" $matchLabels) }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index a685a73627..de779f8db8 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Amdocs, Bell Canada, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -66,3 +67,81 @@ exit "$RCODE" fieldPath: metadata.namespace {{- end }} {{- end }} + +{{/* + Use Authorization Policies or not. +*/}} +{{- define "common.useAuthorizationPolicies" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if .Values.global.authorizationPolicies -}} +{{- if (default false .Values.global.authorizationPolicies.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Authorization Policy template. + If common.useAuthorizationPolicies returns true: + Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals + in the format: + authorizedPrincipals: + - serviceAccount: (Mandatory) + namespace: (Optional, will default to onap) + allowedOperationMethods: ("app" corresponds to a key defined in "common.labels", which is included in "common.service") + + If common.useAuthorizationPolicies returns false: + Will not create an authorization policy +*/}} +{{- define "common.authorizationPolicy" -}} +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . 
}} + action: ALLOW + rules: +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_strimzikafka.tpl b/kubernetes/common/common/templates/_strimzikafka.tpl new file mode 100644 index 0000000000..a2e9c90a4f --- /dev/null +++ b/kubernetes/common/common/templates/_strimzikafka.tpl 
@@ -0,0 +1,135 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* + Create a Strimzi KafkaUser. + Usage: + include "common.kafkauser" . + + Strimzi kafka provides cluster access via its custom resource definition KafkaUser + which is deployed using its User Operator component. + See more info here - https://github.com/strimzi/strimzi-kafka-operator/blob/main/helm-charts/helm3/strimzi-kafka-operator/crds/044-Crd-kafkauser.yaml + This allows fine grained access control per user towards the kafka cluster. + See more info here - https://strimzi.io/docs/operators/latest/configuring.html#proc-configuring-kafka-user-str + + The kafka user definition is defined as part of .Values per component. + For general use by OOM components, the following list of acl types should suffice: + type: group (Used by the client app to be added to a particular kafka consumer group) + type: topic (1 or more kafka topics that the client needs to access. Commonly [Read,Write]) + + Note: The template will use the following default values. + + spec.authentication.type: scram-sha-512 (dictated by the available broker listeners on the kafka cluster) + spec.authorization.type: simple (Only type supported by strimzi at present) + spec.authorization.acls.resource.patternType: literal + + Example: + + kafkaUser: + acls: + - name: sdc (mandatory) + suffix: mysuffix (optional. Will be appended (with a hyphen) to the "name" entry. 
ie "sdc-mysuffix") + type: group (mandatory. Type "group" is used by the client as it's kafka consumer group) + operations: [Read] (mandatory. List of at least 1) + - name: SDC-DISTR + type: topic + patternType: prefix (optional. In this example, the user will be provided Read and Write access to all topics named "SDC-DISTR*") + operations: [Read, Write] +*/}} +{{- define "common.kafkauser" -}} +{{- $global := .global }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.name" . }}-ku + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: {{ .Values.kafkaUser.authenticationType | default "scram-sha-512" }} + authorization: + type: {{ .Values.kafkaUser.authorizationType | default "simple" }} + acls: + {{- range $acl := .Values.kafkaUser.acls }} + - resource: + type: {{ $acl.type }} + patternType: {{ $acl.patternType | default "literal" }} + name: {{ ternary (printf "%s-%s" $acl.name $acl.suffix) $acl.name (hasKey $acl "suffix") }} + operations: + {{- range $operation := $acl.operations }} + - {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* + Create a Strimzi KafkaTopic. + Usage: + include "common.kafkatopic" . + + Strimzi kafka provides kafka topic management via its custom resource definition KafkaTopic + which is deployed using its Topic Operator component. + See more info here - https://github.com/strimzi/strimzi-kafka-operator/blob/main/helm-charts/helm3/strimzi-kafka-operator/crds/043-Crd-kafkatopic.yaml + + Note: KafkaTopic names should adhere to kubernetes object naming conventions - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ + maximum length of 253 characters and consist of lower case alphanumeric characters, -, and . + + Note: The template will use the following default values. 
+ + spec.config.retention.ms: 7200000 (defaults to 2 hrs retention for kafka topic logs) + spec.config.segment.bytes: 1073741824 (defaults to 1gb) + spec.partitions: 6 (defaults to (2 * (default.replication.factor)) defined by the strimzi broker conf) + spec.replicas: 3 (defaults to default.replication.factor defined by the strimzi broker conf. Must be > 0 and <= (num of broker replicas)) + + The kafka topic definition is defined as part of .Values per component. + + Example: + + kafkaTopic: + - name: my-new-topic (mandatory) + retentionMs: 7200000 (optional. Defaults to 2hrs) + segmentBytes: 1073741824 (optional. Defaults to 1gb) + suffix: my-suffix (optional. Will be appended (with a hyphen) to the "name" value. ie "my-new-topic-my-suffix") + - name: my.other.topic + suffix: some.other-suffix +*/}} +{{- define "common.kafkatopic" -}} +{{- $global := .global }} +{{- range $topic := .Values.kafkaTopic }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + {{- if (hasKey $topic "strimziTopicName") }} + name: {{ ($topic.strimziTopicName) }}-kt + {{- else }} + name: {{ ($topic.name) | lower }}-kt + {{- end }} + labels: + strimzi.io/cluster: {{ include "common.release" $ }}-strimzi +spec: + {{- if (hasKey $topic "partitions") }} + partitions: {{ $topic.partitions }} + {{- end }} + {{- if (hasKey $topic "replicas") }} + replicas: {{ $topic.replicas }} + {{- end }} + topicName: {{ ternary (printf "%s-%s" $topic.name $topic.suffix) $topic.name (hasKey $topic "suffix") }} + config: + retention.ms: {{ $topic.retentionMs | default "7200000" }} + segment.bytes: {{ $topic.segmentBytes | default "1073741824"}} +--- +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_tplvalues.tpl b/kubernetes/common/common/templates/_tplvalues.tpl new file mode 100644 index 0000000000..0c6dbec859 --- /dev/null +++ b/kubernetes/common/common/templates/_tplvalues.tpl 
@@ -0,0 +1,49 @@ +{{/* +# Copyright © Original (https://github.com/bitnami/charts) VMware, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues._render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues._render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues._render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues._merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues._merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues._render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} 
diff --git a/kubernetes/common/dgbuilder/.helmignore b/kubernetes/common/dgbuilder/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/common/dgbuilder/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/common/dgbuilder/Chart.yaml b/kubernetes/common/dgbuilder/Chart.yaml deleted file mode 100644 index 1a1b8e2d86..0000000000 --- a/kubernetes/common/dgbuilder/Chart.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: D.G. Builder application -name: dgbuilder -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: 'file://../common' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' - - name: serviceAccount - version: ~11.x-0 - repository: 'file://../serviceAccount' 
diff --git a/kubernetes/common/dgbuilder/resources/config/customSettings.js b/kubernetes/common/dgbuilder/resources/config/customSettings.js deleted file mode 100644 index b6a1a8636a..0000000000 --- a/kubernetes/common/dgbuilder/resources/config/customSettings.js +++ /dev/null 
@@ -1,61 +0,0 @@ -/* Copyright © 2017 AT&T, Amdocs, Bell Canada -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -module.exports={ - "name": "Release sdnc1.0", - "emailAddress": "dguser@onap.org", - "uiPort": 3100, - "mqttReconnectTime": 15000, - "serialReconnectTime": 15000, - "debugMaxLength": 1000, - "htmlPath": "releases/sdnc1.0/html/", - "xmlPath": "releases/sdnc1.0/xml/", - "flowFile": "releases/sdnc1.0/flows/flows.json", - "sharedDir": "releases/sdnc1.0/flows/shared", - "userDir": "releases/sdnc1.0", - "httpAuth": { - "user": "${HTTP_USER}", - "pass": "${HTTP_PASSWORD}" - }, - "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", - "dbPort": "3306", - "dbName": "{{.Values.config.db.dbName}}", - "dbUser": "${DB_USER}", - "dbPassword": "${DB_PASSWORD}", - "gitLocalRepository": "", - "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", - "restConfUser": "${REST_CONF_USER}", - "restConfPassword": "${REST_CONF_PASSWORD}", - "formatXML": "Y", - "formatJSON": "Y", - "httpRoot": "/", - "disableEditor": false, - "httpAdminRoot": "/", - "httpAdminAuth": { - "user": "${HTTP_ADMIN_USER}", - "pass": "${HTTP_ADMIN_PASSWORD}" - }, - "httpNodeRoot": "/", - "httpNodeAuth": { - "user": "${HTTP_NODE_USER}", - "pass": "${HTTP_NODE_PASSWORD}" - }, - "uiHost": "0.0.0.0", - "version": "0.9.1", - {{ if .Values.global.aafEnabled }} - "enableHttps" : true, - {{ end }} - "performGitPull": "N" -} 
diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml deleted file mode 100644 index 6538ad0836..0000000000 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ /dev/null 
@@ -1,144 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} - - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} - - name: HTTP_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} - - name: HTTP_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "http-user-creds" "key" "password") | indent 10 }} - - name: HTTP_ADMIN_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} - - name: HTTP_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "password") | indent 10 }} - - name: HTTP_NODE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} - - name: HTTP_NODE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} - - name: REST_CONF_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} - - name: REST_CONF_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: config-input - - mountPath: /config - name: config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} - - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.config.dbPodName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && {{ if .Values.global.aafEnabled}} cp /opt/app/osaaf/local/node-*.pem certs && {{end}}./start.sh sdnc1.0 && wait"] - ports: - - containerPort: {{ .Values.service.internalPort }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: SDNC_CONFIG_DIR - value: /opt/onap/sdnc/data/properties - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: config - mountPath: /opt/app/application.properties - subPath: application.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/conf/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js - subPath: customSettings.js - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: config-input - configMap: - name: {{ include "common.fullname" . }}-config - - name: config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/common/dgbuilder/templates/service.yaml b/kubernetes/common/dgbuilder/templates/service.yaml deleted file mode 100644 index bfe8b0aeb5..0000000000 --- a/kubernetes/common/dgbuilder/templates/service.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml deleted file mode 100644 index ddad8d7360..0000000000 
--- a/kubernetes/common/dgbuilder/values.yaml +++ /dev/null 
@@ -1,193 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: Always - - # default mount path root directory referenced - # by persistent volumes and log files - persistence: - mountPath: /dockerdata-nfs - - # flag to enable debugging - application support required - debugEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: 'db-root-password' - type: password - externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - password: '{{ .Values.config.db.rootPassword }}' - - uid: 'db-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: 'http-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . 
}}' - login: '{{ .Values.config.httpUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'admin-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' - login: '{{ .Values.config.adminUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'node-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' - login: '{{ .Values.config.nodeUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'restconf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' - login: '{{ .Values.config.restconfUser }}' - password: '{{ .Values.config.restconfPassword }}' - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-dgbuilder-image:1.3.4 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - db: - dbName: sdnctl - # unused for now to preserve the API - rootPassword: openECOMP1.0 - # rootPasswordExternalSecret: some secret - userName: sdnctl - # unused for now to preserve the API - userPassword: gamma - # userCredentialsExternalSecret: some secret - httpUser: dguser - # unused for now to preserve the API - httpPassword: cc03e747a6afbbcbf8be7668acfebee5 - # httpCredsExternalSecret: some secret - adminUser: dguser - # unused for now to preserve the API - adminPassword: cc03e747a6afbbcbf8be7668acfebee5 - # adminCredsExternalSecret: some secret - nodeUser: dguser - # unused for now to preserve the API - nodePassword: cc03e747a6afbbcbf8be7668acfebee5 - # nodeCredsExternalSecret: some secret - restconfUser: admin - # unused for now to preserve the API - restconfPassword: admin - # restconfCredsExternalSecret: some secret - - dbPodName: 
mysql-db - dbServiceName: sdnc-dbhost - # MD5 hash of dguser password ( default: test123 ) - dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: dgbuilder - portName: http - externalPort: 3000 - internalPort: 3100 - nodePort: 28 - -ingress: - enabled: false - service: - - baseaddr: "dgbuilder" - name: "dgbuilder" - port: 3000 - config: - ssl: "redirect" - - # dependency / sub-chart configuration -certInitializer: - nameOverride: dgbuilder-cert-initializer - truststoreMountpath: /opt/onap/ccsdk/dgbuilder/certs - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: org.onap.sdnc - public_fqdn: "dgbuilder.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd /opt/app/osaaf/local; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1 ; - cp {{ .Values.fqi_namespace }}.crt node-cert.pem; - cp {{ .Values.fqi_namespace }}.key node-key.pem; - chmod go+r node-*.pem - -#Resource Limit flavor -By Default using small -flavor: small -#segregation for different envionment (Small and Large) - -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dgbuilder - roles: - - read 
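Review bot: Deleting kubernetes/common/dgbuilder/values.yaml does not retire the clear-text default credentials in its `config:` block (`rootPassword: openECOMP1.0`, `userPassword: gamma`, `restconfPassword: admin`), the unsalted MD5 of the dguser password whose plaintext sits in the adjacent comment, or `aafDeployPass` in the `certInitializer` block; they all remain in the repository history. The commit message should say that any deployment still running on these defaults needs them rotated, and it is worth confirming that no remaining chart falls back to the same values.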
diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml index cd187ffdbd..82c8ccd056 100644 --- a/kubernetes/common/elasticsearch/Chart.yaml +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -18,26 +18,23 @@ apiVersion: v2 description: ONAP elasticsearch name: elasticsearch -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: master - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/master' - name: data - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/data' condition: elasticsearch.data.enabled,data.enabled - name: curator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/curator' condition: elasticsearch.curator.enabled,curator.enabled - - name: certInitializer - version: ~11.x-0 - repository: 'file://../certInitializer' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/elasticsearch/Makefile b/kubernetes/common/elasticsearch/Makefile index 51d7de122c..ef273d0e9b 100644 --- a/kubernetes/common/elasticsearch/Makefile +++ b/kubernetes/common/elasticsearch/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
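Review bot: The `SKIP_LINT` switch added near the top of kubernetes/common/elasticsearch/Makefile is undocumented, and only the exact string `TRUE` takes the skip branch, so `SKIP_LINT=true` or `SKIP_LINT=1` still lints without saying so. When it does skip, `HELM_LINT_CMD` becomes an `echo` that always succeeds, so `package-%` will package a chart that was never linted. Please add a comment above the `ifneq` stating the accepted value and that the switch is meant for local builds, not for release or CI packaging.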
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/common/elasticsearch/components/Makefile b/kubernetes/common/elasticsearch/components/Makefile index 1ea8433a9c..79ba2fb47e 100644 --- a/kubernetes/common/elasticsearch/components/Makefile +++ b/kubernetes/common/elasticsearch/components/Makefile @@ -17,9 +17,15 @@ OUTPUT_DIR := $(ROOT_DIR)/../../dist PACKAGE_DIR := $(OUTPUT_DIR)/packages SECRET_DIR := $(OUTPUT_DIR)/secrets -EXCLUDES := soHelpers +EXCLUDES := HELM_BIN := helm -HELM_CHARTS := soHelpers $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml index 21017c4999..39780f2e83 100644 --- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml 
+++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml @@ -18,12 +18,12 @@ apiVersion: v2 description: ONAP elasticsearch curator name: curator -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/elasticsearch/components/curator/values.yaml b/kubernetes/common/elasticsearch/components/curator/values.yaml index 62964ff973..00f113b5bb 100644 --- a/kubernetes/common/elasticsearch/components/curator/values.yaml +++ b/kubernetes/common/elasticsearch/components/curator/values.yaml @@ -123,11 +123,11 @@ resources: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" priorityClassName: "" # extraVolumes and extraVolumeMounts allows you to mount other volumes # Example Use Case: mount ssl certificates when elasticsearch has tls enabled diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml index fc890719cb..d49a21085b 100644 --- a/kubernetes/common/elasticsearch/components/data/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml @@ -18,12 +18,12 @@ apiVersion: v2 description: ONAP elasticsearch data name: data -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../repositoryGenerator' 
diff --git a/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml index a7278ba104..e6c5a87f5c 100644 --- a/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml +++ b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml @@ -34,8 +34,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} diff --git a/kubernetes/common/elasticsearch/components/data/values.yaml b/kubernetes/common/elasticsearch/components/data/values.yaml index 1dc9ab8588..3f9992aaba 100644 --- a/kubernetes/common/elasticsearch/components/data/values.yaml +++ b/kubernetes/common/elasticsearch/components/data/values.yaml @@ -105,11 +105,11 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 25m - memory: 1152Mi + cpu: "25m" + memory: "1.1Gi" ## Elasticsearch data container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml index 43fe42f62b..73d59075e3 100644 --- a/kubernetes/common/elasticsearch/components/master/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml 
@@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP elasticsearch master name: master -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../repositoryGenerator' diff --git a/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml index 85ea2bbc54..8ee0fc50db 100644 --- a/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml +++ b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml @@ -32,8 +32,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} diff --git a/kubernetes/common/elasticsearch/components/master/values.yaml b/kubernetes/common/elasticsearch/components/master/values.yaml index 2eae0de4c0..a3a219ee31 100644 --- a/kubernetes/common/elasticsearch/components/master/values.yaml +++ b/kubernetes/common/elasticsearch/components/master/values.yaml @@ -22,6 +22,8 @@ global: backup: mountPath: /dockerdata-nfs/backup storageClass: + serviceMesh: + enabled: false ################################################################# # Application configuration defaults. 
@@ -106,13 +108,13 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: - cpu: 250m - memory: 1536Mi - # cpu: 100m - # memory: 128Mi + cpu: "250m" + memory: "1.5Gi" + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 5m - memory: 310Mi + cpu: "5m" + memory: "300Mi" ## Elasticsearch master-eligible container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml index 49ce0ef76a..e7520aeed6 100644 --- a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml +++ b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml @@ -21,11 +21,5 @@ kind: ConfigMap metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: server-block.conf: |- -{{ if .Values.global.aafEnabled }} -{{ .Values.nginx.serverBlock.https | indent 4 }} -{{ else }} {{ .Values.nginx.serverBlock.http | indent 4 }} - - -{{ end }} {{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml index 05e09cb696..0bc6de2b9b 100644 --- a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml +++ b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml @@ -30,8 +30,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} 
@@ -64,7 +63,6 @@ spec: securityContext: privileged: true {{- end }} - {{ include "common.certInitializer.initContainer" . | nindent 8 }} containers: - name: {{ include "common.name" . }}-nginx @@ -85,7 +83,6 @@ spec: - name: nginx-server-block mountPath: /opt/bitnami/nginx/conf/server_blocks {{- end }} - {{- include "common.certInitializer.volumeMount" . | nindent 10 }} - name: {{ include "common.name" . }}-elasticsearch image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -172,4 +169,3 @@ spec: configMap: name: {{ include "common.fullname" . }}-nginx-server-block {{- end }} - {{ include "common.certInitializer.volumes" . | nindent 8 }} diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml index 6c46f32c96..7851f2804f 100644 --- a/kubernetes/common/elasticsearch/values.yaml +++ b/kubernetes/common/elasticsearch/values.yaml @@ -17,7 +17,6 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 302 clusterName: cluster.local @@ -95,11 +94,11 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 25m - memory: 256Mi + cpu: "25m" + memory: "200Mi" ## Elasticsearch coordinating-only container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## 
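Review bot: In the `requests:` block of this kubernetes/common/elasticsearch/values.yaml hunk the change is not only quoting: `memory: 256Mi` becomes `memory: "200Mi"`, a lower request for the coordinating-only container, and the commented example drops from 128Mi to "100Mi". If the reduction is intended, say so in the commit message; if the goal was only to quote the quantities, keep "256Mi".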
@@ -260,30 +259,6 @@ service: ## Provide functionality to use RBAC ## -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: elasticsearch-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "elastic" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.elastic" - fqi: "elastic@elastic.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd {{ .Values.credsPath }}; - mkdir -p certs; - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password; - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12; - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - chmod -R 755 certs; - ################################################################# # subcharts configuration defaults. ################################################################# diff --git a/kubernetes/common/etcd-init/Chart.yaml b/kubernetes/common/etcd-init/Chart.yaml index b4c36c368e..166b4172d3 100644 --- a/kubernetes/common/etcd-init/Chart.yaml +++ b/kubernetes/common/etcd-init/Chart.yaml @@ -17,12 +17,15 @@ apiVersion: v2 description: Chart for etcd init job name: etcd-init -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file 
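Review bot: The new `serviceAccount` dependency in kubernetes/common/etcd-init/Chart.yaml resolves from `repository: '@local'`, while `common` and `repositoryGenerator` in the same list use in-tree `file://../` paths. That makes `helm dep up` for this chart depend on whatever the configured `local` repository serves under that name rather than on the copy in this tree. Unless there is a reason to go through the repository, use `repository: 'file://../serviceAccount'` as the mariadb-galera Chart.yaml in this change does. The file also still ends without a trailing newline.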
diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml index 9d7dcc26da..71f912e201 100644 --- a/kubernetes/common/etcd-init/templates/job.yaml +++ b/kubernetes/common/etcd-init/templates/job.yaml @@ -27,6 +27,12 @@ spec: backoffLimit: {{ .Values.backoffLimit }} template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} @@ -37,8 +43,8 @@ spec: command: - /app/ready.py args: - - --container-name - - {{ .Values.etcd.containerName }} + - --service-name + - {{ .Values.etcd.serviceName }} env: - name: NAMESPACE valueFrom: @@ -47,6 +53,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -86,11 +99,7 @@ spec: value: "{{ .Values.config.appRole }}" - name: KEY_PREFIX value: "{{ .Values.config.keyPrefix }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} 
@@ -98,10 +107,6 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/etcd-init/values.yaml b/kubernetes/common/etcd-init/values.yaml index 6ccfb3e5d7..33e34fd086 100644 --- a/kubernetes/common/etcd-init/values.yaml +++ b/kubernetes/common/etcd-init/values.yaml @@ -59,20 +59,26 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 20m - memory: 20Mi + cpu: "20m" + memory: "20Mi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: etcd-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml index 44649199fa..02fc2c0603 100644 --- a/kubernetes/common/etcd/Chart.yaml +++ b/kubernetes/common/etcd/Chart.yaml @@ -17,7 +17,7 @@ apiVersion: v2 name: etcd home: https://github.com/coreos/etcd -version: 11.0.0 +version: 13.0.0 appVersion: 2.2.5 description: Distributed reliable key-value store for the most critical data of a distributed system. @@ -27,8 +27,8 @@ sources: dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/etcd/templates/service.yaml b/kubernetes/common/etcd/templates/service.yaml index 04fc93af00..006378f631 100644 
--- a/kubernetes/common/etcd/templates/service.yaml +++ b/kubernetes/common/etcd/templates/service.yaml @@ -19,7 +19,6 @@ kind: Service metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -metadata: name: {{ include "common.servicename" . }} labels: heritage: "{{ .Release.Service }}" @@ -34,6 +33,6 @@ spec: port: {{ .Values.service.clientInternalPort }} clusterIP: None selector: - app: {{ include "common.name" . }} - release: "{{ include "common.release" . }}" + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index ff11da309a..722a27d791 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -15,26 +15,13 @@ */}} apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - labels: - heritage: "{{ .Release.Service }}" - release: "{{ include "common.release" . }}" - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ include "common.name" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - serviceName: {{ include "common.servicename" .}} + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - heritage: "{{ .Release.Service }}" - release: "{{ include "common.release" . }}" - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{- if .Values.affinity }} affinity: 
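Review bot: Replacing the fixed `matchLabels: app: ...` under `spec.selector` with `include "common.selectors"` in this kubernetes/common/etcd/templates/statefulset.yaml hunk will break in-place upgrades if the rendered labels differ, because a StatefulSet selector cannot be changed after creation. The service.yaml hunk for the same chart moves its selector to `app.kubernetes.io/name` and `app.kubernetes.io/instance`, which suggests the labels do differ, so `helm upgrade` of an existing release would be rejected until the StatefulSet is deleted and recreated. Please document the upgrade step, or that upgrade in place is not supported, in the commit message or release notes.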
@@ -48,8 +35,7 @@ spec: tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.googleK8sRepository" . }}/{{ .Values.image }} @@ -67,8 +53,7 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end -}} - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: INITIAL_CLUSTER_SIZE value: {{ .Values.replicaCount | quote }} diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml index 5b9286ddb8..a5790a4d62 100644 --- a/kubernetes/common/logConfiguration/Chart.yaml +++ b/kubernetes/common/logConfiguration/Chart.yaml @@ -17,9 +17,9 @@ apiVersion: v2 description: Template used to create same STDOUT log configuration name: logConfiguration -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index ddbaacca40..c5bb0aaf94 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 11.0.0 +version: 13.2.0 keywords: - mariadb - mysql 
@@ -29,14 +29,15 @@ keywords: dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../readinessCheck' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' - name: serviceAccount - version: ~11.x-0 - repository: 'file://../serviceAccount' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../serviceAccount' + condition: global.mariadbGalera.enableServiceAccount \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml index 4248cfe85c..877e6faaa6 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml @@ -15,6 +15,9 @@ # limitations under the License. */}} +{{- if and .Values.backup.enabled .Values.global.mariadbGalera.useOperator }} +{{ include "common.mariadbOpBackup" . }} +{{ else }} {{- if and .Values.backup.enabled .Values.persistence.enabled }} apiVersion: batch/v1beta1 kind: CronJob @@ -29,6 +32,13 @@ spec: jobTemplate: spec: template: + metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} {{ include "common.podSecurityContext" . | indent 10 | trim}} 
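Review bot: The annotation `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` added under `template.metadata` in backup/cronjob.yaml takes every outbound connection to port 443 from the backup pod out of the sidecar, not only the Kubernetes API that the comment names, so that traffic gets no mesh mTLS or policy. If only the API server is meant, an exclusion scoped to its address range would be narrower; otherwise extend the comment to state the wider effect. The comment also has a typo, "Workarround".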
@@ -77,7 +87,7 @@ spec: env: - name: DB_PASS {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mariadb.secret.rootPassUID" .) "key" "password") | indent 18 }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 16 }} volumeMounts: - name: backup-dir mountPath: /backup @@ -148,23 +158,16 @@ spec: ls -tr | grep backup | head -$filestoDelete | xargs rm -rf fi fi - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 16 }} volumeMounts: - mountPath: /bitnami/mariadb/data name: tmp-data - mountPath: /opt/bitnami/mariadb/tmp name: tmp - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: backup-dir mountPath: /backup - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 10 }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: data persistentVolumeClaim: {{- if .Values.persistence.existingClaim }} @@ -180,3 +183,4 @@ spec: - name: tmp emptyDir: {} {{- end }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/backup/pv.yaml b/kubernetes/common/mariadb-galera/templates/backup/pv.yaml index 30eb74b059..d5e26109e7 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/pv.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/pv.yaml @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} + +{{- if not .Values.global.mariadbGalera.useOperator }} {{- if .Values.backup.enabled }} {{- if and .Values.backup.persistence.enabled (not .Values.backup.persistence.existingClaim) -}} {{- if eq "True" (include "common.needPV" .) -}} @@ -41,3 +43,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} 
diff --git a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml index 5dd8a3f52f..4c2bfcd389 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} + +{{- if not .Values.global.mariadbGalera.useOperator }} {{- if .Values.backup.enabled }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} --- @@ -45,3 +47,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml index c95a234fb7..0aa0a63f0a 100644 --- a/kubernetes/common/mariadb-galera/templates/configmap.yaml +++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml @@ -15,7 +15,20 @@ # limitations under the License. */}} -{{ if .Values.mariadbConfiguration }} +{{- if .Values.global.mariadbGalera.useOperator }} +{{ if .Values.mariadbOpConfiguration }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "common.fullname" .) }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: + my.cnf: | +{{ .Values.mariadbOpConfiguration | indent 4 }} +{{- end }} +{{- else }} +{{ if .Values.mariadbConfiguration }} apiVersion: v1 kind: ConfigMap metadata: @@ -25,4 +38,5 @@ metadata: data: my.cnf: | {{ .Values.mariadbConfiguration | indent 4 }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/mariadb.yaml b/kubernetes/common/mariadb-galera/templates/mariadb.yaml new file mode 100644 index 0000000000..ce09c9ff06 --- /dev/null +++ b/kubernetes/common/mariadb-galera/templates/mariadb.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.mariadbGalera.useOperator }} +{{ include "common.mariadbOpInstance" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml index 841aab3e17..d37aeb1751 100644 --- a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml +++ b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml @@ -14,7 +14,9 @@ # limitations under the License. */}} -{{- if default false .Values.global.metrics.enabled }} +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if default false .Values.global.metrics.enabled }} +--- apiVersion: v1 kind: Service metadata: @@ -31,4 +33,5 @@ spec: port: {{ .Values.metrics.service.port }} targetPort: tcp-metrics selector: {{- include "common.matchLabels" . | nindent 4 }} -{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/pdb.yaml b/kubernetes/common/mariadb-galera/templates/pdb.yaml index 4697934879..734f03f237 100644 --- a/kubernetes/common/mariadb-galera/templates/pdb.yaml +++ b/kubernetes/common/mariadb-galera/templates/pdb.yaml 
@@ -14,17 +14,19 @@ # limitations under the License. */}} -{{- if .Values.podDisruptionBudget.create }} -apiVersion: policy/v1beta1 +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if .Values.podDisruptionBudget.create }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: -{{- if .Values.podDisruptionBudget.minAvailable }} +{{- if .Values.podDisruptionBudget.minAvailable }} minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- if .Values.podDisruptionBudget.maxUnavailable }} maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} -{{- end }} +{{- end }} selector: matchLabels: {{- include "common.matchLabels" . | nindent 6 }} -{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/pv.yaml b/kubernetes/common/mariadb-galera/templates/pv.yaml index 54a02cf2db..129b5b26c7 100644 --- a/kubernetes/common/mariadb-galera/templates/pv.yaml +++ b/kubernetes/common/mariadb-galera/templates/pv.yaml @@ -15,4 +15,6 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} {{ include "common.replicaPV" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/service.yaml b/kubernetes/common/mariadb-galera/templates/service.yaml index 9b4c05ef70..e1a910557f 100644 --- a/kubernetes/common/mariadb-galera/templates/service.yaml +++ b/kubernetes/common/mariadb-galera/templates/service.yaml 
@@ -15,11 +15,13 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} {{ include "common.service" . }} --- {{ include "common.headlessService" . }} +{{- end }} {{- if (include "common.onServiceMesh" .) }} -{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} +{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication @@ -29,9 +31,13 @@ metadata: spec: selector: matchLabels: - app.kubernetes.io/name: {{ include "common.servicename" . }} + app: {{ include "common.servicename" . }} portLevelMtls: - {{ .Values.service.internalPort }}: + '{{ .Values.service.internalPort }}': +{{- if .Values.mariadbOperator.galera.enabled }} + mode: STRICT +{{- else }} mode: DISABLE -{{- end}} -{{- end}} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml index 6d1ed40e13..4cbf7b394f 100644 --- a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml +++ b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} -{{- if .Values.metrics.serviceMonitor.enabled }} +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index c95b572465..70cc0c34bd 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml 
@@ -18,6 +18,7 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -220,8 +221,7 @@ spec: {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.schedulerName }} schedulerName: {{ .Values.schedulerName | quote }} {{- end }} @@ -266,3 +266,4 @@ spec: volumeClaimTemplates: - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index e9fe577233..3d9725cb43 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -15,6 +15,25 @@ # See the License for the specific language governing permissions and # limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + clusterDomain: cluster.local + metrics: {} + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + nameOverride: mariadb-galera + service: mariadb-galera ################################################################# # Secrets metaconfig 
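Review bot: in the new `global.mariadbGalera` block of values.yaml, `useOperator` and `enableServiceAccount` have to be set to opposite values by hand, and only a comment says so. With `useOperator: false` and `enableServiceAccount` left at `false`, the serviceAccount dependency is switched off by its `condition` in Chart.yaml while the legacy CronJob still sets `serviceAccountName` to the `read` account. templates/service.yaml adds a third switch, `.Values.mariadbOperator.galera.enabled`, which selects `mode: STRICT` or `mode: DISABLE` for the database port independently of `useOperator`. Suggest deriving the service account condition and the mTLS mode from a single flag, or failing the render when they disagree, and stating next to the flag that `DISABLE` turns mesh mTLS off for the database port. The comment line also has an unbalanced quote: `"enableServiceAccount to "false"`.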
@@ -35,21 +54,111 @@ secrets: login: '{{ .Values.galera.mariabackup.user }}' password: '{{ .Values.galera.mariabackup.password }}' +mariadbOperator: + image: mariadb + appVersion: 11.2.2 + persistence: + #storageClassName: default + size: 3Gi + galera: + enabled: true + agentImage: mariadb-operator/mariadb-operator + agentVersion: v0.0.27 + initImage: mariadb-operator/mariadb-operator + initVersion: v0.0.27 + +## String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: mariadb-galera + +## Custom db configuration +## +db: + ## MariaDB username and password + ## Password is ignored if externalSecret is specified. + ## If not set, password will be "randomly" generated + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run + ## + user: my-user + # password: + # externalSecret: + ## Database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run + ## + # name: my_database + +## Desired number of cluster nodes +## +replicaCount: 3 + +## Additional pod annotations for MariaDB Galera pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## -> here required to enable mariadb-galera in istio +## +podAnnotations: + # sidecar.istio.io/inject: "false" + traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" + traffic.sidecar.istio.io/includeInboundPorts: '*' + traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568,443" + +mariadbOpConfiguration: |- + [mysqld] + max_allowed_packet=256M + lower_case_table_names = 1 + + ## Character set + collation_server=utf8_unicode_ci + init_connect='SET NAMES utf8' + character_set_server=utf8 + + ## MyISAM + key_buffer_size=32M + myisam_recover_options=FORCE,BACKUP + + ## Safety + skip_host_cache + skip_name_resolve + max_allowed_packet=16M + max_connect_errors=1000000 + 
sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY + sysdate_is_now=1 + + ## Caches and Limits + tmp_table_size=32M + max_heap_table_size=32M + # Re-enabling as now works with Maria 10.1.2 + query_cache_type=1 + query_cache_limit=4M + query_cache_size=256M + max_connections=500 + thread_cache_size=50 + open_files_limit=65535 + table_definition_cache=4096 + table_open_cache=4096 + + ## InnoDB + innodb=FORCE + innodb_strict_mode=1 + # Mandatory per https://github.com/codership/documentation/issues/25 + innodb_autoinc_lock_mode=2 + # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ + innodb_doublewrite=1 + innodb_flush_method=O_DIRECT + innodb_log_files_in_group=2 + innodb_log_file_size=128M + innodb_flush_log_at_trx_commit=1 + innodb_file_per_table=1 + # 80% Memory is default reco. + # Need to re-evaluate when DB size grows + innodb_buffer_pool_size=2G + innodb_file_format=Barracuda + +########################################################################################## +# !!! the following configuration entries are ignored, when mariadbOperator is enabled !!! +########################################################################################## # bitnami image doesn't support well single quote in password passwordStrengthOverride: basic -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: - mountPath: /dockerdata-nfs - backup: - mountPath: /dockerdata-nfs/backup - clusterDomain: cluster.local - metrics: {} - image: bitnami/mariadb-galera:10.5.8 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
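Review bot: `mariadbOpConfiguration` sets `max_allowed_packet` twice, `max_allowed_packet=256M` at the top of `[mysqld]` and `max_allowed_packet=16M` under `## Safety`; in an option file the last occurrence wins, so the 256M line is dead and a reader cannot tell which limit was intended. Keep a single entry. The comment `# Re-enabling as now works with Maria 10.1.2` sits in the same hunk as `appVersion: 11.2.2` and should be refreshed or dropped. The banner saying the following entries are ignored "when mariadbOperator is enabled" would be clearer if it named the actual switch, `global.mariadbGalera.useOperator`.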
@@ -66,10 +175,6 @@ debug: true ## actions performed on the databases are tried to be done before actual start. init_sleep_time: 5 -## String to partially override common.names.fullname template (will maintain the release name) -## -nameOverride: mariadb-galera - ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## @@ -129,22 +234,6 @@ rootUser: # password: # externalSecret: -## Custom db configuration -## -db: - ## MariaDB username and password - ## Password is ignored if externalSecret is specified. - ## If not set, password will be "randomly" generated - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run - ## - user: my-user - # password: - # externalSecret: - ## Database to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run - ## - # name: my_database - ## Galera configuration ## galera: @@ -178,8 +267,16 @@ galera: ## For this reason the db data pvc needs to have accessMode: ReadWriteMany. backup: enabled: false + # used in the mariadb-operator to override the backup name (default is DBName) + # nameOverride: + # defines the backup job execution period cron: "00 00 * * *" + # used by mariadb-operator to set the max retention time + maxRetention: 720h retentionPeriod: 3 + # used by mariadb-operator to set the backup storage type (PVC, S3, volume) + storageType: PVC + # configuration used for PVC backup storage persistence: ## If true, use a Persistent Volume Claim, If false, use emptyDir ## 
@@ -208,11 +305,32 @@ backup: ## Persistent Volume size ## size: 2Gi - + # requires mariadb-operator v0.24.0 + # configuration used for S3 backup storage + # see: https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/BACKUP.md + s3: + bucket: backups + endpoint: minio.minio.svc.cluster.local:9000 + #region: us-east-1 + accessKeyIdSecretKeyRef: + name: minio + key: access-key-id + secretAccessKeySecretKeyRef: + name: minio + key: secret-access-key + tls: + enabled: false + caSecretKeyRef: + name: minio-ca + key: ca.crt + # configuration used for kubernetes volumes as backup storage + # see: https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/BACKUP.md + volume: {} readinessCheck: wait_for: - - '{{ include "common.name" . }}' + services: + - '{{ include "common.servicename" . }}' ## TLS configuration ## @@ -368,26 +486,12 @@ mariadbConfiguration: |- ## ## extraFlags: "--max-connect-errors=1000 --max_connections=155" -## Desired number of cluster nodes -## -replicaCount: 3 - ## updateStrategy for MariaDB Master StatefulSet ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies ## updateStrategy: type: RollingUpdate -## Additional pod annotations for MariaDB Galera pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -> here required to enable mariadb-galera in istio -## -podAnnotations: - # sidecar.istio.io/inject: "false" - traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" - traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568" - ## Pod affinity preset ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard 
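Review bot: the `backup.s3` defaults added in the first hunk on this file section ship with `tls: enabled: false` against `endpoint: minio.minio.svc.cluster.local:9000`, so a deployment that only switches `storageType` from `PVC` to S3 sends database dumps to the object store without TLS. Suggest defaulting `tls.enabled` to `true` with the `caSecretKeyRef` already sketched here, or calling out the plaintext default in the comment above the block. The comment `requires mariadb-operator v0.24.0` does not match the version scheme of `agentVersion: v0.0.27` earlier in values.yaml; please confirm which release is meant.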
@@ -488,18 +592,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 500m - memory: 2Gi + cpu: "500m" + memory: "2Gi" large: limits: - cpu: 2 - memory: 6Gi + cpu: "2" + memory: "6Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" unlimited: {} ## MariaDB Galera containers' liveness and readiness probes @@ -564,11 +668,11 @@ metrics: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: - cpu: 0.5 - memory: 256Mi + cpu: "0.5" + memory: "200Mi" requests: - cpu: 0.5 - memory: 256Mi + cpu: "0.5" + memory: "200Mi" ## MariaDB Galera metrics container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index b9fa78f814..fa89a669d2 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -17,12 +17,18 @@ apiVersion: v2 description: Chart for MariaDB Galera init job name: mariadb-init -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/mariadb-init/templates/job.yaml b/kubernetes/common/mariadb-init/templates/job.yaml index e911d46d12..4bb142d001 100644 --- a/kubernetes/common/mariadb-init/templates/job.yaml +++ b/kubernetes/common/mariadb-init/templates/job.yaml 
@@ -31,26 +31,18 @@ spec: backoffLimit: 20 template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ default .Values.global.mariadbGalera.nameOverride .Values.mariadbGalera.containerName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.image.mariadb" . }} @@ -82,17 +74,13 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" $root "uid" $db "key" "password") | indent 10 }} {{ end }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: mariadb-init mountPath: /db_init/ {{- if or .Values.dbScriptConfigMap .Values.dbScript }} - name: mariadb-conf mountPath: /db_config/ {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: 
@@ -102,10 +90,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{- if or .Values.dbScriptConfigMap .Values.dbScript }} - name: mariadb-conf configMap: @@ -121,5 +107,4 @@ spec: name: {{ include "mariadbInit.configMap" . }} defaultMode: 0755 restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/mariadb-init/tests/job_test.yaml b/kubernetes/common/mariadb-init/tests/job_test.yaml index 170eaf3c96..cff8f947f8 100644 --- a/kubernetes/common/mariadb-init/tests/job_test.yaml +++ b/kubernetes/common/mariadb-init/tests/job_test.yaml @@ -36,7 +36,7 @@ tests: content: mariadb-galera - equal: path: spec.template.spec.initContainers[0].image - value: nexus3.onap.org:10001/onap/oom/readiness:3.0.1 + value: nexus3.onap.org:10001/onap/oom/readiness:6.0.3 - equal: path: spec.template.spec.initContainers[0].imagePullPolicy value: IfNotPresent diff --git a/kubernetes/common/mariadb-init/values.yaml b/kubernetes/common/mariadb-init/values.yaml index 9104dd84d6..57dfb400c4 100644 --- a/kubernetes/common/mariadb-init/values.yaml +++ b/kubernetes/common/mariadb-init/values.yaml 
@@ -63,6 +63,27 @@ mariadbGalera: {} # userRootSecret: some-secret-name # userRootSecretKey: password +# These are default settings, required for a chart compilation with "local" cluster +# setting. These values need to be overwritten in the component's values.yaml, e.g. +# global: +# mariadbGalera: &mariadbGalera +# #This flag allows SO to instantiate its own mariadb-galera cluster +# localCluster: true +# service: nbi-galera +# internalPort: 3306 +# nameOverride: nbi-galera +# mariadb-init: +# mariadb-galera: +# nameOverride: nbi-galera +# service: +# internalPort: 3306 +mariadb-galera: + service: + internalPort: 3306 + nameOverride: mariadb-galera + mariadbOperator: + galera: + enabled: false config: userPassword: Ci@shsOd3pky1Vji @@ -104,20 +125,31 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 20m - memory: 20Mi + cpu: "20m" + memory: "20Mi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: mariadb-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/common/mongo/.helmignore b/kubernetes/common/mongo/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/common/mongo/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
diff --git a/kubernetes/common/mongo/Chart.yaml b/kubernetes/common/mongo/Chart.yaml deleted file mode 100644 index 229da3530f..0000000000 --- a/kubernetes/common/mongo/Chart.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright © 2018, 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: MongoDB Server -name: mongo -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/mongo/templates/pv.yaml b/kubernetes/common/mongo/templates/pv.yaml deleted file mode 100644 index 9d40144ed5..0000000000 --- a/kubernetes/common/mongo/templates/pv.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/common/mongo/templates/service.yaml b/kubernetes/common/mongo/templates/service.yaml deleted file mode 100644 index e8894c2b59..0000000000 --- a/kubernetes/common/mongo/templates/service.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -# Copyright © 2018 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None ---- -# Client service for connecting to any Mongo instance for reads. -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-read - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} -spec: - ports: - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -{{ if .Values.geoEnabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-nodeport - namespace: {{ include "common.namespace" . }} - labels: - statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . 
}}-0 -spec: - ports: - - name: {{ .Values.service.internalPort }} - port: {{ .Values.service.internalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.externalPort1 }} - - name: {{ .Values.xtrabackup.internalPort }} - port: {{ .Values.xtrabackup.internalPort }} - targetPort: {{ .Values.xtrabackup.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.externalPort2 }} - type: NodePort - selector: - statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 - release: {{ include "common.release" . }} -{{ end }} diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml deleted file mode 100644 index e156db27db..0000000000 --- a/kubernetes/common/mongo/templates/statefulset.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -{{/* -# Copyright © 2018 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ .Values.service.name }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: -{{ include "common.podSecurityContext" . | indent 6 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - # we shouldn't need this but for unknown reason, it's fsGroup is not - # applied - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: 0 - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /data - containers: - - name: {{ include "common.name" . 
}} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - docker-entrypoint.sh - args: - - --nounixsocket - env: - - name: MONGO_INITDB_DATABASE - value: "{{ .Values.config.dbName }}" - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - mongo - - --eval - - "db.adminCommand('ping')" - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /data/db - resources: {{ include "common.resources" . | nindent 12 }} -{{ include "common.containerSecurityContext" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . 
}} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- else }} - volumes: - - name: {{ include "common.fullname" . }}-data - emptyDir: {} - {{- end }} diff --git a/kubernetes/common/mongo/values.yaml b/kubernetes/common/mongo/values.yaml deleted file mode 100644 index caab71890d..0000000000 --- a/kubernetes/common/mongo/values.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -# Copyright © 2018 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - - -################################################################# -# Application configuration defaults. -################################################################# - -image: library/mongo:4.4.10 -pullPolicy: Always - -# application configuration -config: - dbName: mongo -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: false - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to 
null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: "mongo/data" - -service: - name: mongo - portName: mongo - internalPort: 27017 - # nfs provisioner ports - nfsPort: 2049 - mountdPort: 20048 - rpcbindPort: 111 - rpcbindUdpPort: 111 - -securityContext: - user_id: 999 - group_id: 999 - -ingress: - enabled: false - - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 100m - memory: 200Mi - requests: - cpu: 10m - memory: 50Mi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -sdnctlPrefix: mongo - -geoEnabled: false -geoSiteId: 1 diff --git a/kubernetes/common/mongodb/.helmignore b/kubernetes/common/mongodb/.helmignore new file mode 100644 index 0000000000..fb56657ab4 --- /dev/null +++ b/kubernetes/common/mongodb/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ 
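Review bot: Consumers of the removed chart need to be migrated in this change or named in the commit message, because deleting `kubernetes/common/mongo/values.yaml` drops the defaults they connect against (`service.name: mongo`, `internalPort: 27017`, `config.dbName: mongo`). The deleted statefulset and values set no credentials (the only env entry is `MONGO_INITDB_DATABASE`), while the replacement chart's README lists `auth.enabled` as `true` by default. A chart that still targets the `mongo` service or connects without credentials will fail once this lands, so state which secret the consumers are expected to read (the new chart documents `auth.existingSecret` for that).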
diff --git a/kubernetes/common/mongodb/Chart.yaml b/kubernetes/common/mongodb/Chart.yaml new file mode 100644 index 0000000000..73c8bab5c2 --- /dev/null +++ b/kubernetes/common/mongodb/Chart.yaml @@ -0,0 +1,43 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +annotations: + category: Database + licenses: Apache-2.0 + images: | + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.2-debian-12-r1 + - name: mongodb + image: docker.io/bitnami/mongodb:7.0.5-debian-12-r4 + - name: mongodb-exporter + image: docker.io/bitnami/mongodb-exporter:0.40.0-debian-12-r11 + - name: nginx + image: docker.io/bitnami/nginx:1.25.4-debian-12-r1 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r15 +apiVersion: v2 +appVersion: 7.0.5 +dependencies: +- name: common + repository: 'file://./common' + #repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x +description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. +home: https://bitnami.com +icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png +keywords: +- mongodb +- database +- nosql +- cluster +- replicaset +- replication +maintainers: +- name: VMware, Inc. + url: https://github.com/bitnami/charts +name: mongodb +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/mongodb +version: 14.12.2 diff --git a/kubernetes/common/mongodb/README.md b/kubernetes/common/mongodb/README.md new file mode 100644 index 0000000000..065e047fdc --- /dev/null +++ b/kubernetes/common/mongodb/README.md 
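Review bot: The `common` dependency in Chart.yaml should be pinned to an exact version and its origin recorded. It now resolves from `repository: 'file://./common'` with the upstream `oci://registry-1.docker.io/bitnamicharts` line left commented out, and the constraint is still `version: 2.x.x`, which with a local path only validates whatever copy sits in that directory. Please also confirm that `./common` is the Bitnami library and not OOM's own chart of the same name, since the deleted templates used helpers such as `common.fullname` and `common.release`. Separately, `appVersion: 7.0.5` replaces the `library/mongo:4.4.10` image from the deleted values.yaml; MongoDB upgrades go one major release at a time, so deployments that enabled persistence need a documented path for existing 4.4 data.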
@@ -0,0 +1,1120 @@ + + +# MongoDB(R) packaged by Bitnami + +MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. + +[Overview of MongoDB®](http://www.mongodb.org) + +Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB(R) is run and maintained by MongoDB, which is a completely separate project from Bitnami. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb +``` + +Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + +## Introduction + +This chart bootstraps a [MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The command deploys MongoDB(®) on the Kubernetes cluster in the default configuration. 
The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Architecture + +This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use: + +```console +architecture="standalone" +architecture="replicaset" +``` + +### Standalone architecture + +The *standalone* architecture installs a deployment (or StatefulSet) with one MongoDB® server (it cannot be scaled): + +```text + ---------------- + | MongoDB® | + | svc | + ---------------- + | + v + ------------ + |MongoDB®| + | Server | + | Pod | + ----------- +``` + +### Replicaset architecture + +The chart also supports the *replicaset* architecture with and without a MongoDB(®) Arbiter: + +When the MongoDB(®) Arbiter is enabled, the chart installs two StatefulSets: A StatefulSet with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes), and a StatefulSet with one MongoDB(®) arbiter node (it cannot be scaled). 
+ +```text + ---------------- ---------------- ---------------- ------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | Arbiter | + | external svc | | external svc | | external svc | | svc | + ---------------- ---------------- ---------------- ------------- + | | | | + v v v v + ---------------- ---------------- ---------------- -------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | MongoDB® | + | Server | | Server | | Server | | Arbiter | + | Pod | | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- -------------- + primary secondary secondary +``` + +The PSA model is useful when the third Availability Zone cannot hold a full MongoDB(®) instance. The MongoDB(®) Arbiter as decision maker is lightweight and can run alongside other workloads. + +> NOTE: An update takes your MongoDB(®) replicaset offline if the Arbiter is enabled and the number of MongoDB(®) replicas is two. Helm applies updates to the StatefulSets for the MongoDB(®) instance and the Arbiter at the same time so you lose two out of three quorum votes. + +Without the Arbiter, the chart deploys a single statefulset with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes). + +```text + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | external svc | | external svc | | external svc | + ---------------- ---------------- ---------------- + | | | + v v v + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | Server | | Server | | Server | + | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- + primary secondary secondary +``` + +There are no services load balancing requests between MongoDB(®) nodes; instead, each node has an associated service to access them individually. 
+ +> NOTE: Although the first replica is initially assigned the primary role, any of the secondary nodes can become the primary if it is down, or during upgrades. Do not make any assumption about what replica has the primary role. Instead, configure your MongoDB(®) client with the list of MongoDB(®) hostnames so it can dynamically choose the node to send requests. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | + +### Common parameters + +| Name | Description | Value | +| ------------------------- | --------------------------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override mongodb.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override mongodb.fullname template | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `commonLabels` | Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template | `{}` | +| `commonAnnotations` | Common annotations to add to all Mongo resources (sub-charts are not considered). 
Evaluated as a template | `{}` | +| `topologyKey` | Override common lib default topology key. If empty - "kubernetes.io/hostname" is used | `""` | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + +### MongoDB(®) parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------- | +| `image.registry` | MongoDB(®) image registry | `REGISTRY_NAME` | +| `image.repository` | MongoDB(®) image registry | `REPOSITORY_NAME/mongodb` | +| `image.digest` | MongoDB(®) image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MongoDB(®) image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Set to true if you would like to see extra information on logs | `false` | +| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) | `standalone` | +| `useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) | `false` | +| `auth.enabled` | Enable authentication | `true` | +| `auth.rootUser` | MongoDB(®) root user | `root` | +| `auth.rootPassword` | MongoDB(®) root password | `""` | +| `auth.usernames` | List of custom users to be created during the initialization | `[]` | +| `auth.passwords` | List of passwords for the custom users set at `auth.usernames` | `[]` | +| `auth.databases` | List of custom databases to be created during the initialization | `[]` | +| `auth.username` | DEPRECATED: use `auth.usernames` instead | `""` | +| `auth.password` | DEPRECATED: use `auth.passwords` instead | `""` | +| `auth.database` | DEPRECATED: use `auth.databases` instead | `""` | +| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` | +| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) | `""` | +| `tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes | `false` | +| `tls.mTLS.enabled` | IF TLS support is enabled, require clients to provide certificates | `true` | +| `tls.autoGenerated` | Generate a custom CA and self-signed certificates | `true` | +| `tls.existingSecret` | Existing secret with TLS certificates (keys: 
`mongodb-ca-cert`, `mongodb-ca-key`) | `""` | +| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` | +| `tls.caKey` | CA certificate private key (base64 encoded) | `""` | +| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | +| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.image.registry` | Init container TLS certs setup image registry | `REGISTRY_NAME` | +| `tls.image.repository` | Init container TLS certs setup image repository | `REPOSITORY_NAME/nginx` | +| `tls.image.digest` | Init container TLS certs setup image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `tls.image.pullPolicy` | Init container TLS certs setup image pull policy | `IfNotPresent` | +| `tls.image.pullSecrets` | Init container TLS certs specify docker-registry secret names as an array | `[]` | +| `tls.extraDnsNames` | Add extra dns names to the CA, can solve x509 auth issue for pod clients | `[]` | +| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` | +| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `none` | +| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `tls.securityContext` | Init container generate-tls-cert Security context | `{}` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Add deployment host aliases | `[]` | +| `replicaSetName` | Name of the replica set (only when `architecture=replicaset`) | `rs0` | +| `replicaSetHostnames` | Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) | `true` | +| `enableIPv6` | Switch to enable/disable IPv6 on MongoDB(®) | `false` | +| `directoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB(®) | `false` | +| `systemLogVerbosity` | MongoDB(®) system log verbosity level | `0` | +| `disableSystemLog` | Switch to enable/disable MongoDB(®) system log | `false` | +| `disableJavascript` | Switch to enable/disable MongoDB(®) server-side JavaScript execution | `false` | +| `enableJournal` | Switch to enable/disable MongoDB(®) Journaling | `true` | +| `configuration` | MongoDB(®) configuration file to be used for Primary and Secondary nodes | `""` | + +### 
replicaSetConfigurationSettings settings applied during runtime (not via configuration file) + +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------- | +| `replicaSetConfigurationSettings.enabled` | Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings | `false` | +| `replicaSetConfigurationSettings.configuration` | run-time rs.conf settings | `{}` | +| `existingConfigmap` | Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes | `""` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | Existing ConfigMap with custom initdb scripts | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraFlags` | MongoDB(®) additional command line flags | `[]` | +| `extraEnvVars` | Extra environment variables to add to MongoDB(®) pods | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | + +### MongoDB(®) statefulset parameters + +| Name | Description | Value | +| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `annotations` | Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` | +| `labels` | Annotations to be added to the MongoDB(®) statefulset. 
Evaluated as a template | `{}` | +| `replicaCount` | Number of MongoDB(®) nodes | `2` | +| `updateStrategy.type` | Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, | `RollingUpdate` | +| `podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `podAffinityPreset` | MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | MongoDB(®) Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | MongoDB(®) Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | MongoDB(®) Affinity for pod assignment | `{}` | +| `nodeSelector` | MongoDB(®) Node labels for pod assignment | `{}` | +| `tolerations` | MongoDB(®) Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | MongoDB(®) Spread Constraints for Pods | `[]` | +| `lifecycleHooks` | LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup | `{}` | +| `terminationGracePeriodSeconds` | MongoDB(®) Termination Grace Period | `""` | +| `podLabels` | MongoDB(®) pod labels | `{}` | +| `podAnnotations` | MongoDB(®) Pod annotations | `{}` | +| `priorityClassName` | Name of the existing priority class to be used by MongoDB(®) pod(s) | `""` | +| `runtimeClassName` | Name of the runtime class to be used by MongoDB(®) pod(s) | `""` | +| `podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups 
| `[]` | +| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(®) pod(s)' | `[]` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `none` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `containerPorts.mongodb` | MongoDB(®) container port | `27017` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `20` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `10` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` | +| `customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `initContainers` | Add additional init containers for the hidden node pod(s) | `[]` 
| +| `sidecars` | Add additional sidecar containers for the MongoDB(®) pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) | `[]` | +| `extraVolumes` | Optionally specify extra list of additional volumes to the MongoDB(®) statefulset | `[]` | +| `pdb.create` | Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) | `false` | +| `pdb.minAvailable` | Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction | `1` | +| `pdb.maxUnavailable` | Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction | `""` | + +### Traffic exposure parameters + +| Name | Description | Value | +| ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `service.nameOverride` | MongoDB(®) service name | `""` | +| `service.type` | Kubernetes Service type (only for standalone architecture) | `ClusterIP` | +| `service.portName` | MongoDB(®) service port name (only for standalone architecture) | `mongodb` | +| `service.ports.mongodb` | MongoDB(®) service port. 
| `27017` | +| `service.nodePorts.mongodb` | Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) | `""` | +| `service.clusterIP` | MongoDB(®) service cluster IP (only for standalone architecture) | `""` | +| `service.externalIPs` | Specify the externalIP value ClusterIP service type (only for standalone architecture) | `[]` | +| `service.loadBalancerIP` | loadBalancerIP for MongoDB(®) Service (only for standalone architecture) | `""` | +| `service.loadBalancerClass` | loadBalancerClass for MongoDB(®) Service (only for standalone architecture) | `""` | +| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) | `[]` | +| `service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `service.annotations` | Provide any additional annotations that may be required | `{}` | +| `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service. 
| `{}` | +| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` | +| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` | +| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` | +| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `REPOSITORY_NAME/kubectl` | +| `externalAccess.autoDiscovery.image.digest` | Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | +| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | +| `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `none` | +| `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` | +| `externalAccess.externalMaster.port` | Port for MongoDB(®) service external master host | `27017` | +| `externalAccess.service.type` | Kubernetes Service type for external access. 
Allowed values: NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort | `[]` | +| `externalAccess.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` | +| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. 
Allowed values: NodePort or LoadBalancer | `LoadBalancer` | +| `externalAccess.hidden.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.hidden.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.hidden.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.hidden.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.hidden.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.hidden.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.hidden.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.hidden.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. 
Length must be the same as replicaCount | `[]` | +| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | + +### Network policy parameters + +| Name | Description | Value | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `persistence.enabled` | Enable MongoDB(®) data persistence using PVC | `true` | +| `persistence.name` | Name of the PVC and mounted volume | `datadir` | +| `persistence.medium` | Provide a medium for `emptyDir` volumes. 
| `""` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `persistence.storageClass` | PVC Storage Class for MongoDB(®) data volume | `""` | +| `persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `persistence.size` | PVC Storage Request for MongoDB(®) data volume | `8Gi` | +| `persistence.annotations` | PVC annotations | `{}` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | +| `persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `persistence.volumeClaimTemplates.dataSource` | Add dataSource to the VolumeClaimTemplate | `{}` | +| `persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for MongoDB(®) Statefulset | `false` | +| `persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | + +### Backup parameters + +| Name | Description | Value | +| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| 
`backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.command` | Set backup container's command to run | `[]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | 
`{}` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/mongodb` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | + +### RBAC parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB(®) pods | `true` | +| `serviceAccount.name` | Name of the created serviceAccount | `""` | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | +| `rbac.create` | Whether to create & use RBAC resources or not | `false` | +| `rbac.rules` | Custom rules to create following the role specification | `[]` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. 
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.allowPrivilegeEscalation` | Enable privilege escalation | `false` | +| `podSecurityPolicy.privileged` | Allow privileged | `false` | +| `podSecurityPolicy.spec` | Specify the full spec to use for Pod Security Policy | `{}` | + +### Volume Permissions parameters + +| Name | Description | Value | +| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `none` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` | + +### Arbiter parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `arbiter.enabled` | Enable deploying the arbiter | `true` | +| `arbiter.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `arbiter.hostAliases` | Add deployment host aliases | `[]` | +| `arbiter.configuration` | Arbiter configuration file to be used | `""` | +| `arbiter.existingConfigmap` | Name of existing ConfigMap with Arbiter configuration | `""` | +| `arbiter.command` | Override default container command (useful when using custom images) | `[]` | +| `arbiter.args` | Override default container args (useful when using custom images) | `[]` | +| `arbiter.extraFlags` | Arbiter additional command line flags | `[]` | +| `arbiter.extraEnvVars` | Extra environment variables to add to Arbiter pods | `[]` | +| `arbiter.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `arbiter.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `arbiter.annotations` | Additional labels to be added to the Arbiter statefulset | `{}` | +| `arbiter.labels` | Annotations to be added to the Arbiter statefulset | `{}` | +| `arbiter.topologySpreadConstraints` | MongoDB(®) Spread Constraints for arbiter Pods | `[]` | +| `arbiter.lifecycleHooks` | 
LifecycleHook for the Arbiter container to automate configuration before or after startup | `{}` | +| `arbiter.terminationGracePeriodSeconds` | Arbiter Termination Grace Period | `""` | +| `arbiter.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` | +| `arbiter.podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `arbiter.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `arbiter.podAffinityPreset` | Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.podAntiAffinityPreset` | Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `arbiter.nodeAffinityPreset.type` | Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.nodeAffinityPreset.key` | Arbiter Node label key to match Ignored if `affinity` is set. | `""` | +| `arbiter.nodeAffinityPreset.values` | Arbiter Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `arbiter.affinity` | Arbiter Affinity for pod assignment | `{}` | +| `arbiter.nodeSelector` | Arbiter Node labels for pod assignment | `{}` | +| `arbiter.tolerations` | Arbiter Tolerations for pod assignment | `[]` | +| `arbiter.podLabels` | Arbiter pod labels | `{}` | +| `arbiter.podAnnotations` | Arbiter Pod annotations | `{}` | +| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` | +| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` | +| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` | +| `arbiter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `arbiter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` | +| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` | +| `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `arbiter.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `arbiter.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped 
| `["ALL"]` | +| `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `none` | +| `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `arbiter.containerPorts.mongodb` | MongoDB(®) arbiter container port | `27017` | +| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | +| `arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `arbiter.startupProbe.enabled` | Enable startupProbe | `false` | +| `arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `arbiter.startupProbe.timeoutSeconds` | Timeout seconds for 
startupProbe | `5` | +| `arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `arbiter.customLivenessProbe` | Override default liveness probe for Arbiter containers | `{}` | +| `arbiter.customReadinessProbe` | Override default readiness probe for Arbiter containers | `{}` | +| `arbiter.customStartupProbe` | Override default startup probe for Arbiter containers | `{}` | +| `arbiter.initContainers` | Add additional init containers for the Arbiter pod(s) | `[]` | +| `arbiter.sidecars` | Add additional sidecar containers for the Arbiter pod(s) | `[]` | +| `arbiter.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Arbiter container(s) | `[]` | +| `arbiter.extraVolumes` | Optionally specify extra list of additional volumes to the Arbiter statefulset | `[]` | +| `arbiter.pdb.create` | Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) | `false` | +| `arbiter.pdb.minAvailable` | Minimum number/percentage of Arbiter pods that should remain scheduled | `1` | +| `arbiter.pdb.maxUnavailable` | Maximum number/percentage of Arbiter pods that may be made unavailable | `""` | +| `arbiter.service.nameOverride` | The arbiter service name | `""` | +| `arbiter.service.ports.mongodb` | MongoDB(®) service port | `27017` | +| `arbiter.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `arbiter.service.annotations` | Provide any additional annotations that may be required | `{}` | +| `arbiter.service.headless.annotations` | Annotations for the headless service. 
| `{}` | + +### Hidden Node parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | +| `hidden.enabled` | Enable deploying the hidden nodes | `false` | +| `hidden.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hidden.hostAliases` | Add deployment host aliases | `[]` | +| `hidden.configuration` | Hidden node configuration file to be used | `""` | +| `hidden.existingConfigmap` | Name of existing ConfigMap with Hidden node configuration | `""` | +| `hidden.command` | Override default container command (useful when using custom images) | `[]` | +| `hidden.args` | Override default container args (useful when using custom images) | `[]` | +| `hidden.extraFlags` | Hidden node additional command line flags | `[]` | +| `hidden.extraEnvVars` | Extra environment variables to add to Hidden node pods | `[]` | +| `hidden.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `hidden.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `hidden.annotations` | Additional labels to be added to thehidden node statefulset | `{}` | +| `hidden.labels` | Annotations to be added to the hidden node statefulset | `{}` | +| `hidden.topologySpreadConstraints` | MongoDB(®) Spread Constraints for hidden Pods | `[]` | +| `hidden.lifecycleHooks` | LifecycleHook for the Hidden container to automate configuration before or after startup | `{}` | +| `hidden.replicaCount` | Number of hidden nodes (only when `architecture=replicaset`) | `1` | +| `hidden.terminationGracePeriodSeconds` | Hidden Termination Grace Period | `""` | +| `hidden.updateStrategy.type` | Strategy that will be employed to 
update Pods in the StatefulSet | `RollingUpdate` | +| `hidden.podManagementPolicy` | Pod management policy for hidden node | `OrderedReady` | +| `hidden.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `hidden.podAffinityPreset` | Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.podAntiAffinityPreset` | Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `hidden.nodeAffinityPreset.type` | Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.nodeAffinityPreset.key` | Hidden Node label key to match Ignored if `affinity` is set. | `""` | +| `hidden.nodeAffinityPreset.values` | Hidden Node label values to match. Ignored if `affinity` is set. | `[]` | +| `hidden.affinity` | Hidden node Affinity for pod assignment | `{}` | +| `hidden.nodeSelector` | Hidden node Node labels for pod assignment | `{}` | +| `hidden.tolerations` | Hidden node Tolerations for pod assignment | `[]` | +| `hidden.podLabels` | Hidden node pod labels | `{}` | +| `hidden.podAnnotations` | Hidden node Pod annotations | `{}` | +| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` | +| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` | +| `hidden.podSecurityContext.enabled` | Enable Hidden pod(s)' Security Context | `true` | +| `hidden.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `hidden.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `hidden.podSecurityContext.fsGroup` | Group ID for the volumes of the Hidden pod(s) | `1001` | +| `hidden.podSecurityContext.sysctls` | sysctl settings of the Hidden pod(s)' | `[]` | +| `hidden.containerSecurityContext.enabled` | Enabled containers' Security Context 
| `true` | +| `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `hidden.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `hidden.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `hidden.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `hidden.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). 
| `none` | +| `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `hidden.containerPorts.mongodb` | MongoDB(®) hidden container port | `27017` | +| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `hidden.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `hidden.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `hidden.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `hidden.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `hidden.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `hidden.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `hidden.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | +| `hidden.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `hidden.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `hidden.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `hidden.startupProbe.enabled` | Enable startupProbe | `false` | +| `hidden.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `hidden.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `hidden.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `hidden.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `hidden.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `hidden.customLivenessProbe` | Override default liveness probe for hidden node containers | `{}` | +| `hidden.customReadinessProbe` | Override default readiness probe for hidden node containers | `{}` | +| 
`hidden.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `hidden.initContainers` | Add init containers to the MongoDB(®) Hidden pods. | `[]` | +| `hidden.sidecars` | Add additional sidecar containers for the hidden node pod(s) | `[]` | +| `hidden.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the hidden node container(s) | `[]` | +| `hidden.extraVolumes` | Optionally specify extra list of additional volumes to the hidden node statefulset | `[]` | +| `hidden.pdb.create` | Enable/disable a Pod Disruption Budget creation for hidden node pod(s) | `false` | +| `hidden.pdb.minAvailable` | Minimum number/percentage of hidden node pods that should remain scheduled | `1` | +| `hidden.pdb.maxUnavailable` | Maximum number/percentage of hidden node pods that may be made unavailable | `""` | +| `hidden.persistence.enabled` | Enable hidden node data persistence using PVC | `true` | +| `hidden.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `hidden.persistence.storageClass` | PVC Storage Class for hidden node data volume | `""` | +| `hidden.persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `hidden.persistence.size` | PVC Storage Request for hidden node data volume | `8Gi` | +| `hidden.persistence.annotations` | PVC annotations | `{}` | +| `hidden.persistence.mountPath` | The path the volume will be mounted at, useful when using different MongoDB(®) images. | `/bitnami/mongodb` | +| `hidden.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments | `""` | +| `hidden.persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | +| `hidden.persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `hidden.persistence.volumeClaimTemplates.dataSource` | Set volumeClaimTemplate dataSource | `{}` | +| `hidden.service.portName` | MongoDB(®) service port name | `mongodb` | +| `hidden.service.ports.mongodb` | MongoDB(®) service port | `27017` | +| `hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `hidden.service.annotations` | Provide any additional annotations that may be required | `{}` | +| `hidden.service.headless.annotations` | Annotations for the headless service. | `{}` | + +### Metrics parameters + +| Name | Description | Value | +| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | +| `metrics.enabled` | Enable using a sidecar Prometheus exporter | `false` | +| `metrics.image.registry` | MongoDB(®) Prometheus exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | MongoDB(®) Prometheus exporter image repository | `REPOSITORY_NAME/mongodb-exporter` | +| `metrics.image.digest` | MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.username` | String with username for the metrics exporter | `""` | +| `metrics.password` | String with password for the metrics exporter | `""` | +| `metrics.compatibleMode` | Enables old style mongodb-exporter metrics | `true` | +| `metrics.collector.all` | Enable all collectors. 
Same as enabling all individual metrics | `false` | +| `metrics.collector.diagnosticdata` | Boolean Enable collecting metrics from getDiagnosticData | `true` | +| `metrics.collector.replicasetstatus` | Boolean Enable collecting metrics from replSetGetStatus | `true` | +| `metrics.collector.dbstats` | Boolean Enable collecting metrics from dbStats | `false` | +| `metrics.collector.topmetrics` | Boolean Enable collecting metrics from top admin command | `false` | +| `metrics.collector.indexstats` | Boolean Enable collecting metrics from $indexStats | `false` | +| `metrics.collector.collstats` | Boolean Enable collecting metrics from $collStats | `false` | +| `metrics.collector.collstatsColls` | List of \.\ to get $collStats | `[]` | +| `metrics.collector.indexstatsColls` | List - List of \.\ to get $indexStats | `[]` | +| `metrics.collector.collstatsLimit` | Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit | `0` | +| `metrics.extraFlags` | String with extra flags to the metrics exporter | `""` | +| `metrics.command` | Override default container command (useful when using custom images) | `[]` | +| `metrics.args` | Override default container args (useful when using custom images) | `[]` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` | +| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. 
| `{}` | +| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` | +| `metrics.service.ports.metrics` | Port of the Prometheus metrics service | `9216` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `metrics.customReadinessProbe` | Override default 
readiness probe for MongoDB(®) containers | `{}` | +| `metrics.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the metrics container(s) | `[]` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricsRelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | Namespace where prometheusRules resource should be created | `""` | +| `metrics.prometheusRule.rules` | Rules to be created, check values for an example | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example, + +```console +helm install my-release \ + --set auth.rootPassword=secretpassword,auth.username=my-user,auth.password=my-password,auth.database=my-database \ + oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the MongoDB(®) `root` account password to `secretpassword`. Additionally, it creates a standard database user named `my-user`, with the password `my-password`, who has access to a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mongodb/values.yaml) + +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). 
Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customize a new MongoDB instance + +The [Bitnami MongoDB(®) image](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) supports the use of custom scripts to initialize a fresh instance. In order to execute the scripts, two options are available: + +- Specify them using the `initdbScripts` parameter as dict. +- Define an external Kubernetes ConfigMap with all the initialization scripts by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. + +The allowed script extensions are `.sh` and `.js`. + +### Replicaset: Access MongoDB(®) nodes from outside the cluster + +In order to access MongoDB(®) nodes from outside the cluster when using a replicaset architecture, a specific service per MongoDB(®) pod will be created. 
There are two ways of configuring external access: + +- Using LoadBalancer services +- Using NodePort services. + +#### Use LoadBalancer services + +Two alternatives are available to use *LoadBalancer* services: + +- Use random load balancer IP addresses using an *initContainer* that waits for the IP addresses to be ready and discovers them automatically. An example deployment configuration is shown below: + + ```text + architecture=replicaset + replicaCount=2 + externalAccess.enabled=true + externalAccess.service.type=LoadBalancer + externalAccess.service.port=27017 + externalAccess.autoDiscovery.enabled=true + serviceAccount.create=true + rbac.create=true + ``` + + > NOTE: This option requires creating RBAC rules on clusters where RBAC policies are enabled. + +- Manually specify the load balancer IP addresses. An example deployment configuration is shown below, with the placeholder EXTERNAL-IP-ADDRESS-X used in place of the load balancer IP addresses: + + ```text + architecture=replicaset + replicaCount=2 + externalAccess.enabled=true + externalAccess.service.type=LoadBalancer + externalAccess.service.port=27017 + externalAccess.service.loadBalancerIPs[0]='EXTERNAL-IP-ADDRESS-1' + externalAccess.service.loadBalancerIPs[1]='EXTERNAL-IP-ADDRESS-2' + ``` + + > NOTE: This option requires knowing the load balancer IP addresses, so that each MongoDB® node's advertised hostname is configured with it. + +#### Use NodePort services + +Manually specify the node ports to use. An example deployment configuration is shown below, with the placeholder NODE-PORT-X used in place of the node ports: + +```text +architecture=replicaset +replicaCount=2 +externalAccess.enabled=true +externalAccess.service.type=NodePort +externalAccess.service.nodePorts[0]='NODE-PORT-1' +externalAccess.service.nodePorts[1]='NODE-PORT-2' +``` + +> NOTE: This option requires knowing the node ports that will be exposed, so each MongoDB® node's advertised hostname is configured with it. 
+ +The pod will try to get the external IP address of the node using the command `curl -s https://ipinfo.io/IP-ADDRESS` unless the `externalAccess.service.domain` parameter is set. + +### Bootstrapping with an External Cluster + +This chart is equipped with the ability to bring online a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. This effectively creates a hybrid MongoDB(®) Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single MongoDB(®) Deployment. This is helpful in situations where one may be migrating MongoDB(®) from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: + +```yaml +externalAccess: + externalMaster: + enabled: true + host: external-mongodb-0.internal +``` + +:warning: To bootstrap MongoDB(®) with an external master that lies outside of Kubernetes, be sure to set up external access using any of the suggested methods in this chart to have connectivity between the MongoDB(®) members. :warning: + +### Add extra environment variables + +To add extra environment variables (useful for advanced operations like custom init scripts), use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties. + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. 
+ +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Persistence + +The [Bitnami MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). 
+ +### Backup and restore MongoDB(R) deployments + +Two different approaches are available to back up and restore Bitnami MongoDB® Helm chart deployments on Kubernetes: + +- Back up the data from the source deployment and restore it in a new deployment using MongoDB® built-in backup/restore tools. +- Back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool. + +#### Method 1: Backup and restore data using MongoDB® built-in tools + +This method involves the following steps: + +- Use the *mongodump* tool to create a snapshot of the data in the source cluster. +- Create a new MongoDB® Cluster deployment and forward the MongoDB® Cluster service port for the new deployment. +- Restore the data using the *mongorestore* tool to import the backup to the new cluster. + +> NOTE: Under this approach, it is important to create the new deployment on the destination cluster using the same credentials as the original deployment on the source cluster. + +#### Method 2: Back up and restore persistent data volumes + +This method involves copying the persistent data volumes for the MongoDB® nodes and reusing them in a new deployment with [Velero](https://velero.io/), an open source Kubernetes backup/restore tool. This method is only suitable when: + +- The Kubernetes provider is [supported by Velero](https://velero.io/docs/latest/supported-providers/). +- Both clusters are on the same Kubernetes provider, as this is a requirement of [Velero's native support for migrating persistent volumes](https://velero.io/docs/latest/migration-case/). +- The restored deployment on the destination cluster will have the same name, namespace, topology and credentials as the original deployment on the source cluster. + +This method involves the following steps: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. 
+- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring MongoDB® chart deployments on Kubernetes](https://docs.bitnami.com/tutorials/backup-restore-data-mongodb-kubernetes/), which covers both these approaches, for more information. + +### Use custom Prometheus rules + +Custom Prometheus rules can be defined for the Prometheus Operator by using the `prometheusRule` parameter. A basic configuration example is shown below: + +```text + metrics: + enabled: true + prometheusRule: + enabled: true + rules: + - name: rule1 + rules: + - alert: HighRequestLatency + expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + for: 10m + labels: + severity: page + annotations: + summary: High request latency +``` + +### Enable SSL/TLS + +This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`. + +#### Generate the self-signed certificates via pre-install Helm hooks + +The `secrets-ca.yaml` file utilizes the Helm "pre-install" hook to ensure that the certificates will only be generated on chart install. + +The `genCA()` function will create a new self-signed x509 certificate authority. The `genSignedCert()` function creates an object with the certificate and key, which are base64-encoded and used in a YAML-like object. The `genSignedCert()` function is passed the CN, an empty IP list (the nil part), the validity and the CA created previously. 
+ +A Kubernetes Secret is used to hold the signed certificate created above, and the `initContainer` sets up the rest. Using Helm's hook annotations ensures that the certificates will only be generated on chart install. This will prevent overriding the certificates if the chart is upgraded. + +#### Use your own CA + +To use your own CA, set `tls.caCert` and `tls.caKey` with appropriate base64 encoded data. The `secrets-ca.yaml` file will utilize this data to create the Secret. + +> NOTE: Currently, only RSA private keys are supported. + +#### Access the cluster + +To access the cluster, enable the init container which generates the MongoDB(®) server/client PEM key needed to access the cluster. Please be sure to include the `$my_hostname` section with your actual hostname, and the alternative hostnames section should contain the hostnames that should be allowed access to the MongoDB(®) replicaset. Additionally, if external access is enabled, the load balancer IP addresses are added to the alternative names list. + +> NOTE: You will be generating self-signed certificates for the MongoDB(®) deployment. The init container generates a new MongoDB(®) private key which will be used to create a Certificate Authority (CA) and the public certificate for the CA. The Certificate Signing Request will be created as well and signed using the private key of the CA previously created. Finally, the PEM bundle will be created using the private key and public certificate. This process will be repeated for each node in the cluster. + +#### Start the cluster + +After the certificates have been generated and made available to the containers at the correct mount points, the MongoDB(®) server will be started with TLS enabled. The options for the TLS mode will be one of `disabled`, `allowTLS`, `preferTLS`, or `requireTLS`. This value can be changed via the `MONGODB_EXTRA_FLAGS` field using the `tlsMode` parameter. 
The client should now be able to connect to the TLS-enabled cluster with the provided certificates. + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart: + +```console +helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[REPLICASETKEY]) +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> Note: you need to substitute the placeholders [PASSWORD] and [REPLICASETKEY] with the values obtained in the installation notes. 
+ +### To 12.0.0 + +This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +Affected values: + +- `strategyType` is replaced by `updateStrategy` +- `service.port` is renamed to `service.ports.mongodb` +- `service.nodePort` is renamed to `service.nodePorts.mongodb` +- `externalAccess.service.port` is renamed to `externalAccess.hidden.service.ports.mongodb` +- `rbac.role.rules` is renamed to `rbac.rules` +- `externalAccess.hidden.service.port` is renamed ot `externalAccess.hidden.service.ports.mongodb` +- `hidden.strategyType` is replaced by `hidden.updateStrategy` +- `metrics.serviceMonitor.relabellings` is renamed to `metrics.serviceMonitor.relabelings`(typo fixed) +- `metrics.serviceMonitor.additionalLabels` is renamed to `metrics.serviceMonitor.labels` + +Additionally also updates the MongoDB image dependency to it newest major, 5.0 + +### To 11.0.0 + +In this version, the mongodb-exporter bundled as part of this Helm chart was updated to a new version which, even it is not a major change, can contain breaking changes (from `0.11.X` to `0.30.X`). +Please visit the release notes from the upstream project at + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +### To 9.0.0 + +MongoDB(®) container images were updated to `4.4.x` and it can affect compatibility with older versions of MongoDB(®). 
Refer to the following guides to upgrade your applications: + +- [Standalone](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-standalone/) +- [Replica Set](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-replica-set/) + +### To 8.0.0 + +- Architecture used to configure MongoDB(®) as a replicaset was completely refactored. Now, both primary and secondary nodes are part of the same statefulset. +- Chart labels were adapted to follow the Helm charts best practices. +- This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. +- Several parameters were renamed or disappeared in favor of new ones on this major version. These are the most important ones: + - `replicas` is renamed to `replicaCount`. + - Authentication parameters are reorganized under the `auth.*` parameter: + - `usePassword` is renamed to `auth.enabled`. + - `mongodbRootPassword`, `mongodbUsername`, `mongodbPassword`, `mongodbDatabase`, and `replicaSet.key` are now `auth.rootPassword`, `auth.username`, `auth.password`, `auth.database`, and `auth.replicaSetKey` respectively. + - `securityContext.*` is deprecated in favor of `podSecurityContext` and `containerSecurityContext`. + - Parameters prefixed with `mongodb` are renamed removing the prefix. E.g. `mongodbEnableIPv6` is renamed to `enableIPv6`. + - Parameters affecting Arbiter nodes are reorganized under the `arbiter.*` parameter. + +Consequences: + +- Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MongoDB(®) chart, and migrate your data by creating a backup of the database, and restoring it on the new release. 
+ +### To 7.0.0 + +From this version, the way of setting the ingress rules has changed. Instead of using `ingress.paths` and `ingress.hosts` as separate objects, you should now define the rules as objects inside the `ingress.hosts` value, for example: + +```yaml +ingress: + hosts: + - name: mongodb.local + path: / +``` + +### To 6.0.0 + +From this version, `mongodbEnableIPv6` is set to `false` by default in order to work properly in most k8s clusters, if you want to use IPv6 support, you need to set this variable to `true` by adding `--set mongodbEnableIPv6=true` to your `helm` command. +You can find more information in the [`bitnami/mongodb` image README](https://github.com/bitnami/containers/tree/main/bitnami/mongodb#readme). + +### To 5.0.0 + +When enabling replicaset configuration, backwards compatibility is not guaranteed unless you modify the labels used on the chart's statefulsets. +Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is `my-release`: + +```console +kubectl delete statefulset my-release-mongodb-arbiter my-release-mongodb-primary my-release-mongodb-secondary --cascade=false +``` + +### Add extra deployment options + +To add extra deployments (useful for advanced features like sidecars), use the `extraDeploy` property. 
+ +In the example below, you can find how to use a example here for a [MongoDB replica set pod labeler sidecar](https://github.com/combor/k8s-mongo-labeler-sidecar) to identify the primary pod and dynamically label it as the primary node: + +```yaml +extraDeploy: + - apiVersion: v1 + kind: Service + metadata: + name: mongodb-primary + namespace: default + labels: + app.kubernetes.io/component: mongodb + app.kubernetes.io/instance: mongodb + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mongodb + spec: + type: NodePort + externalTrafficPolicy: Cluster + ports: + - name: mongodb-primary + port: 30001 + nodePort: 30001 + protocol: TCP + targetPort: mongodb + selector: + app.kubernetes.io/component: mongodb + app.kubernetes.io/instance: mongodb + app.kubernetes.io/name: mongodb + primary: "true" +``` + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/kubernetes/common/mongodb/common/.helmignore b/kubernetes/common/mongodb/common/.helmignore new file mode 100644 index 0000000000..7c7c21d659 --- /dev/null +++ b/kubernetes/common/mongodb/common/.helmignore 
@@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# img folder +img/ diff --git a/kubernetes/common/mongodb/common/Chart.yaml b/kubernetes/common/mongodb/common/Chart.yaml new file mode 100644 index 0000000000..5a844bc7aa --- /dev/null +++ b/kubernetes/common/mongodb/common/Chart.yaml @@ -0,0 +1,26 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +annotations: + category: Infrastructure + licenses: Apache-2.0 +apiVersion: v2 +# Please make sure that version and appVersion are always the same. +appVersion: 2.16.1 +description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. +home: https://bitnami.com +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: + - common + - helper + - template + - function + - bitnami +maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts +name: common +sources: + - https://github.com/bitnami/charts +type: library +version: 2.17.0 diff --git a/kubernetes/common/mongodb/common/README.md b/kubernetes/common/mongodb/common/README.md new file mode 100644 index 0000000000..0d01a1e064 --- /dev/null +++ b/kubernetes/common/mongodb/common/README.md 
@@ -0,0 +1,235 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts +``` + +```console +helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Parameters + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). 
+ +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... 
+ env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? 
+ +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/common/mongodb/common/templates/_affinities.tpl b/kubernetes/common/mongodb/common/templates/_affinities.tpl new file mode 100644 index 0000000000..e85b1df454 --- /dev/null 
+++ b/kubernetes/common/mongodb/common/templates/_affinities.tpl 
@@ -0,0 +1,139 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} +{{- end -}} + +{{/* +Return a hard 
podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} 
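Review bot: the usage comment above the last define in _affinities.tpl, common.affinities.pods, is copied from the nodes helper and passes "key" and "values", which common.affinities.pods.soft and common.affinities.pods.hard never read. They read component, customLabels, extraMatchLabels, topologyKey, extraPodAffinityTerms and context, and pass .context on to common.labels.matchLabels, so a caller following the documented example supplies no release context for the label selector. Suggest replacing the example with the dict shown above pods.soft plus "type". Separately, common.affinities.nodes and common.affinities.pods both render nothing when type is neither "soft" nor "hard", so a typo in values silently drops the scheduling constraint; a final else branch that calls fail would surface it.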
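Review bot: in kubernetes/common/mongodb/common/Chart.yaml the comment says version and appVersion must always be the same, but the hunk sets appVersion: 2.16.1 and version: 2.17.0. If the file is a verbatim copy of an upstream release, name that release in the commit message so the mismatch can be traced; otherwise align the two values or drop the comment.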
diff --git a/kubernetes/common/mongodb/common/templates/_capabilities.tpl b/kubernetes/common/mongodb/common/templates/_capabilities.tpl new file mode 100644 index 0000000000..115674af87 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_capabilities.tpl 
@@ -0,0 +1,229 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- if semverCompare ">=1.23-0" (include "common.capabilities.kubeVersion" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. 
+*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_errors.tpl b/kubernetes/common/mongodb/common/templates/_errors.tpl new file mode 100644 index 0000000000..07ded6f64d --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_errors.tpl 
@@ -0,0 +1,28 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_images.tpl b/kubernetes/common/mongodb/common/templates/_images.tpl new file mode 100644 index 0000000000..1bcb779df5 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_images.tpl 
@@ -0,0 +1,117 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end }} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/kubernetes/common/mongodb/common/templates/_ingress.tpl b/kubernetes/common/mongodb/common/templates/_ingress.tpl new file mode 100644 index 0000000000..efa5b85c72 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_ingress.tpl 
@@ -0,0 +1,73 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_labels.tpl b/kubernetes/common/mongodb/common/templates/_labels.tpl new file mode 100644 index 0000000000..d90a6cdc0c --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_labels.tpl 
@@ -0,0 +1,46 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} +*/}} +{{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. +*/}} +{{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . 
"context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_names.tpl b/kubernetes/common/mongodb/common/templates/_names.tpl new file mode 100644 index 0000000000..a222924f14 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_names.tpl 
@@ -0,0 +1,71 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. 
+Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_resources.tpl b/kubernetes/common/mongodb/common/templates/_resources.tpl new file mode 100644 index 0000000000..5eb56caa39 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi") + ) + "xlarge" (dict + "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
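Review bot: In common.resources.preset, the fail branch builds its list of allowed values with `join "," (keys $presets)`, and `keys` on a dict returns them in no fixed order, so the error text can differ from one render to the next. Pipe the list through `sortAlpha` before joining. The comment block also gives the include line without the "Usage:" label the other helpers in this chart carry. Since the comment says the presets are "not meant to be used in production", it would help to state there that callers are expected to set an explicit resources block instead.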
diff --git a/kubernetes/common/mongodb/common/templates/_secrets.tpl b/kubernetes/common/mongodb/common/templates/_secrets.tpl new file mode 100644 index 0000000000..84dbe38036 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_secrets.tpl 
@@ -0,0 +1,182 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. 
+*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. 
Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower 
(randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} +{{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Reuses the value from an existing secret, otherwise sets its value to a default value. + +Usage: +{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - context - Context - Required - Parent context. + +*/}} +{{- define "common.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. 
+*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_storage.tpl b/kubernetes/common/mongodb/common/templates/_storage.tpl new file mode 100644 index 0000000000..16405a0f8b --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_storage.tpl @@ -0,0 +1,28 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_tplvalues.tpl b/kubernetes/common/mongodb/common/templates/_tplvalues.tpl new file mode 100644 index 0000000000..a8ed7637ef --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_tplvalues.tpl 
@@ -0,0 +1,38 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues.render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_utils.tpl b/kubernetes/common/mongodb/common/templates/_utils.tpl new file mode 100644 index 0000000000..1deefa1a26 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_utils.tpl 
@@ -0,0 +1,77 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . 
) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_warnings.tpl b/kubernetes/common/mongodb/common/templates/_warnings.tpl new file mode 100644 index 0000000000..0f763cd827 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_warnings.tpl 
@@ -0,0 +1,82 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers +{{- end }} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . 
-}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl b/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl new file mode 100644 index 0000000000..eda9aada56 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl 
@@ -0,0 +1,77 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. 
+ +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl b/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl new file mode 100644 index 0000000000..17d83a2fd4 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl 
@@ -0,0 +1,108 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" 
$valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. 
Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl b/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl new file mode 100644 index 0000000000..bbb445b861 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl 
@@ -0,0 +1,113 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase 
"context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. 
Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl b/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl new file mode 100644 index 0000000000..ca3953f868 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl 
@@ -0,0 +1,108 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret 
"field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. 
Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl b/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl new file mode 100644 index 0000000000..8c9aa570e2 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl 
@@ -0,0 +1,134 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. 
+ +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. 
Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_redis.tpl b/kubernetes/common/mongodb/common/templates/validations/_redis.tpl new file mode 100644 index 0000000000..fc0d208dd4 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_redis.tpl 
@@ -0,0 +1,81 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis® required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict 
"required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_validations.tpl b/kubernetes/common/mongodb/common/templates/validations/_validations.tpl new file mode 100644 index 0000000000..31ceda871f --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_validations.tpl 
@@ -0,0 +1,51 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. 
+*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/values.yaml b/kubernetes/common/mongodb/common/values.yaml new file mode 100644 index 0000000000..36b8aba71a --- /dev/null +++ b/kubernetes/common/mongodb/common/values.yaml @@ -0,0 +1,9 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## + +exampleValue: common-chart diff --git a/kubernetes/common/mongodb/templates/NOTES.txt b/kubernetes/common/mongodb/templates/NOTES.txt new file mode 100644 index 0000000000..89a693ea34 --- /dev/null +++ b/kubernetes/common/mongodb/templates/NOTES.txt 
@@ -0,0 +1,203 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + +{{- else }} + +{{- $replicaCount := int .Values.replicaCount }} +{{- $portNumber := int .Values.service.ports.mongodb }} +{{- $fullname := include "mongodb.fullname" . }} +{{- $releaseNamespace := include "mongodb.namespace" . 
}} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $mongoList := list }} +{{- range $e, $i := until $replicaCount }} +{{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} +{{- end }} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer") }} + +#################################################################################### +### ERROR: You enabled external access to MongoDB® nodes without specifying ### +### the array of load balancer IPs for MongoDB® nodes. ### +#################################################################################### + +This deployment will be incomplete until you configure the array of load balancer +IPs for MongoDB® nodes. To complete your deployment follow the steps below: + +1. Wait for the load balancer IPs (it may take a few minutes for them to be available): + + kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb" -w + +2. Obtain the load balancer IPs and upgrade your chart: + + {{- range $e, $i := until $replicaCount }} + LOAD_BALANCER_IP_{{ add $i 1 }}="$(kubectl get svc --namespace {{ $releaseNamespace }} {{ $fullname }}-{{ $i }}-external -o jsonpath='{.status.loadBalancer.ingress[0].ip}')" + {{- end }} + +3. 
Upgrade you chart: + + helm upgrade --namespace {{ .Release.Namespace }} {{ .Release.Name }} oci://registry-1.docker.io/bitnamicharts/{{ .Chart.Name }} \ + --set mongodb.replicaCount={{ $replicaCount }} \ + --set mongodb.externalAccess.enabled=true \ + {{- range $i, $e := until $replicaCount }} + --set mongodb.externalAccess.service.loadBalancerIPs[{{ $i }}]=$LOAD_BALANCER_IP_{{ add $i 1 }} \ + {{- end }} + --set mongodb.externalAccess.service.type=LoadBalancer + +{{- else }} + +{{- if and (or (and (eq .Values.architecture "standalone") (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort"))) (and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled)) (not .Values.auth.enabled) }} +------------------------------------------------------------------------------- + WARNING + + By not enabling "mongodb.auth.enabled" you have most likely exposed the + MongoDB® service externally without any authentication mechanism. + + For security reasons, we strongly suggest that you enable authentiation + setting the "mongodb.auth.enabled" parameter to "true". + +------------------------------------------------------------------------------- +{{- end }} + +** Please be patient while the chart is being deployed ** + +MongoDB® can be accessed on the following DNS name(s) and ports from within your cluster: + +{{- if eq .Values.architecture "replicaset" }} +{{ join "\n" $mongoList | nindent 4 }} +{{- else }} + + {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ .Values.clusterDomain }} + +{{- end }} + +{{- if .Values.auth.enabled }} + +To get the root password run: + + export MONGODB_ROOT_PASSWORD=$(kubectl get secret --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.secretName" . }} -o jsonpath="{.data.mongodb-root-password}" | base64 -d) + +{{- end }} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . 
-}} +{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} +{{- $customUsersList := splitList "," $customUsers }} +{{- range $index, $user := $customUsersList }} + +To get the password for "{{ $user }}" run: + + export MONGODB_PASSWORD=$(kubectl get secret --namespace {{ include "mongodb.namespace" $ }} {{ include "mongodb.secretName" $ }} -o jsonpath="{.data.mongodb-passwords}" | base64 -d | awk -F',' '{print ${{ add 1 $index }}}') + +{{- end }} +{{- end }} + +To connect to your database, create a MongoDB® client container: + + kubectl run --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.fullname" . }}-client --rm --tty -i --restart='Never' --env="MONGODB_ROOT_PASSWORD=$MONGODB_ROOT_PASSWORD" --image {{ template "mongodb.image" . }} --command -- bash + +Then, run the following command: + + {{- if eq .Values.architecture "replicaset" }} + mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- else }} + mongosh admin --host "{{ template "mongodb.service.nameOverride" . }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- end }} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled }} + +To connect to your database nodes from outside, you need to add both primary and secondary nodes hostnames/IPs to your Mongo client. To obtain them, follow the instructions below: + +{{- if eq "NodePort" .Values.externalAccess.service.type }} +{{- if .Values.externalAccess.service.domain }} + + MongoDB® nodes domain: Use your provided hostname to reach MongoDB® nodes, {{ .Values.externalAccess.service.domain }} + +{{- else }} + + MongoDB® nodes domain: you can reach MongoDB® nodes on any of the K8s nodes external IPs. 
+ + kubectl get nodes -o wide + +{{- end }} + + MongoDB® nodes port: You will have a different node port for each MongoDB® node. You can get the list of configured node ports using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')" + +{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IPs to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -w' + + MongoDB® nodes domain: You will have a different external IP for each MongoDB® node. You can get the list of external IPs using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')" + + MongoDB® nodes port: {{ .Values.externalAccess.service.ports.mongodb }} + +{{- end }} + +{{- else if eq .Values.architecture "standalone" }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "mongodb.service.nameOverride" . 
}}) + mongo --host $NODE_IP --port $NODE_PORT {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ template "mongodb.namespace" . }} -w {{ template "mongodb.service.nameOverride" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.service.nameOverride" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + mongosh --host $SERVICE_IP --port {{ $portNumber }} {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ template "mongodb.namespace" . }} svc/{{ template "mongodb.service.nameOverride" . }} {{ $portNumber }}:{{ $portNumber }} & + mongosh --host 127.0.0.1 {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- end }} +{{- end }} +{{- end }} + +{{- if .Values.metrics.enabled }} + +To access the MongoDB® Prometheus metrics, get the MongoDB® Prometheus URL by running: + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-metrics" (include "mongodb.fullname" .) }} {{ .Values.metrics.service.ports.metrics }}:{{ .Values.metrics.service.ports.metrics }} & + echo "Prometheus Metrics URL: http://127.0.0.1:{{ .Values.metrics.service.ports.metrics }}/metrics" + +Then, open the obtained URL in a browser. 
+ +{{- end }} +{{- end }} +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- include "common.warnings.rollingTag" .Values.externalAccess.autoDiscovery.image }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.rollingTag" .Values.tls.image }} +{{- include "mongodb.validateValues" . }} +{{- include "common.warnings.resources" (dict "sections" (list "arbiter" "externalAccess.autoDiscovery" "hidden" "metrics" "" "tls" "volumePermissions") "context" $) }} diff --git a/kubernetes/common/mongodb/templates/_helpers.tpl b/kubernetes/common/mongodb/templates/_helpers.tpl new file mode 100644 index 0000000000..b6bbb1f781 --- /dev/null +++ b/kubernetes/common/mongodb/templates/_helpers.tpl 
@@ -0,0 +1,514 @@ +{{/* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mongodb.name" -}} +{{- include "common.names.name" . -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mongodb.fullname" -}} +{{- include "common.names.fullname" . -}} +{{- end -}} + +{{/* +Create a default mongo service name which can be overridden. +*/}} +{{- define "mongodb.service.nameOverride" -}} + {{- if and .Values.service .Values.service.nameOverride -}} + {{- print .Values.service.nameOverride -}} + {{- else -}} + {{- if eq .Values.architecture "replicaset" -}} + {{- printf "%s-headless" (include "mongodb.fullname" .) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Create a default mongo arbiter service name which can be overridden. +*/}} +{{- define "mongodb.arbiter.service.nameOverride" -}} + {{- if and .Values.arbiter.service .Values.arbiter.service.nameOverride -}} + {{- print .Values.arbiter.service.nameOverride -}} + {{- else -}} + {{- printf "%s-arbiter-headless" (include "mongodb.fullname" .) 
-}} + {{- end }} +{{- end }} + +{{/* +Return the proper MongoDB® image name +*/}} +{{- define "mongodb.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "mongodb.metrics.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "mongodb.volumePermissions.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container auto-discovery image) +*/}} +{{- define "mongodb.externalAccess.autoDiscovery.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.autoDiscovery.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the TLS Certs image) +*/}} +{{- define "mongodb.tls.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.tls.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "mongodb.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image) "context" $) -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. 
+*/}} +{{- define "mongodb.namespace" -}} + {{- if and .Values.global .Values.global.namespaceOverride -}} + {{- print .Values.global.namespaceOverride -}} + {{- else -}} + {{- print .Release.Namespace -}} + {{- end }} +{{- end -}} +{{- define "mongodb.serviceMonitor.namespace" -}} + {{- if .Values.metrics.serviceMonitor.namespace -}} + {{- print .Values.metrics.serviceMonitor.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} +{{- define "mongodb.prometheusRule.namespace" -}} + {{- if .Values.metrics.prometheusRule.namespace -}} + {{- print .Values.metrics.prometheusRule.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} + +{{/* +Returns the proper service account name depending if an explicit service account name is set +in the values file. If the name is not set it will default to either mongodb.fullname if serviceAccount.create +is true or default otherwise. +*/}} +{{- define "mongodb.serviceAccountName" -}} + {{- if .Values.serviceAccount.create -}} + {{- default (include "mongodb.fullname" .) (print .Values.serviceAccount.name) -}} + {{- else -}} + {{- default "default" (print .Values.serviceAccount.name) -}} + {{- end -}} +{{- end -}} + +{{/* +Return the list of custom users to create during the initialization (string format) +*/}} +{{- define "mongodb.customUsers" -}} + {{- $customUsers := list -}} + {{- if .Values.auth.username -}} + {{- $customUsers = append $customUsers .Values.auth.username }} + {{- end }} + {{- range .Values.auth.usernames }} + {{- $customUsers = append $customUsers . 
}} + {{- end }} + {{- printf "%s" (default "" (join "," $customUsers)) -}} +{{- end -}} + +{{/* +Return the list of passwords for the custom users (string format) +*/}} +{{- define "mongodb.customPasswords" -}} + {{- $customPasswords := list -}} + {{- if .Values.auth.password -}} + {{- $customPasswords = append $customPasswords .Values.auth.password }} + {{- end }} + {{- range .Values.auth.passwords }} + {{- $customPasswords = append $customPasswords . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customPasswords)) -}} +{{- end -}} + +{{/* +Return the list of custom databases to create during the initialization (string format) +*/}} +{{- define "mongodb.customDatabases" -}} + {{- $customDatabases := list -}} + {{- if .Values.auth.database -}} + {{- $customDatabases = append $customDatabases .Values.auth.database }} + {{- end }} + {{- range .Values.auth.databases }} + {{- $customDatabases = append $customDatabases . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customDatabases)) -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration +*/}} +{{- define "mongodb.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® +*/}} +{{- define "mongodb.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with MongoDB® credentials +*/}} +{{- define "mongodb.secretName" -}} + {{- if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for MongoDB® +*/}} +{{- define "mongodb.createSecret" -}} +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "mongodb.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" .Values.initdbScriptsConfigMap -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Arbiter should be deployed +*/}} +{{- define "mongodb.arbiter.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Arbiter +*/}} +{{- define "mongodb.arbiter.configmapName" -}} +{{- if .Values.arbiter.existingConfigmap -}} + {{- printf "%s" (tpl .Values.arbiter.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-arbiter" (include "mongodb.fullname" .) 
-}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Arbiter +*/}} +{{- define "mongodb.arbiter.createConfigmap" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled .Values.arbiter.configuration (not .Values.arbiter.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Hidden should be deployed +*/}} +{{- define "mongodb.hidden.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.hidden.enabled }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Hidden +*/}} +{{- define "mongodb.hidden.configmapName" -}} +{{- if .Values.hidden.existingConfigmap -}} + {{- printf "%s" (tpl .Values.hidden.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-hidden" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Hidden +*/}} +{{- define "mongodb.hidden.createConfigmap" -}} +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.enabled .Values.hidden.configuration (not .Values.hidden.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "mongodb.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "mongodb.validateValues.pspAndRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.architecture" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBs" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBsLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessServiceType" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.loadBalancerIPsListLength" .) 
-}} +{{- $messages := append $messages (include "mongodb.validateValues.nodePortListLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.replicaset.existingSecrets" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.hidden.existingSecrets" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate RBAC is created when using PSP */}} +{{- define "mongodb.validateValues.pspAndRBAC" -}} +{{- if and (.Values.podSecurityPolicy.create) (not .Values.rbac.create) -}} +mongodb: podSecurityPolicy.create, rbac.create + Both podSecurityPolicy.create and rbac.create must be true, if you want + to create podSecurityPolicy +{{- end -}} +{{- end -}} + +{{/* Validate values of MongoDB® - must provide a valid architecture */}} +{{- define "mongodb.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replicaset") -}} +mongodb: architecture + Invalid architecture selected. Valid values are "standalone" and + "replicaset". Please set a valid architecture (--set mongodb.architecture="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases are necessary +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBs" -}} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . 
-}} +{{- if or (and (empty $customUsers) (not (empty $customDatabases))) (and (not (empty $customUsers)) (empty $customDatabases)) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases must be provided to create + custom users and databases during 1st initialization. + Please set both of them (--set auth.usernames[0]="xxxx",auth.databases[0]="yyyy") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases arrays should have the same length +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBsLength" -}} +{{- if ne (len .Values.auth.usernames) (len .Values.auth.databases) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases arrays should have the same length +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - service type for external access +*/}} +{{- define "mongodb.validateValues.externalAccessServiceType" -}} +{{- if and (eq .Values.architecture "replicaset") (not (eq .Values.externalAccess.service.type "NodePort")) (not (eq .Values.externalAccess.service.type "LoadBalancer")) (not (eq .Values.externalAccess.service.type "ClusterIP")) -}} +mongodb: externalAccess.service.type + Available service type for external access are NodePort, LoadBalancer or ClusterIP. 
+{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than LoadBalancer IPs list +*/}} +{{- define "mongodb.validateValues.loadBalancerIPsListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled ) (eq .Values.externalAccess.service.type "LoadBalancer") (not (eq $replicaCount $loadBalancerListLength )) -}} +mongodb: .Values.externalAccess.service.loadBalancerIPs + Number of replicas and loadBalancerIPs array length must be the same. +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than NodePort list +*/}} +{{- define "mongodb.validateValues.nodePortListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $nodePortListLength := len .Values.externalAccess.service.nodePorts }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "NodePort") (not (eq $replicaCount $nodePortListLength )) -}} +mongodb: .Values.externalAccess.service.nodePorts + Number of replicas and nodePorts array length must be the same. +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - RBAC should be enabled when autoDiscovery is enabled +*/}} +{{- define "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.rbac.create ) }} +mongodb: rbac.create + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to autodetect the external IPs/ports by querying the + K8s API. Please note this initContainer requires specific RBAC resources. 
You can create them + by specifying "--set rbac.create=true". +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of replicaset secrets must be the same than number of replicaset nodes. +*/}} +{{- define "mongodb.validateValues.replicaset.existingSecrets" -}} +{{- if and .Values.tls.enabled (eq .Values.architecture "replicaset") (not (empty .Values.tls.replicaset.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.replicaset.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.replicaCount)) }} +mongodb: tls.replicaset.existingSecrets + tls.replicaset.existingSecrets Number of secrets and number of replicaset nodes must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of hidden secrets must be the same than number of hidden nodes. +*/}} +{{- define "mongodb.validateValues.hidden.existingSecrets" -}} +{{- if and .Values.tls.enabled (include "mongodb.hidden.enabled" .) (not (empty .Values.tls.hidden.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.hidden.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.hidden.replicaCount)) }} +mongodb: tls.hidden.existingSecrets + tls.hidden.existingSecrets Number of secrets and number of hidden nodes must be the same. 
+{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® exporter URI string - auth.enabled and/or tls.enabled must be enabled or it defaults +*/}} +{{- define "mongodb.mongodb_exporter.uri" -}} + {{- $tlsEnabled := .Values.tls.enabled -}} + {{- $mTlsEnabled := and $tlsEnabled .Values.tls.mTLS.enabled -}} + {{- $tlsArgs := "" -}} + {{- if $tlsEnabled -}} + {{- $tlsCertKeyFile := ternary "&tlsCertificateKeyFile=/certs/mongodb.pem" "" $mTlsEnabled -}} + {{- $tlsArgs = printf "tls=true%s&tlsCAFile=/certs/mongodb-ca-cert" $tlsCertKeyFile -}} + {{- end -}} + {{- if .Values.metrics.username -}} + {{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- else -}} + {{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "mongodb.createTlsSecret" -}} +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) (include "mongodb.autoGenerateCerts" .) 
}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing MongoDB® TLS certificates +*/}} +{{- define "mongodb.tlsSecretName" -}} +{{- $secretName := .Values.tls.existingSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-ca" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if certificates must be auto generated +*/}} +{{- define "mongodb.autoGenerateCerts" -}} +{{- $standalone := (eq .Values.architecture "standalone") | ternary (not .Values.tls.standalone.existingSecret) true -}} +{{- $replicaset := (eq .Values.architecture "replicaset") | ternary (empty .Values.tls.replicaset.existingSecrets) true -}} +{{- $arbiter := (eq (include "mongodb.arbiter.enabled" .) "true") | ternary (not .Values.tls.arbiter.existingSecret) true -}} +{{- $hidden := (eq (include "mongodb.hidden.enabled" .) "true") | ternary (empty .Values.tls.hidden.existingSecrets) true -}} +{{- if and $standalone $replicaset $arbiter $hidden -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Generate argument list for mongodb-exporter +reference: https://github.com/percona/mongodb_exporter/blob/main/REFERENCE.md +*/}} +{{- define "mongodb.exporterArgs" -}} +{{- with .Values.metrics.collector -}} +{{- ternary " --collect-all" "" .all -}} +{{- ternary " --collector.diagnosticdata" "" .diagnosticdata -}} +{{- ternary " --collector.replicasetstatus" "" .replicasetstatus -}} +{{- ternary " --collector.dbstats" "" .dbstats -}} +{{- ternary " --collector.topmetrics" "" .topmetrics -}} +{{- ternary " --collector.indexstats" "" .indexstats -}} +{{- ternary " --collector.collstats" "" .collstats -}} +{{- if .collstatsColls -}} +{{- " --mongodb.collstats-colls=" -}} +{{- join "," .collstatsColls -}} +{{- end -}} +{{- if .indexstatsColls -}} +{{- " --mongodb.indexstats-colls=" -}} +{{- join "," .indexstatsColls -}} +{{- end -}} +{{- $limitArg := print " --collector.collstats-limit=" .collstatsLimit 
-}} +{{- ne (print .collstatsLimit) "0" | ternary $limitArg "" -}} +{{- end -}} +{{- ternary " --compatible-mode" "" .Values.metrics.compatibleMode -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/templates/arbiter/configmap.yaml b/kubernetes/common/mongodb/templates/arbiter/configmap.yaml new file mode 100644 index 0000000000..79fbfe5480 --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml b/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml new file mode 100644 index 0000000000..003bebb2ad --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml 
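Review bot: in `mongodb.mongodb_exporter.uri` (kubernetes/common/mongodb/templates/_helpers.tpl) the credentials are spliced into the connection string through `sed -r "s/@/%40/g;s/:/%3A/g"`, which percent-encodes only `@` and `:`, and in the root-user branch `$MONGODB_ROOT_USER` is not encoded at all. A password containing `/`, `?`, `#` or `%` still produces a URI that is malformed or parsed differently from what was intended, and the unquoted `$MONGODB_ROOT_PASSWORD` and `$MONGODB_METRICS_PASSWORD` passed to `echo` are subject to shell word splitting and globbing. Suggest quoting the variables and encoding every URI-reserved character, or documenting the allowed password alphabet next to `auth.rootPassword`. In the same file, `mongodb.validateValues.customUsersDBsLength` compares only `auth.usernames` with `auth.databases`; `auth.passwords` is comma-joined by `mongodb.customPasswords`, but none of the validators shown here checks its length against the other two lists, and a password containing a comma would shift the pairing.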
@@ -0,0 +1,31 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.arbiter.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp-mongodb + port: {{ .Values.arbiter.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.arbiter.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/pdb.yaml b/kubernetes/common/mongodb/templates/arbiter/pdb.yaml new file mode 100644 index 0000000000..37b5c198af --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/pdb.yaml 
@@ -0,0 +1,28 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.arbiter.enabled" .) .Values.arbiter.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.arbiter.pdb.minAvailable }} + minAvailable: {{ .Values.arbiter.pdb.minAvailable }} + {{- end }} + {{- if .Values.arbiter.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.arbiter.pdb.maxUnavailable }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml new file mode 100644 index 0000000000..269863f3ec --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml 
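Review bot: in kubernetes/common/mongodb/templates/arbiter/pdb.yaml the `minAvailable` and `maxUnavailable` fields are guarded by two independent `if` blocks, so a values file that sets both `arbiter.pdb.minAvailable` and `arbiter.pdb.maxUnavailable` renders both fields, and the API server rejects a PodDisruptionBudget that specifies both. The truthiness test also drops an explicit `0`, so `maxUnavailable: 0` never reaches the manifest. Suggest making the second block an `else if`, or adding a `mongodb.validateValues.*` entry that fails when both are set, and testing with `kindIs "invalid"` or `hasKey` instead of plain truthiness so that zero is kept.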
@@ -0,0 +1,310 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.arbiter.service.nameOverride" . }} + podManagementPolicy: {{ .Values.arbiter.podManagementPolicy }} + {{- if .Values.arbiter.updateStrategy }} + updateStrategy: {{- toYaml .Values.arbiter.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: arbiter + {{- if or (include "mongodb.arbiter.createConfigmap" .) .Values.arbiter.podAnnotations }} + annotations: + {{- if (include "mongodb.arbiter.createConfigmap" .) 
}} + checksum/configuration: {{ include (print $.Template.BasePath "/arbiter/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.arbiter.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.arbiter.schedulerName }} + schedulerName: {{ .Values.arbiter.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.arbiter.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAffinityPreset "component" "arbiter" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAntiAffinityPreset "component" "arbiter" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.arbiter.nodeAffinityPreset.type "key" .Values.arbiter.nodeAffinityPreset.key "values" .Values.arbiter.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.arbiter.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.nodeSelector "context" $) | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.arbiter.automountServiceAccountToken }} + {{- if .Values.arbiter.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.tolerations "context" $) | nindent 8 }} + 
{{- end }} + {{- if .Values.arbiter.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.priorityClassName }} + priorityClassName: {{ .Values.arbiter.priorityClassName }} + {{- end }} + {{- if .Values.arbiter.runtimeClassName }} + runtimeClassName: {{ .Values.arbiter.runtimeClassName }} + {{- end }} + {{- if .Values.arbiter.podSecurityContext.enabled }} + securityContext: {{- omit .Values.arbiter.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.arbiter.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.arbiter.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.arbiter.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.arbiter.service.nameOverride" . 
}} + {{- end }} + containers: + - name: mongodb-arbiter + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.arbiter.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.arbiter.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.arbiter.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.arbiter.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.arbiter.service.nameOverride" . }}" + - name: MONGODB_REPLICA_SET_MODE + value: "arbiter" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ printf "%s-0.%s.$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) (include "mongodb.service.nameOverride" .) 
.Values.clusterDomain }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: MONGODB_PORT_NUMBER + value: {{ .Values.arbiter.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- $extraFlags := .Values.arbiter.extraFlags | join " " -}} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.arbiter.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.arbiter.extraEnvVarsCM .Values.arbiter.extraEnvVarsSecret }} + envFrom: + {{- if .Values.arbiter.extraEnvVarsCM }} + - 
configMapRef: + name: {{ tpl .Values.arbiter.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.arbiter.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.arbiter.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.arbiter.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.arbiter.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- if .Values.arbiter.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.readinessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- if .Values.arbiter.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- end }} + {{- if .Values.arbiter.resources }} + resources: {{- toYaml .Values.arbiter.resources | nindent 12 }} + {{- else if ne .Values.arbiter.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.arbiter.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: 
/tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.arbiter.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0555 + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.arbiter.configmapName" . }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . 
}} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.arbiter.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.arbiter.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml new file mode 100644 index 0000000000..79466e919e --- /dev/null +++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml 
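Review bot: the `generate-tls-certs` init container in kubernetes/common/mongodb/templates/arbiter/statefulset.yaml sets neither `securityContext` nor `resources`, while the `mongodb-arbiter` container in the same pod applies `.Values.arbiter.containerSecurityContext` and the same init container in backup/cronjob.yaml takes `.Values.tls.resources` or `.Values.tls.resourcesPreset`. When `mongodb.autoGenerateCerts` is true this init container mounts `certs-volume`, which carries `mongodb-ca-key`, so it is the container in the pod that most needs the restricted context. Suggest giving it the same `securityContext` block as the main container and the `tls.resources` block used in the cronjob. Two smaller points in the same file: `defaultMode: 256` on `mongodb-certs-0` is written in decimal (octal 0400) where the other modes are octal (`0600`, `0555`), and `{{ if .Values.arbiter.terminationGracePeriodSeconds }}` lacks the `{{-` trim that every sibling conditional uses.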
@@ -0,0 +1,204 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.backup.enabled }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "mongodb.fullname" . }}-mongodump + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + schedule: {{ quote .Values.backup.cronjob.schedule }} + concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }} + failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }} + {{- if .Values.backup.cronjob.startingDeadlineSeconds }} + startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }} + {{- end }} + jobTemplate: + spec: + {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . 
| nindent 12 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 10 }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if .Values.tls.enabled }} + initContainers: + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . 
}} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 16 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 16 }} + {{- end }} + {{- end }} + containers: + - name: {{ include "mongodb.fullname" . }}-mongodump + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + {{- if .Values.auth.enabled }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + - name: MONGODB_SERVICE_NAME + value: {{ include "mongodb.service.nameOverride" . 
}} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODUMP_DIR + value: {{ .Values.backup.cronjob.storage.mountPath }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --ssl --sslPEMKeyFile=/certs/mongodb.pem --sslCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.backup.cronjob.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} + {{- else }} + command: + - /bin/sh + - -c + - "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz" + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + {{- end }} + - name: datadir + mountPath: {{ .Values.backup.cronjob.storage.mountPath }} + subPath: {{ .Values.backup.cronjob.storage.subPath }} + {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} + securityContext: + {{- include "common.tplvalues.render" ( dict "value" ( omit .Values.backup.cronjob.containerSecurityContext "enabled" ) "context" $) | nindent 14 }} + {{- end }} + restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) 
}} + defaultMode: 0550 + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.backup.cronjob.storage.existingClaim }} + - name: datadir + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }} + {{- else }} + - name: datadir + persistentVolumeClaim: + claimName: {{ include "mongodb.fullname" . }}-mongodump + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/backup/pvc.yaml b/kubernetes/common/mongodb/templates/backup/pvc.yaml new file mode 100644 index 0000000000..caefc05f30 --- /dev/null +++ b/kubernetes/common/mongodb/templates/backup/pvc.yaml 
@@ -0,0 +1,41 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "mongodb.fullname" . }}-mongodump + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy}} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.backup.cronjob.storage.resourcePolicy }} + helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }} + {{- end }} + {{- end }} +spec: + accessModes: + {{- range .Values.backup.cronjob.storage.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.backup.cronjob.storage.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) | nindent 2 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/common-scripts-cm.yaml b/kubernetes/common/mongodb/templates/common-scripts-cm.yaml new file mode 100644 index 0000000000..bf5feadbf8 --- /dev/null 
+++ b/kubernetes/common/mongodb/templates/common-scripts-cm.yaml 
@@ -0,0 +1,146 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + startup-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert--tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'if (!(db.hello().isWritablePrimary || db.hello().secondary)) { throw new Error("Not ready") }' + readiness-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + # Run the proper check depending on the version + [[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} + . 
/opt/bitnami/scripts/libversion.sh + VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" + VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" + VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" + readiness_test='db.isMaster().ismaster || db.isMaster().secondary' + if [[ ( "$VERSION_MAJOR" -ge 5 ) || ( "$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2 ) ]]; then + readiness_test='db.hello().isWritablePrimary || db.hello().secondary' + fi + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "if (!(${readiness_test})) { throw new Error(\"Not ready\") }" + ping-mongodb.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')" + {{- if .Values.tls.enabled }} + generate-certs.sh: | + #!/bin/bash + {{- if (include "mongodb.autoGenerateCerts" .) }} + additional_ips=() + additional_names=() + while getopts "i:n:s:" flag + do + case "${flag}" in + i) read -a additional_ips <<< ${OPTARG//,/ } ;; + n) read -a additional_names <<< ${OPTARG//,/ } ;; + s) svc=${OPTARG// /} ;; + \?) 
exit 1 ;; + esac + done + + my_hostname=$(hostname) + cp /certs/CAs/* /certs/ + cat >/certs/openssl.cnf <>/certs/openssl.cnf <>/certs/openssl.cnf < /certs/mongodb.pem + cd /certs/ + shopt -s extglob + rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) + chmod 0600 mongodb-ca-cert mongodb.pem + {{- else }} + {{- if eq .Values.architecture "standalone" }} + ID="0" + {{- else }} + if [[ "$MY_POD_NAME" =~ "arbiter-0"$ ]]; then + ID="0" + elif [[ "$MY_POD_NAME" =~ "hidden-"[0-9]{1,}$ ]]; then + ID="${MY_POD_NAME#"{{ printf "%s-hidden-" $fullname }}"}" + else + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + fi + {{- end }} + + {{- if .Values.tls.pemChainIncluded }} + #Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc. + cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx + + #Use first certificate as leaf node and combine with key to store in pem file + cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + + #Use remaining intermediate certificates for ca.crt + echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert" + + rm -rf /certs/xx* + {{- else }} + cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert" + {{- end }} + + chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem + {{- end }} + {{- end }} diff --git a/kubernetes/common/mongodb/templates/configmap.yaml b/kubernetes/common/mongodb/templates/configmap.yaml new file mode 100644 index 0000000000..7d11e087ff --- /dev/null +++ b/kubernetes/common/mongodb/templates/configmap.yaml 
@@ -0,0 +1,20 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/extra-list.yaml b/kubernetes/common/mongodb/templates/extra-list.yaml new file mode 100644 index 0000000000..2d35a580e8 --- /dev/null +++ b/kubernetes/common/mongodb/templates/extra-list.yaml @@ -0,0 +1,9 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/configmap.yaml b/kubernetes/common/mongodb/templates/hidden/configmap.yaml new file mode 100644 index 0000000000..a83087367e --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/configmap.yaml 
@@ -0,0 +1,20 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml b/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml new file mode 100644 index 0000000000..6cbbb40bfc --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml 
@@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.hidden.enabled" .) .Values.externalAccess.hidden.enabled }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.hidden.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-hidden-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-hidden-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.hidden.service.type }} + {{- if eq $root.Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.hidden.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.hidden.service.loadBalancerIPs $i }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerClass }} + loadBalancerClass: {{ $root.Values.externalAccess.hidden.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: {{ 
$root.Values.externalAccess.hidden.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.hidden.service.type "LoadBalancer") (eq $root.Values.externalAccess.hidden.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.hidden.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.hidden.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.hidden.service.portName | quote }} + port: {{ $root.Values.externalAccess.hidden.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.hidden.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.hidden.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.hidden.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.hidden.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} 
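Review bot: In templates/backup/cronjob.yaml the default command passes the root password as `--password=${MONGODB_ROOT_PASSWORD}`, so after shell expansion it sits in the mongodump argument list, readable by anything that can list processes in the container or on the node. Keep it off argv, for example by writing it to a file only the job user can read and handing that file to mongodump (its `--config` option accepts a password, where the bundled tools support it), and consider a dedicated backup user instead of root. Two further problems sit in the same hunk. `${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog` trims the space before `--oplog`, so with TLS enabled on a replica set the CA path renders as `/certs/mongodb-ca-cert--oplog`. The `generate-tls-certs` init container sets no `MY_POD_NAME`, yet generate-certs.sh derives `/certs-${ID}` from it when existing secrets are used on a non-standalone architecture, so `ID` comes out empty while the secret is mounted at `/certs-0`.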
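Review bot: In templates/common-scripts-cm.yaml, startup-probe.sh builds `--tlsCAFile=/certs/mongodb-ca-cert--tlsAllowInvalidHostnames` with no space between the two options, so with TLS enabled the startup probe is given a CA file name that does not exist and never receives `--tlsAllowInvalidHostnames`; readiness-probe.sh and ping-mongodb.sh have the space. In readiness-probe.sh the test `"$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2` compares each component on its own, so a version such as 4.5.0 falls back to `db.isMaster()`; compare the version as a whole. In the `pemChainIncluded` branch, `echo $(find ...) | sort` joins all paths onto one line before sorting, so the order of the intermediate certificates written to mongodb-ca-cert is whatever find returns.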
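Review bot: In templates/hidden/external-access-svc.yaml, `loadBalancerSourceRanges` is rendered only when the value is set, so a `LoadBalancer` service for a hidden member is not restricted by source address unless the operator adds ranges, and `publishNotReadyAddresses: true` routes that traffic to pods before they are ready. Consider failing the render, or at least documenting the requirement, when the type is `LoadBalancer` and no source ranges are given. Also, `index $root.Values.externalAccess.hidden.service.loadBalancerIPs $i` and the matching `nodePorts` lookup are not guarded against lists shorter than `hidden.replicaCount`; hidden/statefulset.yaml checks the list length for the LoadBalancer case, but this template does not, so a short list aborts rendering with an index error.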
diff --git a/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml b/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml new file mode 100644 index 0000000000..49b6845c7e --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.enabled" .) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if or .Values.hidden.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: {{ .Values.hidden.service.portName | quote }} + port: {{ .Values.hidden.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.hidden.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/pdb.yaml b/kubernetes/common/mongodb/templates/hidden/pdb.yaml new file mode 100644 index 0000000000..5420a93275 --- /dev/null 
+++ b/kubernetes/common/mongodb/templates/hidden/pdb.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" . )}} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.hidden.pdb.minAvailable }} + minAvailable: {{ .Values.hidden.pdb.minAvailable }} + {{- end }} + {{- if .Values.hidden.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.hidden.pdb.maxUnavailable }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: hidden +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml new file mode 100644 index 0000000000..5b2a807d84 --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml 
@@ -0,0 +1,601 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.enabled" .) }} +{{- $replicaCount := int .Values.hidden.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.hidden.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.hidden.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.hidden.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if or .Values.hidden.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) }} + podManagementPolicy: {{ .Values.hidden.podManagementPolicy }} + replicas: {{ .Values.hidden.replicaCount }} + {{- if .Values.hidden.updateStrategy }} + updateStrategy: {{- toYaml .Values.hidden.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: hidden + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: hidden + {{- if or (include "mongodb.hidden.createConfigmap" .) .Values.hidden.podAnnotations }} + annotations: + {{- if (include "mongodb.hidden.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/hidden/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.hidden.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.hidden.schedulerName }} + schedulerName: {{ .Values.hidden.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} + automountServiceAccountToken: {{ .Values.hidden.automountServiceAccountToken }} + {{- if .Values.hidden.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAntiAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.hidden.nodeAffinityPreset.type "key" .Values.hidden.nodeAffinityPreset.key "values" .Values.hidden.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.priorityClassName }} + priorityClassName: {{ .Values.hidden.priorityClassName }} + {{- end }} + {{- if .Values.hidden.runtimeClassName }} + runtimeClassName: {{ .Values.hidden.runtimeClassName }} + {{- end }} + {{- if .Values.hidden.podSecurityContext.enabled }} + securityContext: {{- omit 
.Values.hidden.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.hidden.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.hidden.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if or .Values.hidden.initContainers (and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled) (and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.hidden.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} + find {{ printf "%s/%s" .Values.hidden.persistence.mountPath (default "" .Values.hidden.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml 
.Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: datadir + mountPath: {{ .Values.hidden.persistence.mountPath }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ printf "%s-hidden-headless" (include "mongodb.fullname" .) 
}} + {{- if .Values.externalAccess.hidden.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.hidden.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . }} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + command: + - /scripts/auto-discovery.sh + # We need the service account token for contacting the k8s API + automountServiceAccountToken: true + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} + {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.hidden.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.hidden.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.hidden.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup-hidden.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.hidden.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.service.nameOverride" . }}" + - name: K8S_HIDDEN_NODE_SERVICE_NAME + value: "{{ include "mongodb.fullname" . 
}}-hidden-headless" + - name: MONGODB_REPLICA_SET_MODE + value: "hidden" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ printf "%s-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) .Values.clusterDomain }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_HIDDEN_NODE_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.hidden.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.hidden.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.hidden.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.hidden.extraEnvVarsCM .Values.hidden.extraEnvVarsSecret }} + envFrom: + {{- if .Values.hidden.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.hidden.extraEnvVarsCM . 
| quote }} + {{- end }} + {{- if .Values.hidden.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.hidden.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.hidden.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.hidden.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.hidden.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.hidden.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.hidden.resources }} + resources: {{- toYaml .Values.hidden.resources | nindent 12 }} + {{- else if ne .Values.hidden.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.hidden.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ 
.Values.hidden.persistence.mountPath }} + subPath: {{ .Values.hidden.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup-hidden.sh + subPath: setup-hidden.sh + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + {{- if .Values.hidden.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /opt/bitnami/redis-cluster/tmp + subPath: app-tmp-dir + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: 9216 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne 
.Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.hidden.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0555 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.hidden.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0755 + {{- if .Values.hidden.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . 
}} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + {{- range $index, $secret := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.hidden.persistence.enabled }} + - name: datadir + {{- if .Values.hidden.persistence.medium }} + emptyDir: + medium: {{ .Values.hidden.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: datadir + {{- if .Values.hidden.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.hidden.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.hidden.persistence.size | quote }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.hidden.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} 
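Review bot: the `metrics` container's volumeMounts in this StatefulSet template mount `empty-dir` at `/opt/bitnami/redis-cluster/tmp` (subPath `app-tmp-dir`), a redis-cluster path in a MongoDB chart that looks like a copy-paste leftover; the mongodb container in the same template uses `/opt/bitnami/mongodb/tmp`. Please confirm which writable path the exporter image actually needs and correct or drop the mount. The same container also takes its securityContext from `.Values.containerSecurityContext`, while the mongodb container here reads `.Values.hidden.containerSecurityContext`, so a context hardened for the hidden node does not reach the exporter sidecar; if that is intended, a comment in the template would help.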
diff --git a/kubernetes/common/mongodb/templates/initialization-configmap.yaml b/kubernetes/common/mongodb/templates/initialization-configmap.yaml new file mode 100644 index 0000000000..7086e0bf73 --- /dev/null +++ b/kubernetes/common/mongodb/templates/initialization-configmap.yaml @@ -0,0 +1,19 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/metrics-svc.yaml b/kubernetes/common/mongodb/templates/metrics-svc.yaml new file mode 100644 index 0000000000..f21401eef7 --- /dev/null +++ b/kubernetes/common/mongodb/templates/metrics-svc.yaml 
@@ -0,0 +1,31 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type }} + ports: + - port: {{ .Values.metrics.service.ports.metrics }} + targetPort: metrics + protocol: TCP + name: http-metrics + {{- if .Values.metrics.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/templates/networkpolicy.yaml b/kubernetes/common/mongodb/templates/networkpolicy.yaml new file mode 100644 index 0000000000..f6d62ca867 --- /dev/null +++ b/kubernetes/common/mongodb/templates/networkpolicy.yaml 
@@ -0,0 +1,83 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotation }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.containerPorts.mongodb }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.mongodb }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPort }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: mongodb + {{- $ingressNSMatchLabels := coalesce .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.namespaceSelector }} + {{- if $ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := $ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- $ingressNSPodMatchLabels := coalesce .Values.networkPolicy.ingressNSPodMatchLabels .Values.networkPolicy.podSelector }} + {{- if $ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := $ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- $extraIngress := coalesce .Values.networkPolicy.extraIngress .Values.networkPolicy.customRules }} + {{- if $extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/mongodb/templates/prometheusrule.yaml b/kubernetes/common/mongodb/templates/prometheusrule.yaml new file mode 100644 index 0000000000..00df349fcd --- /dev/null +++ b/kubernetes/common/mongodb/templates/prometheusrule.yaml 
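Review bot: in templates/networkpolicy.yaml the extraEgress block tests `.Values.networkPolicy.extraEgress` but renders `.Values.rts.networkPolicy.extraEgress`; nothing else in this template refers to `.Values.rts`, so unless that key exists the chart fails to render as soon as a user adds an extra egress rule. It should read `.Values.networkPolicy.extraEgress`. In the metadata block the condition is `if or .Values.annotations .Values.commonAnnotation` (missing the trailing "s"), so annotations supplied only through `commonAnnotations` are never emitted even though the merge on the next line uses the correct name. The file also ends without a trailing newline.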
@@ -0,0 +1,23 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.prometheusRule.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "mongodb.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/psp.yaml b/kubernetes/common/mongodb/templates/psp.yaml new file mode 100644 index 0000000000..61c452b48b --- /dev/null +++ b/kubernetes/common/mongodb/templates/psp.yaml 
@@ -0,0 +1,51 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: +{{- if .Values.podSecurityPolicy.spec }} +{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }} +{{- else }} + allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }} + fsGroup: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.podSecurityContext.fsGroup }} + max: {{ .Values.podSecurityContext.fsGroup }} + hostIPC: false + hostNetwork: false + hostPID: false + privileged: {{ .Values.podSecurityPolicy.privileged }} + readOnlyRootFilesystem: false + requiredDropCapabilities: + - ALL + runAsUser: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + volumes: + - 'configMap' + - 'secret' + - 'emptyDir' + - 'persistentVolumeClaim' +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml b/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml new file mode 100644 index 0000000000..3bc9900597 --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml 
@@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not (eq .Values.externalAccess.service.type "ClusterIP")) }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.service.type }} + {{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }} + {{- end }} + {{- if and (eq $root.Values.externalAccess.service.type "LoadBalancer") $root.Values.externalAccess.service.loadBalancerClass }} + loadBalancerClass: {{ $root.Values.externalAccess.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: 
{{ $root.Values.externalAccess.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.service.type "LoadBalancer") (eq $root.Values.externalAccess.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.service.portName | quote }} + port: {{ $root.Values.externalAccess.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml b/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml new file mode 100644 index 0000000000..bf7a3d91e0 --- /dev/null 
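Review bot: in replicaset/external-access-svc.yaml, `index $root.Values.externalAccess.service.loadBalancerIPs $i` and the matching `index $root.Values.externalAccess.service.nodePorts $i` are guarded only by `not (empty ...)`, so a list shorter than `replicaCount` aborts rendering with an index error instead of a readable message; add a length check with an explicit `fail`, or point to the validation helper that already covers it. Each of these Services exposes one MongoDB pod outside the cluster with `publishNotReadyAddresses: true`, and `loadBalancerSourceRanges` is only rendered when set, so the values documentation should say that source ranges are expected when the type is LoadBalancer. The inner `and (eq $root.Values.externalAccess.service.type "LoadBalancer") ...loadBalancerClass` repeats the enclosing condition and can be reduced to the `loadBalancerClass` test.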
+++ b/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.commonAnnotations .Values.service.headless.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: {{ .Values.service.portName | quote }} + port: {{ .Values.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/pdb.yaml b/kubernetes/common/mongodb/templates/replicaset/pdb.yaml new file mode 100644 index 0000000000..5bbd31074e --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/pdb.yaml 
@@ -0,0 +1,28 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml b/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml new file mode 100644 index 0000000000..00b2502092 --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml 
@@ -0,0 +1,317 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- if and .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + auto-discovery.sh: |- + #!/bin/bash + + SVC_NAME="${MY_POD_NAME}-external" + + # Auxiliary functions + retry_while() { + local -r cmd="${1:?cmd is missing}" + local -r retries="${2:-12}" + local -r sleep_time="${3:-5}" + local return_value=1 + + read -r -a command <<< "$cmd" + for ((i = 1 ; i <= retries ; i+=1 )); do + "${command[@]}" && return_value=0 && break + sleep "$sleep_time" + done + return $return_value + } + k8s_svc_lb_ip() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + local service_ip=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + local service_hostname=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") + + if [[ -n ${service_ip} ]]; then + echo "${service_ip}" + else + echo "${service_hostname}" + fi + } + k8s_svc_lb_ip_ready() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + [[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]] + } + # Wait until LoadBalancer IP is ready + retry_while "k8s_svc_lb_ip_ready {{ 
$releaseNamespace }} $SVC_NAME" || exit 1 + # Obtain LoadBalancer external IP + k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" + {{- end }} + setup.sh: |- + #!/bin/bash + + . /opt/bitnami/scripts/mongodb-env.sh + . /opt/bitnami/scripts/libfs.sh + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libvalidations.sh + + {{- if .Values.externalAccess.enabled }} + {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + info "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + info "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + + # Check for existing replica set in case there is no data in the PVC + # This is for cases where the PVC is lost 
or for MongoDB caches without + # persistence + current_primary="" + if is_dir_empty "${MONGODB_DATA_DIR}/db"; then + info "Data dir empty, checking if the replica set already exists" + {{- $replicaCount := int .Values.replicaCount }} + {{- $portNumber := int .Values.service.ports.mongodb }} + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- $clusterDomain := .Values.clusterDomain }} + {{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} + {{- $mongoList := list }} + {{- range $e, $i := until $replicaCount }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} + {{- end }} + + {{- if .Values.externalAccess.externalMaster.enabled }} + current_primary={{ printf "%s:%d" (.Values.externalAccess.externalMaster.host) ( int .Values.externalAccess.externalMaster.port) }} + {{- else }} + current_primary=$(mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }}{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} --eval 'db.runCommand("ismaster")' | awk -F\' '/primary/ {print $2}') + {{- end }} + if ! is_empty_value "$current_primary"; then + info "Detected existing primary: ${current_primary}" + fi + fi + + if ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" == "$current_primary" ]]; then + info "Advertised name matches current primary, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + elif ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" != "$current_primary" ]]; then + info "Current primary is different from this node. 
Configuring the node as replica of ${current_primary}" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_HOST="${current_primary%:*}" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="${current_primary#*:}" + export MONGODB_SET_SECONDARY_OK="yes" + elif [[ "$MY_POD_NAME" = "{{ $fullname }}-0" ]]; then + info "Pod name matches initial primary pod name, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + else + info "Pod name doesn't match initial primary pod name, configuring node as a secondary" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + if [[ "$MONGODB_REPLICA_SET_MODE" == "secondary" ]]; then + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + fi + + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + setup-hidden.sh: |- + #!/bin/bash + + . 
/opt/bitnami/scripts/mongodb-env.sh + + {{- if .Values.externalAccess.hidden.enabled }} + {{- if eq .Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.hidden.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.hidden.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.hidden.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.hidden.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + echo "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + echo "Configuring node as a hidden node" + export MONGODB_REPLICA_SET_MODE="hidden" + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export 
MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + {{- if .Values.replicaSetConfigurationSettings.enabled }} + replicaSetConfigurationSettings.sh: |- + #!/bin/bash + # This script to be called when pod starts. + # This script sets rs settings which can not be applied via conf file + + function logger () + #$1 is the line to be logged + { + echo "replicaSetConfigurationSettings.sh -- ${1}" >&1 + } + + SLEEP_PERIOD=10 + + {{- if and .Values.auth.enabled .Values.auth.rootPassword }} + usernameAndPassword="{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} -u ${MONGODB_ROOT_USER} -p ${MONGODB_ROOT_PASSWORD}" + {{- else }} + usernameAndPassword="" + {{- end }} + + # load Values.replicaSetConfigurationSettings.configuration into associtive array which makes iterating and string manipulation easy + declare -A desiredRsConf + {{ range $setting, $value := .Values.replicaSetConfigurationSettings.configuration -}} + {{ printf "desiredRsConf[%s]='%v'" $setting $value }} + {{ end }} + + rsConfWriteAttempts=0 + rs_conf_configured_ok=unknown + + while [[ "${rs_conf_configured_ok}" != "true" ]]; do + + # give the rs setup a chance to succeed before attempting to read or configure + sleep ${SLEEP_PERIOD} + + counter=0 + while ! mongosh ${usernameAndPassword} --eval 'rs.conf()'; do + counter=$((${counter} +1)) + logger "not yet able to read rs.conf settings from the currently running rs (after ${counter} attempts)" + sleep ${SLEEP_PERIOD} + done + counter=$((${counter} +1)) + logger "rs.conf settings have been read from the currently running rs (after ${counter} attempts)" + + # read rs.conf again and store it. 
settings format is '"" : ,' + currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()') + + desiredEqualsactual=unknown + settingsToConfigure="" + for key in ${!desiredRsConf[@]}; do + value=${desiredRsConf[$key]} + if ! $(echo "\"${currentRsConf}"\" | grep -q -e "${key}: ${value},"); then + if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then + memberIndex=$(echo $key | grep -o -E '[0-9]+') + nodeConfigKey=${key#*.} + settingsToConfigure="${settingsToConfigure}cfg.members[${memberIndex}].${nodeConfigKey} = ${value}; " + else + # General rs settings + settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " + fi + desiredEqualsactual=false + else + logger "rs conf: ${key} is already at desired value: ${value}" + fi + done + + if [[ "${desiredEqualsactual}" != "false" ]]; then + logger "replicaSetConfigurationSettings match the settings of the currently running rs" + desiredEqualsactual=true + rs_conf_configured_ok=true + logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)" + exit + fi + + # apply the settings only if this member is currently the mongo replicaset PRIMARY + # it might take a little time before any pod is PRIMARY + isMaster=unknown + if ! mongosh ${usernameAndPassword} --eval 'rs.isMaster()' | grep -q "ismaster: true"; then + isMaster=false + logger "This node is not yet PRIMARY - replicaSetConfigurationSettings will only be set on the member that is currently PRIMARY" + else + isMaster=true + logger "This node is PRIMARY" + fi + + if [[ "${isMaster}" == "true" ]]; then + logger "This node is currently PRIMARY - will apply rs.conf settings" + + # avoiding tricky string substitution with single quotes by making the eval string a set of vars + rsconf="cfg = rs.conf();" + rsreconf="rs.reconfig(cfg);" + rsCommand="${rsconf} ${settingsToConfigure} ${rsreconf}" + + mongosh ${usernameAndPassword} --eval "${rsCommand}" + if [ $? 
-ne 0 ]; then + logger "Failed to apply mongodb cfg.settings configuration" + else + logger "mongodb replicaset cfg.settings configuration applied" + logger "Will check rs conf" + # don't exit just yet - the settings will be checked in the next loop + fi + rsConfWriteAttempts=$((${rsConfWriteAttempts} + 1 )) + fi + done + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml new file mode 100644 index 0000000000..55158e8fb0 --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml 
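Review bot: In scripts-configmap.yaml, both setup.sh and replicaSetConfigurationSettings.sh hand the root password to mongosh on the command line (`-p $MONGODB_ROOT_PASSWORD`, and `mongosh ${usernameAndPassword}`) with the expansion unquoted, so the secret is readable in the process argument list inside the container and a password containing whitespace or glob characters is split into several arguments. Suggest quoting the expansions and passing the credential by a route that keeps it out of argv. In replicaSetConfigurationSettings.sh the TLS flags are also nested inside `if and .Values.auth.enabled .Values.auth.rootPassword`, so when TLS is enabled but `auth.rootPassword` is not set in values, `usernameAndPassword` is empty and every mongosh call in the loop runs with neither `--tls` nor credentials; the TLS options should be assembled independently of the auth test. Separately, the NodePort branch of setup-hidden.sh reads `.Values.externalAccess.service.nodePorts` while every other value in that script comes from `.Values.externalAccess.hidden.service`; please confirm that is intended.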
@@ -0,0 +1,606 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.service.nameOverride" . }} + podManagementPolicy: {{ .Values.podManagementPolicy }} + replicas: {{ .Values.replicaCount }} + {{- if .Values.updateStrategy }} + updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 
10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . 
}} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ .Values.persistence.mountPath }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) 
}} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . 
}} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + # We need the service account token for contacting the k8s API + automountServiceAccountToken: true + command: + - /scripts/auto-discovery.sh + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- toYaml .Values.externalAccess.autoDiscovery.resources | nindent 12 }} + {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: K8S_SERVICE_NAME + value: "{{ include "mongodb.service.nameOverride" . }}" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ printf "%s-0.$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) 
.Values.clusterDomain }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).$(K8S_SERVICE_NAME).$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . 
| quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + 
subPath: app-logs-dir + - name: datadir + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup.sh + subPath: setup.sh + {{ if .Values.replicaSetConfigurationSettings.enabled }} + - name: scripts + mountPath: /scripts/replicaSetConfigurationSettings.sh + subPath: replicaSetConfigurationSettings.sh + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- 
include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0550 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + emptyDir: {} + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0755 + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . 
}} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + {{- range $index, $secret := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: datadir + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: datadir + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . 
| quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/svc.yaml b/kubernetes/common/mongodb/templates/replicaset/svc.yaml new file mode 100644 index 0000000000..d95504376a --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/svc.yaml 
@@ -0,0 +1,41 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "ClusterIP") }} + +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or $root.Values.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - name: {{ $root.Values.service.portName | quote }} + port: {{ $root.Values.service.ports.mongodb }} + targetPort: mongodb + {{- if $root.Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} 
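Review bot: in templates/replicaset/svc.yaml the outer `if` gates on `.Values.externalAccess.enabled` and `.Values.externalAccess.service.type`, but every field of the per-pod Service (annotations, `portName`, `ports.mongodb`, `extraPorts`) is read from `$root.Values.service.*`. Annotations or extra ports meant only for the internal service are therefore copied onto each externally addressed per-pod Service. Either read these from `externalAccess.service` or state in values.yaml that the ClusterIP external-access mode reuses the `service.*` settings. Two smaller points in the same loop: `(printf "%s" $fullName)` is a no-op wrapper, and `set $ "targetPod" $targetPod` writes into the root context on every iteration although `$targetPod` is already a local variable, so the `set` can be dropped unless a rendered sub-template depends on it.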
diff --git a/kubernetes/common/mongodb/templates/role.yaml b/kubernetes/common/mongodb/templates/role.yaml new file mode 100644 index 0000000000..b37d192cb0 --- /dev/null +++ b/kubernetes/common/mongodb/templates/role.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +{{- if .Values.rbac.rules }} +{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} +{{- end -}} +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} + - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "mongodb.fullname" . }}] +{{- end -}} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/rolebinding.yaml b/kubernetes/common/mongodb/templates/rolebinding.yaml new file mode 100644 index 0000000000..c6a76e6455 --- /dev/null +++ b/kubernetes/common/mongodb/templates/rolebinding.yaml 
@@ -0,0 +1,21 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +roleRef: + kind: Role + name: {{ include "mongodb.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "mongodb.serviceAccountName" . }} + namespace: {{ include "mongodb.namespace" . | quote }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/secrets-ca.yaml b/kubernetes/common/mongodb/templates/secrets-ca.yaml new file mode 100644 index 0000000000..e1387ae30f --- /dev/null +++ b/kubernetes/common/mongodb/templates/secrets-ca.yaml 
@@ -0,0 +1,33 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.createTlsSecret" .) }} +{{- $secretName := printf "%s" (include "mongodb.tlsSecretName" .) }} +{{- $fullname := include "mongodb.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $cn := printf "%s.%s.svc.%s" $fullname .Release.Namespace $clusterDomain }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ template "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if or .Values.tls.caCert .Values.tls.caKey (not .Values.tls.autoGenerated) }} + {{- $ca := buildCustomCert (required "A valid .Values.tls.caCert is required!" .Values.tls.caCert) (required "A valid .Values.tls.caKey is required!" .Values.tls.caKey) }} + mongodb-ca-cert: {{ b64enc $ca.Cert }} + mongodb-ca-key: {{ b64enc $ca.Key }} + {{- else }} + {{- $ca := genCA "myMongo-ca" 3650 }} + mongodb-ca-cert: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-cert" "defaultValue" $ca.Cert "context" $) }} + mongodb-ca-key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-key" "defaultValue" $ca.Key "context" $) }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/secrets.yaml b/kubernetes/common/mongodb/templates/secrets.yaml new file mode 100644 index 0000000000..004f2f3622 --- /dev/null +++ b/kubernetes/common/mongodb/templates/secrets.yaml 
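Review bot: in templates/secrets-ca.yaml the variables `$fullname`, `$releaseNamespace`, `$clusterDomain` and `$cn` are assigned at the top of the template and never referenced again in this hunk, while the auto-generated branch calls `genCA "myMongo-ca" 3650` with a fixed CA name and a hard-coded 3650-day lifetime. Either remove the unused assignments or use them to derive the CA name, and consider exposing the validity period as a chart value so operators can shorten it. It would also help to document next to `mongodb-ca-key` that the CA private key is stored in this Secret, so that read access to it is restricted accordingly.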
@@ -0,0 +1,128 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.auth.enabled }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $port := .Values.service.ports.mongodb }} +{{- $host := include "mongodb.service.nameOverride" . }} +{{- $hostForURI := printf "%s:%s" (include "mongodb.service.nameOverride" .) (print $port) }} +{{- if (eq .Values.architecture "replicaset") }} + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- $clusterDomain := .Values.clusterDomain }} + {{- $mongoList := list }} + {{- $mongoOnlyHostList := list }} + {{- range $e, $i := until $replicaCount }} + {{- $mongoOnlyHostList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s" $fullname $i $fullname $releaseNamespace $clusterDomain) }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%s" $fullname $i $fullname $releaseNamespace $clusterDomain (print $port)) }} + {{- end }} + {{- $host = (join "," $mongoOnlyHostList) }} + {{- $hostForURI = (join "," $mongoList) }} +{{- end }} + +{{/* Root user section. */}} +{{- $rootPassword := include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-root-password" "providedValues" (list "auth.rootPassword" ) "context" $) | trimAll "\"" | b64dec }} + +{{/* Custom user section. This chart allows creating multiple users */}} +{{- $customUsers := include "mongodb.customUsers" . }} +{{- $customDatabases := include "mongodb.customDatabases" . }} +{{- $customPasswords := include "mongodb.customPasswords" . 
}} +{{- $passwords := "" }} +{{- $passwordList := list -}} +{{- $customUsersList := list }} +{{- $customDatabasesList := list }} +{{- $customPasswordsList := list }} +{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} +{{- $customUsersList = splitList "," $customUsers }} +{{- $customDatabasesList = splitList "," $customDatabases }} +{{- if not (empty $customPasswords) }} +{{- $passwordList = $customPasswords }} +{{- $customPasswordsList = splitList "," $customPasswords }} +{{- else }} +{{- range $customUsersList }} +{{- $customPasswordsList = append $customPasswordsList (randAlphaNum 10) }} +{{- end -}} +{{- $passwordList = (join "," $customPasswordsList) }} +{{- end }} +{{- $passwords = include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-passwords" "providedValues" (list "mongodbPasswords") "context" (set (deepCopy $) "Values" (dict "mongodbPasswords" $passwordList))) | trimAll "\"" | b64dec }} +{{- end }} + +{{- if (include "mongodb.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ template "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + mongodb-root-password: {{ print $rootPassword | b64enc | quote }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + mongodb-passwords: {{ print $passwords | b64enc | quote }} + {{- end }} + {{- if .Values.metrics.username }} + mongodb-metrics-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) 
"key" "mongodb-metrics-password" "providedValues" (list "metrics.password" ) "context" $) }} + {{- end }} + {{- if eq .Values.architecture "replicaset" }} + mongodb-replica-set-key: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) "key" "mongodb-replica-set-key" "providedValues" (list "auth.replicaSetKey" ) "context" $) }} + {{- end }} +{{- end }} +{{- if .Values.serviceBindings.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-root + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/mongodb +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mongodb" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print .Values.auth.rootUser | b64enc | quote }} + password: {{ print $rootPassword | b64enc | quote }} + database: {{ print "admin" | b64enc | quote }} + uri: {{ printf "mongodb://%s:%s@%s/admin" .Values.auth.rootUser $rootPassword $hostForURI | b64enc | quote }} +{{- range $e, $i := until (len $customUsersList) }} +--- +{{- $currentSecret := printf "%s-svcbind-%d" (include "common.names.fullname" $) $i }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $currentSecret }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/mongodb +data: + {{- 
$currentUser := index $customUsersList $i }} + {{- $currentDatabase := last $customDatabasesList }} + {{- if gt (len $customDatabasesList) $i }} + {{- $currentDatabase = index $customDatabasesList $i }} + {{- end }} + {{- $currentProvidedPassword := index $customPasswordsList $i }} + {{- $currentPassword := include "common.secrets.lookup" (dict "secret" $currentSecret "key" "password" "defaultValue" $currentProvidedPassword "context" $) | b64dec }} + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mongodb" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print $currentUser | b64enc | quote }} + password: {{ print $currentPassword | b64enc | quote }} + database: {{ print $currentDatabase | b64enc | quote }} + uri: {{ printf "mongodb://%s:%s@%s/%s" $currentUser $currentPassword $hostForURI $currentDatabase | b64enc | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/serviceaccount.yaml b/kubernetes/common/mongodb/templates/serviceaccount.yaml new file mode 100644 index 0000000000..6dd53ab83e --- /dev/null +++ b/kubernetes/common/mongodb/templates/serviceaccount.yaml 
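Review bot: in templates/secrets.yaml, inside the `range $e, $i := until $replicaCount` loop, the port-less host list is built from the wrong variable: `$mongoOnlyHostList = append $mongoList (...)` should be `$mongoOnlyHostList = append $mongoOnlyHostList (...)`. As written, with more than one replica the `host` field of the service-binding Secrets ends up holding the earlier `host:port` entries from `$mongoList` followed by a single entry without a port. Separately, in the per-user binding block `index $customPasswordsList $i` has no fallback when fewer passwords than users are supplied, unlike the database lookup, which falls back to `last $customDatabasesList`; an explicit length check with a `fail` message would give a clearer render error. The generated custom-user passwords use `randAlphaNum 10`, which is worth lengthening.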
@@ -0,0 +1,20 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "mongodb.serviceAccountName" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +secrets: + - name: {{ template "mongodb.fullname" . }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/servicemonitor.yaml b/kubernetes/common/mongodb/templates/servicemonitor.yaml new file mode 100644 index 0000000000..8273e4b626 --- /dev/null +++ b/kubernetes/common/mongodb/templates/servicemonitor.yaml 
@@ -0,0 +1,48 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.serviceMonitor.namespace" . }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" 
.Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - "{{ include "mongodb.namespace" . }}" +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml new file mode 100644 index 0000000000..29dd406bca --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml 
@@ -0,0 +1,520 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: {{ if .Values.useStatefulSet }}{{ include "common.capabilities.statefulset.apiVersion" . }}{{- else }}{{ include "common.capabilities.deployment.apiVersion" . }}{{- end }} +kind: {{ if .Values.useStatefulSet }}StatefulSet{{- else }}Deployment{{- end }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + replicas: {{ gt (.Values.replicaCount | int) 1 | ternary 1 .Values.replicaCount }} + {{- if .Values.useStatefulSet }} + serviceName: {{ include "mongodb.service.nameOverride" . }} + {{- end }} + {{- if .Values.updateStrategy}} + {{- if .Values.useStatefulSet }} + updateStrategy: + {{- else }} + strategy: + {{- end }} + {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end}} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{ if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.tls.enabled }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and 
.Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . 
}} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if .Values.tls.extraDnsNames }} + - -n {{ join "," .Values.tls.extraDnsNames }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- toYaml .Values.tls.resources | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- toYaml .Values.tls.securityContext | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-root-password + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- 
end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + 
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- 
include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0550 + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: {} + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else if .Values.persistence.existingClaim }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) 
}} + {{- else if not .Values.useStatefulSet }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ template "mongodb.fullname" . }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/pvc.yaml b/kubernetes/common/mongodb/templates/standalone/pvc.yaml new file mode 100644 index 0000000000..d59bad918f --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/pvc.yaml 
@@ -0,0 +1,31 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (not (eq .Values.architecture "replicaset")) (not .Values.useStatefulSet) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + annotations: + {{- if .Values.persistence.resourcePolicy }} + helm.sh/resource-policy: {{ .Values.persistence.resourcePolicy | quote }} + {{- end }} + {{- if or .Values.persistence.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/svc.yaml b/kubernetes/common/mongodb/templates/standalone/svc.yaml new file mode 100644 index 0000000000..5d0d03f3fb --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/svc.yaml 
@@ -0,0 +1,62 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if (eq .Values.service.type "LoadBalancer") }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" 
.Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + ports: + - name: {{ .Values.service.portName | quote }} + port: {{ .Values.service.ports.mongodb }} + targetPort: mongodb + {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) .Values.service.nodePorts.mongodb }} + nodePort: {{ .Values.service.nodePorts.mongodb }} + {{- else if eq .Values.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/values.schema.json b/kubernetes/common/mongodb/values.schema.json new file mode 100644 index 0000000000..3eb6a64ce7 --- /dev/null +++ b/kubernetes/common/mongodb/values.schema.json 
@@ -0,0 +1,232 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "MongoDB® architecture", + "form": true, + "description": "Allowed values: `standalone` or `replicaset`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Authentication", + "form": true + }, + "rootUser": { + "type": "string", + "title": "MongoDB® admin user", + "form": true, + "description": "Name of the admin user. Default is root" + }, + "rootPassword": { + "type": "string", + "title": "MongoDB® admin password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + }, + "database": { + "type": "string", + "title": "MongoDB® custom database", + "description": "Name of the custom database to be created during the 1st initialization of MongoDB®", + "form": true + }, + "username": { + "type": "string", + "title": "MongoDB® custom user", + "description": "Name of the custom user to be created during the 1st initialization of MongoDB®. 
This user only has permissions on the MongoDB® custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for MongoDB® custom user", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + }, + "replicaSetKey": { + "type": "string", + "title": "Key used for replica set authentication", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "replicaCount": { + "type": "integer", + "form": true, + "title": "Number of MongoDB® replicas", + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "configuration": { + "type": "string", + "title": "MongoDB® Custom Configuration", + "form": true, + "render": "textArea" + }, + "arbiter": { + "type": "object", + "title": "Arbiter configuration", + "form": true, + "properties": { + "configuration": { + "type": "string", + "title": "Arbiter Custom Configuration", + "form": true, + "render": "textArea", + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "networkPolicy": { + "type": "object", + "title": "Network policy configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable network policy", + "description": "Enable network policy using Kubernetes native NP", + "hidden": { + "value": false, + "path": "networkPolicy/enabled" + } + }, + "ingress": { + "type": "object", + "properties": { + "namespaceSelector": { + "type": "object", + "title": "Namespace selector label that is allowed to access this instance", + "hidden": { + "value": {}, + "path": "networkPolicy/ingress/namespaceSelector" + } + }, + "podSelector": { + "type": "object", + "title": "Pod selector label that is allowed to access this instance", + "hidden": { + "value": {}, + "path": 
"networkPolicy/ingress/podSelector" + } + }, + "customRules": { + "type": "array", + "title": "Custom rules for ingress network policy", + "hidden": { + "value": [], + "path": "networkPolicy/ingress/customRules" + } + } + } + }, + "egress": { + "type": "object", + "properties": { + "customRules": { + "type": "array", + "title": "Custom rules for egress network policy", + "hidden": { + "value": [], + "path": "networkPolicy/egress/customRules" + } + } + } + } + } + }, + "persistence": { + "type": "object", + "title": "Persistence configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "hidden": { + "value": false, + "path": "persistence/enabled" + }, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } 
+} diff --git a/kubernetes/common/mongodb/values.yaml b/kubernetes/common/mongodb/values.yaml new file mode 100644 index 0000000000..8d995ce973 --- /dev/null +++ b/kubernetes/common/mongodb/values.yaml 
@@ -0,0 +1,2415 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + namespaceOverride: "" +## @section Common parameters +## + +## @param nameOverride String to partially override mongodb.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override mongodb.fullname template +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## extraDeploy: +## This needs to be uncommented and added to 'extraDeploy' in order to use the replicaset 'mongo-labeler' sidecar +## for dynamically discovering the mongodb primary pod +## suggestion is to use a hard-coded and predictable TCP port for the primary mongodb pod (here is 30001, choose your own) +## - apiVersion: v1 +## kind: Service +## metadata: +## name: mongodb-primary +## namespace: 
the-mongodb-namespace +## labels: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/managed-by: Helm +## app.kubernetes.io/name: mongodb +## spec: +## type: NodePort +## externalTrafficPolicy: Cluster +## ports: +## - name: mongodb +## port: 30001 +## nodePort: 30001 +## protocol: TCP +## targetPort: mongodb +## selector: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/name: mongodb +## primary: "true" +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template +## +commonLabels: {} +## @param commonAnnotations Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template +## +commonAnnotations: {} +## @param topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used +## i.e. topologyKey: topology.kubernetes.io/zone +## +topologyKey: "" +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ +## +serviceBindings: + enabled: false +## @param enableServiceLinks Whether information about services should be injected into pod's environment variable +## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace. +## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. 
+## +enableServiceLinks: true +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity +## @section MongoDB(®) parameters +## + +## Bitnami MongoDB(®) image +## ref: https://hub.docker.com/r/bitnami/mongodb/tags/ +## @param image.registry [default: REGISTRY_NAME] MongoDB(®) image registry +## @param image.repository [default: REPOSITORY_NAME/mongodb] MongoDB(®) image registry +## @skip image.tag MongoDB(®) image tag (immutable tags are recommended) +## @param image.digest MongoDB(®) image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy MongoDB(®) image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Set to true if you would like to see extra information on logs +## +image: + registry: docker.io + repository: bitnami/mongodb + tag: 7.0.5-debian-12-r5 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param schedulerName Name of the scheduler (other than default) to dispatch pods +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`) +## +architecture: standalone +## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) +## +useStatefulSet: false +## MongoDB(®) Authentication parameters +## +auth: + ## @param auth.enabled Enable authentication + ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ + ## + enabled: true + ## @param auth.rootUser MongoDB(®) root user + ## + rootUser: root + ## @param auth.rootPassword MongoDB(®) root password + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run + ## + rootPassword: "" + ## MongoDB(®) custom users and databases + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#creating-a-user-and-database-on-first-run + ## @param auth.usernames List of custom users to be created during the initialization + ## @param auth.passwords List of passwords for the custom users set at `auth.usernames` + ## @param auth.databases List of custom databases to be created during the initialization + ## + usernames: [] + passwords: [] + databases: [] + ## @param auth.username DEPRECATED: use `auth.usernames` instead + ## @param auth.password DEPRECATED: use `auth.passwords` instead + ## @param auth.database DEPRECATED: use `auth.databases` instead + ## + username: "" + password: "" + database: "" + ## @param auth.replicaSetKey Key used for authentication in the replicaset 
(only when `architecture=replicaset`) + ## + replicaSetKey: "" + ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) + ## NOTE: When it's set the previous parameters are ignored. + ## + existingSecret: "" +tls: + ## @param tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes + ## + enabled: false + mTLS: + ## @param tls.mTLS.enabled IF TLS support is enabled, require clients to provide certificates + enabled: true + ## @param tls.autoGenerated Generate a custom CA and self-signed certificates + ## + autoGenerated: true + ## @param tls.existingSecret Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) + ## NOTE: When it's set it will disable secret creation. + ## + existingSecret: "" + ## Add Custom CA certificate + ## @param tls.caCert Custom CA certificated (base64 encoded) + ## @param tls.caKey CA certificate private key (base64 encoded) + ## + caCert: "" + caKey: "" + ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. + ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA. + ## + pemChainIncluded: false + standalone: + ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + replicaset: + ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. 
+ ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + hidden: + ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + arbiter: + ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + ## Bitnami Nginx image + ## @param tls.image.registry [default: REGISTRY_NAME] Init container TLS certs setup image registry + ## @param tls.image.repository [default: REPOSITORY_NAME/nginx] Init container TLS certs setup image repository + ## @skip tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) + ## @param tls.image.digest Init container TLS certs setup image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param tls.image.pullPolicy Init container TLS certs setup image pull policy + ## @param tls.image.pullSecrets Init container TLS certs specify docker-registry secret names as an array + ## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients + ## + image: + registry: docker.io + repository: bitnami/nginx + tag: 1.25.4-debian-12-r1 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## e.g: + ## extraDnsNames + ## "DNS.6": "$my_host" + ## "DNS.7": "$test" + ## + extraDnsNames: [] + ## @param tls.mode Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) + ## + mode: requireTLS + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init Container securityContext + ## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/ + ## @param tls.securityContext Init container generate-tls-cert Security context + ## + securityContext: {} + ## Example: + ## allowPrivilegeEscalation: false + ## capabilities: + ## drop: ["ALL"] + ## +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## +replicaSetName: rs0 +## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## Ignored when externalAccess.enabled=true +## +replicaSetHostnames: true +## @param enableIPv6 Switch to enable/disable IPv6 on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-ipv6 +## +enableIPv6: false +## @param directoryPerDB Switch to enable/disable DirectoryPerDB on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-directoryperdb +## +directoryPerDB: false +## MongoDB(®) System Log configuration +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#configuring-system-log-verbosity-level +## @param 
systemLogVerbosity MongoDB(®) system log verbosity level +## @param disableSystemLog Switch to enable/disable MongoDB(®) system log +## +systemLogVerbosity: 0 +disableSystemLog: false +## @param disableJavascript Switch to enable/disable MongoDB(®) server-side JavaScript execution +## ref: https://docs.mongodb.com/manual/core/server-side-javascript/ +## +disableJavascript: false +## @param enableJournal Switch to enable/disable MongoDB(®) Journaling +## ref: https://docs.mongodb.com/manual/reference/configuration-options/#mongodb-setting-storage.journal.enabled +## +enableJournal: true +## @param configuration MongoDB(®) configuration file to be used for Primary and Secondary nodes +## For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/ +## Example: +## configuration: |- +## # where and how to store data. +## storage: +## dbPath: /bitnami/mongodb/data/db +## journal: +## enabled: true +## directoryPerDB: false +## # where to write logging data +## systemLog: +## destination: file +## quiet: false +## logAppend: true +## logRotate: reopen +## path: /opt/bitnami/mongodb/logs/mongodb.log +## verbosity: 0 +## # network interfaces +## net: +## port: 27017 +## unixDomainSocket: +## enabled: true +## pathPrefix: /opt/bitnami/mongodb/tmp +## ipv6: false +## bindIpAll: true +## # replica set options +## #replication: +## #replSetName: replicaset +## #enableMajorityReadConcern: true +## # process management options +## processManagement: +## fork: false +## pidFilePath: /opt/bitnami/mongodb/tmp/mongodb.pid +## # set parameter options +## setParameter: +## enableLocalhostAuthBypass: true +## # security options +## security: +## authorization: disabled +## #keyFile: /opt/bitnami/mongodb/conf/keyfile +## +configuration: "" +## @section replicaSetConfigurationSettings settings applied during runtime (not via configuration file) +## If enabled, these are applied by a script which is called within setup.sh +## for documentation 
see https://docs.mongodb.com/manual/reference/replica-configuration/#replica-set-configuration-fields +## @param replicaSetConfigurationSettings.enabled Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings +## @param replicaSetConfigurationSettings.configuration run-time rs.conf settings +## +replicaSetConfigurationSettings: + enabled: false + configuration: {} +## Custom configurations for individual replica set members. +## Use the prefix 'members[X].' to apply settings to the member X of the replica set. +## Example: 'members[0].priority: 3' sets the priority of the first replica set member to 3. +## The index X in 'members[X]' corresponds to the member's position in the replica set. +## members[0].priority: 3 +## chainingAllowed : false +## heartbeatTimeoutSecs : 10 +## heartbeatIntervalMillis : 2000 +## electionTimeoutMillis : 10000 +## catchUpTimeoutMillis : 30000 +## @param existingConfigmap Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes +## NOTE: When it's set the arbiter.configuration parameter is ignored +## +existingConfigmap: "" +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## Example: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/bash +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap Existing ConfigMap with custom initdb scripts +## +initdbScriptsConfigMap: "" +## Command and args for running the container (set to default if not set). 
Use array form +## @param command Override default container command (useful when using custom images) +## @param args Override default container args (useful when using custom images) +## +command: [] +args: [] +## @param extraFlags MongoDB(®) additional command line flags +## Example: +## extraFlags: +## - "--wiredTigerCacheSizeGB=2" +## +extraFlags: [] +## @param extraEnvVars Extra environment variables to add to MongoDB(®) pods +## E.g: +## extraEnvVars: +## - name: FOO +## value: BAR +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) +## +extraEnvVarsSecret: "" +## @section MongoDB(®) statefulset parameters +## + +## @param annotations Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template +## +annotations: {} +## @param labels Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template +## +labels: {} +## @param replicaCount Number of MongoDB(®) nodes +## When `mongodb.architecture=replicaset`, the number of replicas is taken in account +## When `mongodb.architecture=standalone`, the number of replicas can only be 0 or 1 (value higher then 1 will not be taken in account) +## +replicaCount: 2 +## @param updateStrategy.type Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, +## this parameter will be applied on a deployment object. 
In other case it will be applied on a statefulset object +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate +## @param podManagementPolicy Pod management policy for MongoDB(®) +## Should be initialized one by one when building the replicaset for the first time +## +podManagementPolicy: OrderedReady +## @param podAffinityPreset MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key MongoDB(®) Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values MongoDB(®) Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity MongoDB(®) Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector MongoDB(®) Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations MongoDB(®) Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param topologySpreadConstraints MongoDB(®) Spread Constraints for Pods +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## +topologySpreadConstraints: [] +## @param lifecycleHooks LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +## @param terminationGracePeriodSeconds MongoDB(®) Termination Grace Period +## +terminationGracePeriodSeconds: "" +## @param podLabels MongoDB(®) pod labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations MongoDB(®) Pod annotations +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param priorityClassName Name of the existing priority class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param runtimeClassName Name of the runtime class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ +## +runtimeClassName: "" +## MongoDB(®) pods' Security Context. 
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) +## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)' +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] +## MongoDB(®) containers' Security Context (main and metrics container). +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + 
seLinuxOptions: null + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## MongoDB(®) containers' resource requests and limits. +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "none" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## @param containerPorts.mongodb MongoDB(®) container port +## +containerPorts: + mongodb: 27017 +## MongoDB(®) pods' liveness probe. Evaluated as a template. 
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## MongoDB(®) pods' readiness probe. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## Slow starting containers can be protected through startup probes +## Startup probes are available in Kubernetes version 1.16 and above +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param 
startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 30 +## @param customLivenessProbe Override default liveness probe for MongoDB(®) containers +## Ignored when livenessProbe.enabled=true +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe for MongoDB(®) containers +## Ignored when readinessProbe.enabled=true +## +customReadinessProbe: {} +## @param customStartupProbe Override default startup probe for MongoDB(®) containers +## Ignored when startupProbe.enabled=true +## +customStartupProbe: {} +## @param initContainers Add additional init containers for the hidden node pod(s) +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: [] +## @param sidecars Add additional sidecar containers for the MongoDB(®) pod(s) +## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## This is an optional 'mongo-labeler' sidecar container that tracks replica-set for the primary mongodb pod +## and labels it dynamically with ' primary: "true" ' in order for an extra-deployed service to always expose +## and attach to the primary pod, this needs to be uncommented along with the suggested 'extraDeploy' example +## and the suggested rbac example for the pod to be allowed adding labels to mongo replica pods +## search 'mongo-labeler' through this file to find the sections that needs to be uncommented to make it work +## +## - name: mongo-labeler +## image: korenlev/k8s-mongo-labeler-sidecar +## imagePullPolicy: Always +## env: +## - name: LABEL_SELECTOR +## value: 
"app.kubernetes.io/component=mongodb,app.kubernetes.io/instance=mongodb,app.kubernetes.io/name=mongodb" +## - name: NAMESPACE +## value: "the-mongodb-namespace" +## - name: DEBUG +## value: "true" +## +sidecars: [] +## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) +## Examples: +## extraVolumeMounts: +## - name: extras +## mountPath: /usr/share/extras +## readOnly: true +## +extraVolumeMounts: [] +## @param extraVolumes Optionally specify extra list of additional volumes to the MongoDB(®) statefulset +## extraVolumes: +## - name: extras +## emptyDir: {} +## +extraVolumes: [] +## MongoDB(®) Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) + ## + create: false + ## @param pdb.minAvailable Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction + ## + maxUnavailable: "" +## @section Traffic exposure parameters +## + +## Service parameters +## +service: + ## @param service.nameOverride MongoDB(®) service name + ## + nameOverride: "" + ## @param service.type Kubernetes Service type (only for standalone architecture) + ## + type: ClusterIP + ## @param service.portName MongoDB(®) service port name (only for standalone architecture) + ## + portName: mongodb + ## @param service.ports.mongodb MongoDB(®) service port. 
+ ## + ports: + mongodb: 27017 + ## @param service.nodePorts.mongodb Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mongodb: "" + ## @param service.clusterIP MongoDB(®) service cluster IP (only for standalone architecture) + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.externalIPs Specify the externalIP value ClusterIP service type (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + externalIPs: [] + ## @param service.loadBalancerIP loadBalancerIP for MongoDB(®) Service (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerClass loadBalancerClass for MongoDB(®) Service (only for standalone architecture) + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + loadBalancerSourceRanges: [] + ## @param service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## @param service.externalTrafficPolicy service external traffic 
policy (only for standalone architecture) + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} +## External Access to MongoDB(®) nodes configuration +## +externalAccess: + ## @param externalAccess.enabled Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) + ## + enabled: false + ## External IPs auto-discovery configuration + ## An init container is used to auto-detect LB IPs or node ports by querying the K8s API + ## Note: RBAC might be required + ## + autoDiscovery: + ## @param externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs by querying the K8s API + ## + enabled: false + ## Bitnami Kubectl image + ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ + ## @param externalAccess.autoDiscovery.image.registry [default: REGISTRY_NAME] Init container auto-discovery image registry + ## @param externalAccess.autoDiscovery.image.repository [default: REPOSITORY_NAME/kubectl] Init container auto-discovery image repository + ## @skip externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended) + ## @param externalAccess.autoDiscovery.image.digest Init container auto-discovery image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy + ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets + ## + image: + registry: docker.io + repository: bitnami/kubectl + tag: 1.29.2-debian-12-r1 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param externalAccess.autoDiscovery.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param externalAccess.autoDiscovery.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Parameters to configure a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. + ## @param externalAccess.externalMaster.enabled Use external master for bootstrapping + ## @param externalAccess.externalMaster.host External master host to bootstrap from + ## @param externalAccess.externalMaster.port Port for MongoDB(®) service external master host + ## + externalMaster: + enabled: false + host: "" + port: 27017 + ## Parameters to configure K8s service(s) used to externally access MongoDB(®) + ## A new service per broker will be created + ## + service: + ## @param externalAccess.service.type Kubernetes Service type for external access. 
Allowed values: NodePort, LoadBalancer or ClusterIP + ## + type: LoadBalancer + ## @param externalAccess.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer + ## + portName: "mongodb" + ## @param externalAccess.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer + ## + ports: + mongodb: 27017 + ## @param externalAccess.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes + ## Example: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param externalAccess.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param externalAccess.service.externalTrafficPolicy MongoDB(®) service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param externalAccess.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort + ## Example: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.service.domain Domain or external IP 
used to configure MongoDB(®) advertised hostname when service type is NodePort + ## If not specified, the container will try to get the kubernetes node external IP + ## e.g: + ## domain: mydomain.com + ## + domain: "" + ## @param externalAccess.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param externalAccess.service.annotations Service annotations for external access + ## + annotations: {} + ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## External Access to MongoDB(®) Hidden nodes configuration + ## + hidden: + ## @param externalAccess.hidden.enabled Enable Kubernetes external cluster access to MongoDB(®) hidden nodes + ## + enabled: false + ## Parameters to configure K8s service(s) used to externally access MongoDB(®) + ## A new service per broker will be created + ## + service: + ## @param externalAccess.hidden.service.type Kubernetes Service type for external access. 
Allowed values: NodePort or LoadBalancer + ## + type: LoadBalancer + ## @param externalAccess.hidden.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer + ## + portName: "mongodb" + ## @param externalAccess.hidden.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer + ## + ports: + mongodb: 27017 + ## @param externalAccess.hidden.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes + ## Example: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.hidden.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param externalAccess.hidden.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.hidden.service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param externalAccess.hidden.service.externalTrafficPolicy MongoDB(®) service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param externalAccess.hidden.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. 
Length must be the same as replicaCount + ## Example: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.hidden.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort + ## If not specified, the container will try to get the kubernetes node external IP + ## e.g: + ## domain: mydomain.com + ## + domain: "" + ## @param externalAccess.hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param externalAccess.hidden.service.annotations Service annotations for external access + ## + annotations: {} + ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} +## @section Network policy parameters +## + +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +persistence: + ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC + ## + enabled: true + ## @param persistence.name Name of the PVC and mounted volume + ## + name: "datadir" + ## @param persistence.medium Provide a medium for `emptyDir` volumes. + ## Requires persistence.enabled: false + ## + medium: "" + ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## Ignored when mongodb.architecture=replicaset + ## + existingClaim: "" + ## @param persistence.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param persistence.storageClass PVC Storage Class for MongoDB(®) data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param persistence.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size PVC Storage Request for MongoDB(®) data volume + ## + size: 8Gi + ## @param persistence.annotations PVC annotations + ## + annotations: {} + ## @param persistence.mountPath Path to mount the volume at + ## MongoDB(®) images. + ## + mountPath: /bitnami/mongodb + ## @param persistence.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. 
when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @param persistence.volumeClaimTemplates.requests Custom PVC requests attributes + ## Sometime cloud providers use additional requests attributes to provision custom storage instance + ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset + ## + requests: {} + ## @param persistence.volumeClaimTemplates.dataSource Add dataSource to the VolumeClaimTemplate + ## + dataSource: {} +## Persistent Volume Claim Retention Policy +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention +## +persistentVolumeClaimRetentionPolicy: + ## @param persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for MongoDB(®) Statefulset + ## + enabled: false + ## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain +## @section Backup parameters +## This section implements a trivial logical dump cronjob of the database. +## This only comes with the consistency guarantees of the dump program. +## This is not a snapshot based roll forward/backward recovery backup. 
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ +## +backup: + ## @param backup.enabled Enable the logical dump of the database "regularly" + ## + enabled: false + ## Fine tuning cronjob's config + ## + cronjob: + ## @param backup.cronjob.schedule Set the cronjob parameter schedule + ## + schedule: "@daily" + ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy + ## + concurrencyPolicy: Allow + ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit + ## + failedJobsHistoryLimit: 1 + ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit + ## + successfulJobsHistoryLimit: 3 + ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds + ## + startingDeadlineSeconds: "" + ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished + ## + ttlSecondsAfterFinished: "" + ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy + ## + restartPolicy: OnFailure + ## backup container's Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged + ## @param 
backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## @param backup.cronjob.command Set backup container's command to run + ## + command: [] + ## @param backup.cronjob.labels Set the cronjob labels + ## + labels: {} + ## @param backup.cronjob.annotations Set the cronjob annotations + ## + annotations: {} + ## Backup container's + ## + storage: + ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: "" + ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
+ ## + storageClass: "" + ## @param backup.cronjob.storage.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume + ## + size: 8Gi + ## @param backup.cronjob.storage.annotations PVC annotations + ## + annotations: {} + ## @param backup.cronjob.storage.mountPath Path to mount the volume at + ## + mountPath: /backup/mongodb + ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} +## @section RBAC parameters +## + +## ServiceAccount +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for MongoDB(®) pods + ## + create: true + ## @param serviceAccount.name Name of the created serviceAccount + ## If not set and create is true, a name is generated using the mongodb.fullname template + ## + name: "" + ## @param serviceAccount.annotations Additional Service Account annotations + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false +## Role Based Access +## ref: https://kubernetes.io/docs/admin/authorization/rbac/ +## +rbac: + ## @param rbac.create Whether to create & use RBAC resources or not + ## binding 
MongoDB(®) ServiceAccount to a role + ## that allows MongoDB(®) pods querying the K8s API + ## this needs to be set to 'true' to enable the mongo-labeler sidecar primary mongodb discovery + ## + create: false + ## @param rbac.rules Custom rules to create following the role specification + ## The example below needs to be uncommented to use the 'mongo-labeler' sidecar for dynamic discovery of the primary mongodb pod: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## - watch + ## - update + ## + rules: [] +## PodSecurityPolicy configuration +## Be sure to also set rbac.create to true, otherwise Role and RoleBinding won't be created. +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + create: false + ## @param podSecurityPolicy.allowPrivilegeEscalation Enable privilege escalation + ## Either use predefined policy with some adjustments or use `podSecurityPolicy.spec` + ## + allowPrivilegeEscalation: false + ## @param podSecurityPolicy.privileged Allow privileged + ## + privileged: false + ## @param podSecurityPolicy.spec Specify the full spec to use for Pod Security Policy + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## Defining a spec ignores the above values. 
+ ## + spec: {} + ## Example: + ## allowPrivilegeEscalation: false + ## fsGroup: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## hostIPC: false + ## hostNetwork: false + ## hostPID: false + ## privileged: false + ## readOnlyRootFilesystem: false + ## requiredDropCapabilities: + ## - ALL + ## runAsUser: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## seLinux: + ## rule: 'RunAsAny' + ## supplementalGroups: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## volumes: + ## - 'configMap' + ## - 'secret' + ## - 'emptyDir' + ## - 'persistentVolumeClaim' + ## +## @section Volume Permissions parameters +## +## Init Container parameters +## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component +## values from the securityContext section of the component +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r15 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false + ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container + ## + securityContext: + seLinuxOptions: null + runAsUser: 0 +## @section Arbiter parameters +## +arbiter: + ## @param arbiter.enabled Enable deploying the arbiter + ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/ + ## + enabled: true + ## @param arbiter.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param arbiter.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param arbiter.configuration Arbiter configuration file to be used + ## 
http://docs.mongodb.org/manual/reference/configuration-options/ + ## + configuration: "" + ## @param arbiter.existingConfigmap Name of existing ConfigMap with Arbiter configuration + ## NOTE: When it's set the arbiter.configuration parameter is ignored + ## + existingConfigmap: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param arbiter.command Override default container command (useful when using custom images) + ## @param arbiter.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## @param arbiter.extraFlags Arbiter additional command line flags + ## Example: + ## extraFlags: + ## - "--wiredTigerCacheSizeGB=2" + ## + extraFlags: [] + ## @param arbiter.extraEnvVars Extra environment variables to add to Arbiter pods + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param arbiter.extraEnvVarsCM Name of existing ConfigMap containing extra env vars + ## + extraEnvVarsCM: "" + ## @param arbiter.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param arbiter.annotations Additional labels to be added to the Arbiter statefulset + ## + annotations: {} + ## @param arbiter.labels Annotations to be added to the Arbiter statefulset + ## + labels: {} + ## @param arbiter.topologySpreadConstraints MongoDB(®) Spread Constraints for arbiter Pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + ## @param arbiter.lifecycleHooks LifecycleHook for the Arbiter container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param arbiter.terminationGracePeriodSeconds Arbiter Termination Grace Period + ## + terminationGracePeriodSeconds: "" + ## @param arbiter.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet + ## 
ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## @param arbiter.podManagementPolicy Pod management policy for MongoDB(®) + ## Should be initialized one by one when building the replicaset for the first time + ## + podManagementPolicy: OrderedReady + ## @param arbiter.schedulerName Name of the scheduler (other than default) to dispatch pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param arbiter.podAffinityPreset Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param arbiter.podAntiAffinityPreset Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param arbiter.nodeAffinityPreset.type Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param arbiter.nodeAffinityPreset.key Arbiter Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param arbiter.nodeAffinityPreset.values Arbiter Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param arbiter.affinity Arbiter Affinity for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: arbiter.podAffinityPreset, arbiter.podAntiAffinityPreset, and arbiter.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param arbiter.nodeSelector Arbiter Node labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param arbiter.tolerations Arbiter Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param arbiter.podLabels Arbiter pod labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param arbiter.podAnnotations Arbiter Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param arbiter.priorityClassName Name of the existing priority class to be used by Arbiter pod(s) + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param arbiter.runtimeClassName Name of the runtime class to be used by Arbiter pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## MongoDB(®) Arbiter pods' Security Context. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context + ## @param arbiter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param arbiter.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s) + ## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)' + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] + ## MongoDB(®) Arbiter containers' Security Context (only main container). + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context + ## @param arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged + ## @param arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param arbiter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param arbiter.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param 
arbiter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## MongoDB(®) Arbiter containers' resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param arbiter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param arbiter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param arbiter.containerPorts.mongodb MongoDB(®) arbiter container port + ## + containerPorts: + mongodb: 27017 + ## MongoDB(®) Arbiter pods' liveness probe. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.livenessProbe.enabled Enable livenessProbe + ## @param arbiter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param arbiter.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param arbiter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param arbiter.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param arbiter.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Arbiter pods' readiness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.readinessProbe.enabled Enable readinessProbe + ## @param arbiter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param arbiter.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param arbiter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param arbiter.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param arbiter.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Arbiter pods' startup probe. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.startupProbe.enabled Enable startupProbe + ## @param arbiter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param arbiter.startupProbe.periodSeconds Period seconds for startupProbe + ## @param arbiter.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param arbiter.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param arbiter.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param arbiter.customLivenessProbe Override default liveness probe for Arbiter containers + ## Ignored when arbiter.livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param arbiter.customReadinessProbe Override default readiness probe for Arbiter containers + ## Ignored when arbiter.readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param arbiter.customStartupProbe Override default startup probe for Arbiter containers + ## Ignored when arbiter.startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param arbiter.initContainers Add additional init containers for the Arbiter pod(s) + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## @param arbiter.sidecars Add additional sidecar containers for the Arbiter pod(s) + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param arbiter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Arbiter container(s) + ## Examples: + ## extraVolumeMounts: + ## - 
name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param arbiter.extraVolumes Optionally specify extra list of additional volumes to the Arbiter statefulset + ## extraVolumes: + ## - name: extras + ## emptyDir: {} + ## + extraVolumes: [] + ## MongoDB(®) Arbiter Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param arbiter.pdb.create Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) + ## + create: false + ## @param arbiter.pdb.minAvailable Minimum number/percentage of Arbiter pods that should remain scheduled + ## + minAvailable: 1 + ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable + ## + maxUnavailable: "" + ## MongoDB(®) Arbiter service parameters + ## + service: + ## @param arbiter.service.nameOverride The arbiter service name + ## + nameOverride: "" + ## @param arbiter.service.ports.mongodb MongoDB(®) service port + ## + ports: + mongodb: 27017 + ## @param arbiter.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param arbiter.service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## Headless service properties + ## + headless: + ## @param arbiter.service.headless.annotations Annotations for the headless service. 
+ ## + annotations: {} +## @section Hidden Node parameters +## +hidden: + ## @param hidden.enabled Enable deploying the hidden nodes + ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/ + ## + enabled: false + ## @param hidden.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param hidden.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param hidden.configuration Hidden node configuration file to be used + ## http://docs.mongodb.org/manual/reference/configuration-options/ + ## + configuration: "" + ## @param hidden.existingConfigmap Name of existing ConfigMap with Hidden node configuration + ## NOTE: When it's set the hidden.configuration parameter is ignored + ## + existingConfigmap: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param hidden.command Override default container command (useful when using custom images) + ## @param hidden.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## @param hidden.extraFlags Hidden node additional command line flags + ## Example: + ## extraFlags: + ## - "--wiredTigerCacheSizeGB=2" + ## + extraFlags: [] + ## @param hidden.extraEnvVars Extra environment variables to add to Hidden node pods + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param hidden.extraEnvVarsCM Name of existing ConfigMap containing extra env vars + ## + extraEnvVarsCM: "" + ## @param hidden.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param hidden.annotations Additional labels to be added to thehidden node statefulset + ## + annotations: {} + ## @param hidden.labels Annotations to be added to the hidden 
node statefulset + ## + labels: {} + ## @param hidden.topologySpreadConstraints MongoDB(®) Spread Constraints for hidden Pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + ## @param hidden.lifecycleHooks LifecycleHook for the Hidden container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param hidden.replicaCount Number of hidden nodes (only when `architecture=replicaset`) + ## Ignored when mongodb.architecture=standalone + ## + replicaCount: 1 + ## @param hidden.terminationGracePeriodSeconds Hidden Termination Grace Period + ## + terminationGracePeriodSeconds: "" + ## @param hidden.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## @param hidden.podManagementPolicy Pod management policy for hidden node + ## + podManagementPolicy: OrderedReady + ## @param hidden.schedulerName Name of the scheduler (other than default) to dispatch pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param hidden.podAffinityPreset Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param hidden.podAntiAffinityPreset Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## @param hidden.nodeAffinityPreset.type Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param hidden.nodeAffinityPreset.key Hidden Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param hidden.nodeAffinityPreset.values Hidden Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param hidden.affinity Hidden node Affinity for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param hidden.nodeSelector Hidden node Node labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param hidden.tolerations Hidden node Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param hidden.podLabels Hidden node pod labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param hidden.podAnnotations Hidden node Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param hidden.priorityClassName Name of the existing priority class to be used by hidden node pod(s) + ## ref: 
https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param hidden.runtimeClassName Name of the runtime class to be used by hidden node pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## MongoDB(®) Hidden pods' Security Context. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param hidden.podSecurityContext.enabled Enable Hidden pod(s)' Security Context + ## @param hidden.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param hidden.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param hidden.podSecurityContext.fsGroup Group ID for the volumes of the Hidden pod(s) + ## @param hidden.podSecurityContext.sysctls sysctl settings of the Hidden pod(s)' + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] + ## MongoDB(®) Hidden containers' Security Context (only main container). 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context + ## @param hidden.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param hidden.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged + ## @param hidden.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param hidden.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param hidden.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param hidden.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: null + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## MongoDB(®) Hidden containers' resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param hidden.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param hidden.containerPorts.mongodb MongoDB(®) hidden container port + ## + containerPorts: + mongodb: 27017 + ## MongoDB(®) Hidden pods' liveness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param hidden.livenessProbe.enabled Enable livenessProbe + ## @param hidden.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param hidden.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param hidden.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param hidden.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param hidden.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Hidden pods' readiness probe. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param hidden.readinessProbe.enabled Enable readinessProbe + ## @param hidden.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param hidden.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param hidden.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param hidden.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param hidden.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## Slow starting containers can be protected through startup probes + ## Startup probes are available in Kubernetes version 1.16 and above + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + ## @param hidden.startupProbe.enabled Enable startupProbe + ## @param hidden.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param hidden.startupProbe.periodSeconds Period seconds for startupProbe + ## @param hidden.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param hidden.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param hidden.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param hidden.customLivenessProbe Override default liveness probe for hidden node containers + ## Ignored when hidden.livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param hidden.customReadinessProbe Override default readiness probe for hidden node containers + ## Ignored when hidden.readinessProbe.enabled=true + ## + 
customReadinessProbe: {} + ## @param hidden.customStartupProbe Override default startup probe for MongoDB(®) containers + ## Ignored when hidden.startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param hidden.initContainers Add init containers to the MongoDB(®) Hidden pods. + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## @param hidden.sidecars Add additional sidecar containers for the hidden node pod(s) + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param hidden.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the hidden node container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param hidden.extraVolumes Optionally specify extra list of additional volumes to the hidden node statefulset + ## extraVolumes: + ## - name: extras + ## emptyDir: {} + ## + extraVolumes: [] + ## MongoDB(®) Hidden Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param hidden.pdb.create Enable/disable a Pod Disruption Budget creation for hidden node pod(s) + ## + create: false + ## @param hidden.pdb.minAvailable Minimum number/percentage of hidden node pods that should remain scheduled + ## + minAvailable: 1 + ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable + ## + maxUnavailable: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## + persistence: + ## @param hidden.persistence.enabled Enable hidden node data persistence using 
PVC + ## + enabled: true + ## @param hidden.persistence.medium Provide a medium for `emptyDir` volumes. + ## Requires hidden.persistence.enabled: false + ## + medium: "" + ## @param hidden.persistence.storageClass PVC Storage Class for hidden node data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param hidden.persistence.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param hidden.persistence.size PVC Storage Request for hidden node data volume + ## + size: 8Gi + ## @param hidden.persistence.annotations PVC annotations + ## + annotations: {} + ## @param hidden.persistence.mountPath The path the volume will be mounted at, useful when using different MongoDB(®) images. + ## + mountPath: /bitnami/mongodb + ## @param hidden.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param hidden.persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. 
when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @param hidden.persistence.volumeClaimTemplates.requests Custom PVC requests attributes + ## Sometime cloud providers use additional requests attributes to provision custom storage instance + ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset + ## + requests: {} + ## @param hidden.persistence.volumeClaimTemplates.dataSource Set volumeClaimTemplate dataSource + ## + dataSource: {} + service: + ## @param hidden.service.portName MongoDB(®) service port name + ## + portName: "mongodb" + ## @param hidden.service.ports.mongodb MongoDB(®) service port + ## + ports: + mongodb: 27017 + ## @param hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param hidden.service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## Headless service properties + ## + headless: + ## @param hidden.service.headless.annotations Annotations for the headless service. + ## + annotations: {} +## @section Metrics parameters +## +metrics: + ## @param metrics.enabled Enable using a sidecar Prometheus exporter + ## + enabled: false + ## Bitnami MongoDB(®) Promtheus Exporter image + ## ref: https://hub.docker.com/r/bitnami/mongodb-exporter/tags/ + ## @param metrics.image.registry [default: REGISTRY_NAME] MongoDB(®) Prometheus exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/mongodb-exporter] MongoDB(®) Prometheus exporter image repository + ## @skip metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest MongoDB(®) image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/mongodb-exporter + tag: 0.40.0-debian-12-r11 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.username String with username for the metrics exporter + ## If undefined the root user will be used for the metrics exporter + ## + username: "" + ## @param metrics.password String with password for the metrics exporter + ## If undefined but metrics.username is defined, a random password will be generated + ## + password: "" + ## @param metrics.compatibleMode Enables old style mongodb-exporter metrics + compatibleMode: true + collector: + ## @param metrics.collector.all Enable all collectors. 
Same as enabling all individual metrics + ## Enabling all metrics will cause significant CPU load on mongod + all: false + ## @param metrics.collector.diagnosticdata Boolean Enable collecting metrics from getDiagnosticData + diagnosticdata: true + ## @param metrics.collector.replicasetstatus Boolean Enable collecting metrics from replSetGetStatus + replicasetstatus: true + ## @param metrics.collector.dbstats Boolean Enable collecting metrics from dbStats + dbstats: false + ## @param metrics.collector.topmetrics Boolean Enable collecting metrics from top admin command + topmetrics: false + ## @param metrics.collector.indexstats Boolean Enable collecting metrics from $indexStats + indexstats: false + ## @param metrics.collector.collstats Boolean Enable collecting metrics from $collStats + collstats: false + ## @param metrics.collector.collstatsColls List of \.\ to get $collStats + collstatsColls: [] + ## @param metrics.collector.indexstatsColls List - List of \.\ to get $indexStats + indexstatsColls: [] + ## @param metrics.collector.collstatsLimit Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit + collstatsLimit: 0 + ## @param metrics.extraFlags String with extra flags to the metrics exporter + ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go + ## + extraFlags: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param metrics.command Override default container command (useful when using custom images) + ## @param metrics.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## Metrics exporter container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. 
This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param metrics.containerPort Port of the Prometheus metrics container + ## + containerPort: 9216 + ## Prometheus Exporter service configuration + ## + service: + ## @param metrics.service.annotations [object] Annotations for Prometheus Exporter pods. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + prometheus.io/path: "/metrics" + ## @param metrics.service.type Type of the Prometheus metrics service + ## + type: ClusterIP + ## @param metrics.service.ports.metrics Port of the Prometheus metrics service + ## + ports: + metrics: 9216 + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## Metrics exporter liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Metrics exporter readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param 
metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Slow starting containers can be protected through startup probes + ## Startup probes are available in Kubernetes version 1.16 and above + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + ## @param metrics.startupProbe.enabled Enable startupProbe + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param metrics.customLivenessProbe Override default liveness probe for MongoDB(®) containers + ## Ignored when livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Override default readiness probe for MongoDB(®) containers + ## Ignored when readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Override default startup probe for MongoDB(®) containers + ## Ignored when startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the metrics container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## Prometheus Service Monitor + ## ref: 
https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.labels Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator + ## + enabled: false + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.namespace Namespace where prometheusRules resource should be created + ## + namespace: "" + ## @param metrics.prometheusRule.rules Rules to be created, check values for an example + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#rulegroup + ## https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + ## + ## This is an example of a rule, you should add the below code block under the "rules" param, removing the brackets + ## rules: + ## - alert: HighRequestLatency + ## expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + ## for: 10m + ## labels: + ## severity: page + ## annotations: + ## summary: High request latency + ## + rules: [] diff --git a/kubernetes/common/music/Chart.yaml b/kubernetes/common/music/Chart.yaml deleted file mode 100644 index f275168967..0000000000 --- a/kubernetes/common/music/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: MUSIC - Multi-site State Coordination Service -name: music -version: 11.0.0 - -dependencies: - - name: music-cassandra - version: ~11.x-0 - repository: 'file://components/music-cassandra' - - name: common - version: ~11.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' - - name: certInitializer - version: ~11.x-0 - repository: 'file://../certInitializer' \ No newline at end of file diff --git a/kubernetes/common/music/Makefile b/kubernetes/common/music/Makefile deleted file mode 100644 index 51d7de122c..0000000000 --- a/kubernetes/common/music/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/common/music/components/Makefile b/kubernetes/common/music/components/Makefile deleted file mode 100644 index f4c9784bc4..0000000000 --- a/kubernetes/common/music/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/common/music/components/music-cassandra/.helmignore b/kubernetes/common/music/components/music-cassandra/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/common/music/components/music-cassandra/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/common/music/components/music-cassandra/Chart.yaml b/kubernetes/common/music/components/music-cassandra/Chart.yaml deleted file mode 100644 index 8a575c72f7..0000000000 --- a/kubernetes/common/music/components/music-cassandra/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP - Cassandra Database -name: music-cassandra -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: 'file://../../../common' - - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../../../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt b/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt deleted file mode 100644 index 7f60913d26..0000000000 
--- a/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. \ No newline at end of file diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql deleted file mode 100644 index a76d774bd3..0000000000 --- a/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql +++ /dev/null @@ -1,19 +0,0 @@ -CREATE KEYSPACE IF NOT EXISTS admin - WITH REPLICATION = { - 'class' : '{{.Values.cql.keyspace.replicationClass}}', - 'replication_factor': {{.Values.cql.keyspace.replicationFactor}} - } - AND DURABLE_WRITES = true; - -CREATE TABLE IF NOT EXISTS admin.keyspace_master ( - uuid uuid, - keyspace_name text, - application_name text, - is_api boolean, - password text, - username text, - is_aaf boolean, - PRIMARY KEY (uuid) -); - -describe keyspaces; diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql deleted file mode 100644 index 24f2ad77f7..0000000000 --- a/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql +++ /dev/null 
@@ -1,8 +0,0 @@ -CREATE ROLE IF NOT EXISTS {{.Values.cql.adminUser.username}} -WITH PASSWORD = '{{.Values.cql.adminUser.password}}' -AND SUPERUSER = true -AND LOGIN = true; - -ALTER ROLE cassandra -WITH PASSWORD = '{{.Values.cql.adminUser.passwordReplace}}'; - diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql deleted file mode 100644 index a516be857b..0000000000 --- a/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql +++ /dev/null @@ -1,23 +0,0 @@ -CREATE KEYSPACE testks - WITH REPLICATION = { - 'class' : '{{.Values.cql.keyspace.replicationClass}}', - 'replication_factor': {{.Values.cql.keyspace.replicationFactor}} - } - AND DURABLE_WRITES = true; - -CREATE TABLE testks.keyspace_master_table ( - uuid uuid, - keyspace_name text, - application_name text, - is_api boolean, - password text, - username text, - is_aaf boolean, - PRIMARY KEY (uuid) -); - -DESCRIBE KEYSPACES; -DESCRIBE keyspace testks; -SELECT * FROM system_auth.roles; -DROP keyspace testks; - diff --git a/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml b/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml deleted file mode 100755 index 011dccda25..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-cql - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/cql/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml b/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml deleted file mode 100755 index 72733b3088..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-extra-cql - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/cql/extra/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/common/music/components/music-cassandra/templates/job.yaml b/kubernetes/common/music/components/music-cassandra/templates/job.yaml deleted file mode 100644 index d3c89d4a59..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/job.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - music-cassandra - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-update-job - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.job.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: CASS_HOSTNAME - value: "{{ .Values.job.host }}" - - name: USERNAME - value: "{{ .Values.cql.adminUser.username }}" - - name: PORT - value: "{{ .Values.job.port }}" - - name: PASSWORD - value: "{{ .Values.cql.adminUser.password }}" - - name: TIMEOUT - value: "{{ .Values.job.timeout }}" - - name: DELAY - value: "{{ .Values.job.delay }}" - volumeMounts: - # Admin cql Files that setup Admin Keyspace and Change Admin user. - - name: {{ include "common.name" . }}-cql - mountPath: /cql/admin.cql - subPath: admin.cql - - name: {{ include "common.name" . }}-cql - mountPath: /cql/admin_pw.cql - subPath: admin_pw.cql - # This is where Apps or MISC will put any of their own startup cql scripts. - - name: {{ include "common.name" . }}-extra-cql - mountPath: /cql/extra - volumes: - - name: {{ include "common.name" . }}-cql - configMap: - name: {{ include "common.fullname" . }}-cql - - name: {{ include "common.name" . }}-extra-cql - configMap: - name: {{ include "common.fullname" . }}-extra-cql - restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/music/components/music-cassandra/templates/pv.yaml b/kubernetes/common/music/components/music-cassandra/templates/pv.yaml deleted file mode 100644 index 8399bff77d..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/pv.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/common/music/components/music-cassandra/templates/service.yaml b/kubernetes/common/music/components/music-cassandra/templates/service.yaml deleted file mode 100644 index 5a26d6701c..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/service.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: {{ .Values.service.type }} - # Not working, open k8s bug: https://github.com/kubernetes/kubernetes/issues/58662 - publishNotReadyAddresses: true - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName3 }} - - port: {{ .Values.service.internalPort3 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName3 }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - port: {{ 
.Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName3 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml deleted file mode 100644 index d80e70b5fb..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -{{/* -# Copyright © 2019 AT&T, Amdocs, Bell Canada, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - podManagementPolicy: {{ .Values.podManagementPolicy }} - updateStrategy: - type: {{ .Values.updateStrategy.type }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - readinessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - successThreshold: {{ .Values.readiness.successThreshold }} - failureThreshold: {{ .Values.readiness.failureThreshold }} - startupProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} - periodSeconds: {{ .Values.startup.periodSeconds }} - timeoutSeconds: {{ .Values.startup.timeoutSeconds }} - successThreshold: {{ .Values.startup.successThreshold }} - failureThreshold: {{ .Values.startup.failureThreshold }} - lifecycle: - preStop: - exec: - command: ["/bin/sh", "-c", "PID=$(pidof java) && kill $PID && while ps -p $PID > /dev/null; do sleep 1; done"] - env: - {{- $seed_size := default 1 .Values.replicaCount | int -}} - {{- $global := . 
}} - - name: MAX_HEAP_SIZE - value: {{ .Values.config.heap.max }} - - name: HEAP_NEWSIZE - value: {{ .Values.config.heap.min }} - - name: CASSANDRA_SEEDS - value: "{{- range $i, $e := until $seed_size }}{{ template "common.fullname" $global }}-{{ $i }}.{{ include "common.servicename" $global }}{{- if (lt ( add 1 $i ) $seed_size ) }},{{- end }}{{- end }}" - - name: JVM_OPTS - value: {{ .Values.config.jvmOpts | quote }} - - name: CASSANDRA_CLUSTER_NAME - value: {{ .Values.config.clusterName | quote }} - - name: CASSANDRA_DC - value: {{ .Values.config.dataCenter | quote }} - - name: CASSANDRA_RACK - value: {{ .Values.config.rackName | quote }} - - name: CASSANDRA_AUTO_BOOTSTRAP - value: {{ .Values.config.autoBootstrap | quote }} - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP -{{- if .Values.persistence.enabled }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/cassandra -{{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml deleted file mode 100644 index 92ed723989..0000000000 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - nodePortPrefix: 302 - persistence: {} - -replicaCount: 1 - -# Cassandra Image - This image is modified from the original on -# Docker Hub where the Security has been turned on. -# When logging into DB the default username and password are 'cassandra' -# kubectl exec -it -n cqlsh -u cassandra -p cassandra -image: onap/music/cassandra_3_11:3.0.24 -pullPolicy: Always - -# Cassandra ENV configuration -config: - heap: - max: 512M - min: 100M - jvmOpts: -Dcassandra.consistent.rangemovement=false - clusterName: music-cluster - dataCenter: onap-1 - rackName: Rack1 - autoBootstrap: true - ports: - cql: &cqlPort 9042 - thrift: &thriftPort 9160 - # If a JVM Agent is in place - # agent: 61621 - -service: - expose: true - type: ClusterIP - name: &cassandraService music-cassandra - internalPort: *cqlPort - portName: cql - internalPort2: *thriftPort - portName2: thrift - internalPort3: 61621 - portName3: agent - -job: - host: *cassandraService - port: *cqlPort - timeout: 30 - delay: 120 - image: onap/music/cassandra_job:3.0.24 - -cql: - keyspace: - replicationClass: "SimpleStrategy" - replicationFactor: 3 - adminUser: - username: nelson24 - password: nelson24 - passwordReplace: A2C4E6G8I0J2L4O6Q8S0U2W4Y6 - -# probe configuration 
parameters -liveness: - initialDelaySeconds: 1 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 1 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - -startup: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 90 - -podManagementPolicy: OrderedReady -updateStrategy: - type: OnDelete - -ingress: - enabled: false - -tolerations: [] - -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - ## storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs/ - mountSubPath: common/cassandra/data - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 500m - memory: 1.2Gi - requests: - cpu: 160m - memory: 900Mi - large: - limits: - cpu: 4 - memory: 10Gi - requests: - cpu: 2 - memory: 6Gi - unlimited: {} diff --git a/kubernetes/common/music/resources/config/logback.xml b/kubernetes/common/music/resources/config/logback.xml deleted file mode 100755 index 51423e547d..0000000000 --- a/kubernetes/common/music/resources/config/logback.xml +++ /dev/null 
@@ -1,302 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %X{keyspace} %msg%n - - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log.zip - 1GB - 5 - 5GB - - - ${applicationLoggerPattern} - - - - - 256 - true - - - - - - - - keyspace - unknown - - - - ${logDirectory}/${generalLogName}-keyspace.log - - ${logDirectory}/${generalLogName}-${keyspace}.%d{yyyy-MM-dd}.%i.log.zip - 30 - - - ${applicationLoggerPattern} - - - - - - - 256 - true - - - - - - - - - - - ${logDirectory}/${securityLogName}.log - - ${logDirectory}/${securityLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %msg%n - - - - - 256 - 0 - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${auditLoggerPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%i.log.zip - - 1 - 9 - - - 5MB - - - - ${metricsLoggerPattern} - - - - - - 256 - - - - - ${logDirectory}/${errorLogName}.log - - ${logDirectory}/${errorLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${errorLoggerPattern} - - - - - 256 - - - - - ${debugLogDirectory}/${debugLogName}.log - - ${debugLogDirectory}/${debugLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${debugLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/common/music/resources/config/music-sb.properties b/kubernetes/common/music/resources/config/music-sb.properties deleted file mode 100755 index 7a13f10d8e..0000000000 --- a/kubernetes/common/music/resources/config/music-sb.properties +++ /dev/null 
@@ -1,13 +0,0 @@ -server.port=8443 -server.servlet.context-path=/MUSIC/rest -spring.jackson.mapper.ACCEPT_CASE_INSENSITIVE_ENUMS=true -#server.ssl.enabled=false -server.tomcat.max-threads=100 -#logging.file=/opt/app/music/logs/MUSIC/music-app.log -#logging.config=file:/opt/app/music/etc/logback.xml -security.require-ssl=true -server.ssl.key-store=/opt/app/aafcertman/local/org.onap.music.jks -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.key-store-provider=SUN -server.ssl.key-store-type=JKS - diff --git a/kubernetes/common/music/resources/config/music.properties b/kubernetes/common/music/resources/config/music.properties deleted file mode 100755 index a7681d0a02..0000000000 --- a/kubernetes/common/music/resources/config/music.properties +++ /dev/null 
@@ -1,24 +0,0 @@ -lock.using={{.Values.properties.lockUsing}} -cassandra.host={{.Values.properties.cassandraHost}} -cassandra.port={{ .Values.properties.cassandraPort }} -lock.lease.period={{.Values.properties.lockLeasePeriod}} -cassandra.user=${CASSA_USER} -cassandra.password=${CASSA_PASSWORD} -cassandra.connecttimeoutms={{.Values.properties.cassandraConnecttimeoutms}} -cassandra.readtimeoutms={{.Values.properties.cassandraReadtimeoutms}} -cadi={{.Values.properties.cadi}} -music.aaf.ns={{.Values.properties.musicAafNs}} -keyspace.active={{.Values.properties.keyspaceActive}} -transId.header.required={{.Values.properties.transIdRequired}} -transId.header.prefix={{.Values.properties.transIdPrefix}} -conversation.header.required={{.Values.properties.conversationRequired}} -conversation.header.prefix={{.Values.properties.conversationPrefix}} -clientId.header.required={{.Values.properties.clientIdRequired}} -clientId.header.prefix={{.Values.properties.clientIdPrefix}} -messageId.header.required={{.Values.properties.messageIdRequired}} -messageId.header.prefix={{.Values.properties.messageIdPrefix}} -retry.count={{.Values.properties.retryCount}} -lock.daemon.sleeptime.ms={{.Values.properties.lockDaemonSleeptimeMs}} -keyspaces.for.lock.cleanup={{.Values.properties.keyspaceForLockCleanup}} -create.lock.wait.period.ms=0 -create.lock.wait.increment.ms=0 diff --git a/kubernetes/common/music/resources/config/startup.sh b/kubernetes/common/music/resources/config/startup.sh deleted file mode 100755 index eb84b084d0..0000000000 --- a/kubernetes/common/music/resources/config/startup.sh +++ /dev/null 
@@ -1,69 +0,0 @@ -#!/bin/sh - -{{/* -# ============LICENSE_START========================================== -# org.onap.music -# =================================================================== -# Copyright (c) 2019 AT&T Intellectual Property -# =================================================================== -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# ============LICENSE_END============================================= -# ==================================================================== -*/}} - -echo "Running startup script to get password from certman" -PWFILE=/opt/app/aafcertman/.password -LOGFILE=/opt/app/music/logs/MUSIC/music-sb.log -PROPS=/opt/app/music/etc/music-sb.properties -LOGBACK=/opt/app/music/etc/logback.xml -LOGGING= -DEBUG_PROP= -# Debug Setup. Uses env variables -# DEBUG and DEBUG_PORT -# DEBUG=true/false | DEBUG_PORT= -if [ "${DEBUG}" = "true" ]; then - if [ "${DEBUG_PORT}" = "" ]; then - DEBUG_PORT=8000 - fi - echo "Debug mode on" - DEBUG_PROP="-Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=${DEBUG_PORT},suspend=n" -fi - -# LOGBACK file: if /opt/app/music/etc/logback.xml exists thenuse that. 
-if [ -f $LOGBACK ]; then - LOGGING="--logging.config=file:${LOGBACK}" -fi - -# Get Passwords from /opt/app/aafcertman -if [ -f $PWFILE ]; then - echo "Found ${PWFILE}" >> $LOGFILE - PASSWORD=$(cat ${PWFILE}) -else - PASSWORD=changeit - echo "#### Using Default Password for Certs" >> ${LOGFILE} -fi - -# If music-sb.properties exists in /opt/app/music/etc then use that to override the application.properties -if [ -f $PROPS ]; then - # Run with different Property file - #echo "java ${DEBUG_PROP} -jar MUSIC.jar --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE}" - java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE} -else - #echo "java ${DEBUG_PROP} -jar MUSIC.jar --server.ssl.key-store-password=${PASSWORD} ${LOGGING} 2>&1 | tee ${LOGFILE}" - java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --server.ssl.key-store-password="${PASSWORD}" ${LOGGING} 2>&1 | tee ${LOGFILE} -fi - - - - diff --git a/kubernetes/common/music/templates/configmap.yaml b/kubernetes/common/music/templates/configmap.yaml deleted file mode 100644 index d42cf2e7e0..0000000000 --- a/kubernetes/common/music/templates/configmap.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{/* -# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/music/templates/deployment.yaml b/kubernetes/common/music/templates/deployment.yaml deleted file mode 100644 index 53d5a366f7..0000000000 --- a/kubernetes/common/music/templates/deployment.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{/* -# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-cassandra-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-music-cassandra-config" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.certInitializer.initContainer" . | indent 8 | trim }} - - command: - - sh - args: - - -c - - "export KEYSTORE_PASSWORD=$(cat /opt/app/aafcertman/local/.pass); cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "cassa-secret" "key" "password") | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /config-input - name: properties-music-scrubbed - - mountPath: /config - name: properties-music - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - containers: - # MUSIC Container - - name: "{{ include "common.name" . }}-springboot" - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - env: - - name: SPRING_OPTS - value: "{{ .Values.springOpts }}" - - name: JAVA_OPTS - value: "{{ .Values.javaOpts }}" - - name: DEBUG - value: "{{ .Values.debug }}" - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - - name: properties-music - mountPath: /opt/app/music/etc/music.properties - subPath: music.properties - - name: properties-music - mountPath: /opt/app/music/etc/music-sb.properties - subPath: music-sb.properties - - name: properties-music-scrubbed - mountPath: /opt/app/music/etc/logback.xml - subPath: logback.xml - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: shared-data - emptyDir: {} - - name: certificate-vol - emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-music-scrubbed - configMap: - name: {{ include "common.fullname" . }} - - name: properties-music - emptyDir: - medium: Memory diff --git a/kubernetes/common/music/templates/secrets.yaml b/kubernetes/common/music/templates/secrets.yaml deleted file mode 100644 index 15791a85d7..0000000000 --- a/kubernetes/common/music/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/common/music/templates/service.yaml b/kubernetes/common/music/templates/service.yaml deleted file mode 100644 index 3bd32a9419..0000000000 --- a/kubernetes/common/music/templates/service.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml deleted file mode 100644 index f578949196..0000000000 --- a/kubernetes/common/music/values.yaml +++ /dev/null 
@@ -1,167 +0,0 @@ -# Copyright © 2018-2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - truststore: truststoreONAPall.jks - - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: cassa-secret - type: basicAuth - login: '{{ .Values.properties.cassandraUser }}' - password: '{{ .Values.properties.cassandraPassword }}' - passwordPolicy: required - - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/music/music_sb:3.2.40 -pullPolicy: Always - -job: - host: cassandra - port: 9042 - - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 6 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - port: 8443 - - -# Java options that need to be passed to jave on CLI -#javaOpts: -Xms256m -Xmx2048m -javaOpts: -# Options that need to be passed to CLI for Sprngboot, pw is a secret passed in through ENV -springOpts: --spring.config.location=file:/opt/app/music/etc/music-sb.properties -# Resource Limit flavor -By Default using small -flavor: large -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1000m - memory: 1G - requests: - cpu: 300m - memory: 512Mi - large: - limits: - cpu: 1500m - memory: 3Gi - requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - -readiness: - initialDelaySeconds: 350 - periodSeconds: 120 - port: 8443 - -service: - useNodePortExt: true - type: NodePort - name: music - ports: - - name: https-api - port: 8443 - nodePort: '07' - -# Turn on Debugging true/false -debug: false -ingress: - enabled: false - -properties: - lockUsing: "cassandra" - # Comma dilimited list of hosts - cassandraHost: "music-cassandra" - cassandraUser: "nelson24" - cassandraPassword: "nelson24" - cassandraConnecttimeoutms: 12000 - cassandraPort: 9042 - # Connection Timeout for Cassandra in ms - # Read Timeout for Cassandra in ms - cassandraReadtimeoutms: 12000 - keyspaceActive: true - # Enable CADI - cadi: false - # Special headers that may be passed and if they are required. - # With the ability to add a Prefix if required. 
- transIdRequired: false - transIdPrefix: X-ATT- - conversationRequired: false - conversationPrefix: X-CSI- - clientIdRequired: false - clientIdPrefix: - messageIdRequired: false - messageIdPrefix: - - # sleep time for lock cleanup daemon, negative values turn off daemon -##### Lock settings - retryCount: 3 - lockLeasePeriod: 6000 - # sleep time for lock cleanup daemon, negative values turn off daemon - lockDaemonSleeptimeMs: 30000 - #comma separated list of keyspace names - keyspaceForLockCleanup: - - -logback: - errorLogLevel: info - securityLogLevel: info - applicationLogLevel: info - metricsLogLevel: info - auditLogLevel: info - # Values must be uppercase: INFO, WARN, CRITICAL,DEBUG etc.. - rootLogLevel: INFO - -#sub-charts configuration -certInitializer: - nameOverride: music-cert-initializer - fqdn: "music.onap" - app_ns: "org.osaaf.aaf" - fqi: "music@music.onap.org" - fqi_namespace: org.onap.music - public_fqdn: "music.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/app/aafcertman - aaf_add_config: > - echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass; diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml deleted file mode 100644 index 2c4ed9e581..0000000000 --- a/kubernetes/common/network-name-gen/Chart.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Name Generation Micro Service -name: network-name-gen -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' - - name: mariadb-galera - version: ~11.x-0 - repository: 'file://../mariadb-galera' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~11.x-0 - repository: 'file://../mariadb-init' - condition: not global.mariadbGalera.localCluster \ No newline at end of file diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml deleted file mode 100644 index 97fece8a54..0000000000 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: -{{- if .Values.global.mariadbGalera.localCluster }} - - --container-name - - {{ index .Values "mariadb-galera" "nameOverride" }} -{{- else }} - - --job-name - - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job -{{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - containers: - - name: {{ include "common.name" . 
}} - command: - - bash - args: - - '-c' - - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: SPRING_PROFILE - value: "{{ .Values.config.springProfile }}" - - name: NENG_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} - - name: NENG_DB_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} - - name: NENG_DB_URL - value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "db" "name" }} - - name: POL_CLIENT_AUTH - value: "{{ .Values.config.polClientAuth }}" - - name: POL_BASIC_AUTH_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} - - name: POL_BASIC_AUTH_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} - - name: POL_URL - {{- if (include "common.needTLS" .) }} - value: "{{ .Values.config.polUrl.https }}" - {{- else }} - value: "{{ .Values.config.polUrl.http }}" - {{- end }} - - name: POL_ENV - value: "{{ .Values.config.polEnv }}" - - name: POL_REQ_ID - value: "{{ .Values.config.polReqId }}" - - name: AAI_CERT_PASS - value: "{{ .Values.config.aaiCertPass }}" - - name: AAI_CERT_PATH - value: "{{ .Values.config.aaiCertPath }}" - - name: AAI_URI - {{- if (include "common.needTLS" .) 
}} - value: "{{ .Values.config.aaiUri.https }}" - {{- else }} - value: "{{ .Values.config.aaiUri.http }}" - {{- end }} - - name: AAI_AUTH - value: "{{ .Values.config.aaiAuth }}" - - name: DISABLE_HOST_VERIFICATION - value: "{{ .Values.config.disableHostVerification }}" - volumeMounts: - - name: certs - mountPath: /opt/etc/config/aai_keystore - subPath: aai_keystore - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: certs - secret: - secretName: {{ include "common.release" . }}-aai-keystore - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/network-name-gen/templates/service.yaml b/kubernetes/common/network-name-gen/templates/service.yaml deleted file mode 100644 index 753448c5b7..0000000000 --- a/kubernetes/common/network-name-gen/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml deleted file mode 100644 index e5e2a7a338..0000000000 --- a/kubernetes/common/network-name-gen/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: IfNotPresent - - mariadbGalera: &mariadbGalera - #This flag allows SO to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: neng-db-secret - name: &dbUserSecretName '{{ include "common.release" . }}-neng-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.externalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: pol-basic-auth-secret - name: '{{ include "common.release" . }}-pol-basic-auth-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . 
}}' - login: '{{ .Values.config.polBasicAuthUser }}' - password: '{{ .Values.config.polBasicAuthPassword }}' - -# sub-chart config -mariadb-galera: - db: - user: sdnctl - # password: - externalSecret: *dbUserSecretName - name: &mysqlDbName nengdb - nameOverride: nengdb - service: - name: nengdb - portName: nengdbport - replicaCount: 1 - persistence: - enabled: true - mountSubPath: network-name-gen/data - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: nengdb-init - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-apps-ms-neng:1.3.0 -pullPolicy: IfNotPresent - -# application configuration -config: - db: - userName: nenguser - # userPassword: password - # userCredentialsExternalSecret: some-secret - springProfile: live - polClientAuth: cHl0aG9uOnRlc3Q= - polBasicAuthUser: healthcheck - polBasicAuthPassword: zb!XztG34 - polUrl: - https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision - http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision - polEnv: TEST - polReqId: xx - disableHostVerification: true - aaiCertPass: changeit - aaiCertPath: /opt/etc/config/aai_keystore - aaiAuth: QUFJOkFBSQ== - aaiUri: - https: https://aai:8443/aai/v14/ - http: http://aai:8080/aai/v14/ - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: neng-serv - portName: http - internalPort: 8080 - externalPort: 8080 - -ingress: - enabled: false - -resources: {} 
diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index ff8c98cd13..81f566f9e1 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -16,13 +16,19 @@ apiVersion: v2 description: Chart for Postgres init job name: postgres-init -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../repositoryGenerator' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml index d9a7386f83..cc7d410eb2 100644 --- a/kubernetes/common/postgres-init/templates/job.yaml +++ b/kubernetes/common/postgres-init/templates/job.yaml 
@@ -28,26 +28,18 @@ spec: backoffLimit: 20 template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.global.postgres.container.name }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - command: - sh 
@@ -80,26 +72,16 @@ spec: value: "{{ .Values.config.pgDatabase }}" - name: PG_ROOT_PASSWORD_INPUT {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input/setup.sql - name: config - subPath: setup.sql - - mountPath: /config - name: pgconf image: {{ include "repositoryGenerator.image.postgres" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /config-input/setup.sql name: config subPath: setup.sql - mountPath: /config name: pgconf - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -109,10 +91,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ include "common.fullname" . }} @@ -120,5 +100,4 @@ spec: emptyDir: medium: Memory restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml index d6d51f0b51..160e6720ed 100644 --- a/kubernetes/common/postgres-init/values.yaml +++ b/kubernetes/common/postgres-init/values.yaml @@ -19,6 +19,7 @@ global: postgres: service: name: pgset + name2: tcp-pgset-primary container: name: postgres 
@@ -76,20 +77,31 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: postgres-init + roles: + - read + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.postgres.service.name2 }}' + wait_for_job_container: containers: - '{{ include "common.name" . }}-update-config' \ No newline at end of file diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml index 8644bcfd6d..3920d8e73d 100644 --- a/kubernetes/common/postgres/Chart.yaml +++ b/kubernetes/common/postgres/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP Postgres Server name: postgres -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl index 1051aaff0b..ff701a2c10 100644 --- a/kubernetes/common/postgres/templates/_deployment.tpl +++ b/kubernetes/common/postgres/templates/_deployment.tpl 
@@ -27,6 +27,12 @@ metadata: namespace: {{ include "common.namespace" $dot }} labels: app: {{ include "common.name" $dot }}-{{ $pgMode }} + app.kubernetes.io/name: {{ include "common.name" $dot }}-{{ $pgMode }} + {{- if $dot.Chart.AppVersion }} + version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ $dot.Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} release: {{ include "common.release" $dot }} heritage: {{ $dot.Release.Service }} @@ -42,11 +48,16 @@ spec: metadata: labels: app: {{ include "common.name" $dot }}-{{ $pgMode }} + app.kubernetes.io/name: {{ include "common.name" $dot }}-{{ $pgMode }} + {{- if $dot.Chart.AppVersion }} + version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ $dot.Chart.Version | replace "+" "_" }}" + {{- end }} release: {{ include "common.release" $dot }} name: "{{ index $dot.Values "container" "name" $pgMode }}" spec: - imagePullSecrets: - - name: "{{ include "common.namespace" $dot }}-docker-registry-key" + {{- include "common.imagePullSecrets" $dot | nindent 6 }} initContainers: - command: - sh 
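Review bot: the `version` label in both hunks (@@ -27,6 +27,12 and @@ -42,11 +48,16) only replaces "+" before using `Chart.AppVersion` or `Chart.Version` as a label value. Kubernetes label values are limited to 63 characters and to alphanumerics, "-", "_" and ".", so an AppVersion containing anything else makes the Deployment fail validation. The same if/else block is also pasted twice; moving it into one named helper in the common chart that sanitises and truncates the value would fix both places at once.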
@@ -158,7 +169,50 @@ spec: - mountPath: /backup name: {{ include "common.fullname" $dot }}-backup readOnly: true - resources: {{ include "common.resources" $dot | nindent 12 }} + resources: {{ include "common.resources" $dot | nindent 10 }} + {{- if (default false $dot.Values.metrics.enabled) }} + - name: {{ include "common.name" $dot }}-metrics + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ $dot.Values.metrics.image }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.metrics.pullPolicy | quote}} + env: + - name: POSTGRES_METRICS_EXTRA_FLAGS + value: {{ default "" (join " " $dot.Values.metrics.extraFlags) | quote }} + - name: DATA_SOURCE_USER + value: "{{ $dot.Values.metrics.postgresUser }}" + - name: DATA_SOURCE_PASS + {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 12 }} + command: + - sh + - -c + - | + DATA_SOURCE_URI="127.0.0.1:5432/?sslmode=disable" ./bin/postgres_exporter $POSTGRES_METRICS_EXTRA_FLAGS + ports: + {{- range $index, $metricPort := $dot.Values.metrics.ports }} + - name: {{ $metricPort.name }} + containerPort: {{ $metricPort.port }} + protocol: TCP + {{- end }} + livenessProbe: + httpGet: + path: /metrics + port: tcp-metrics + initialDelaySeconds: {{ $dot.Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ $dot.Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ $dot.Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ $dot.Values.metrics.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /metrics + port: tcp-metrics + initialDelaySeconds: {{ $dot.Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ $dot.Values.metrics.readinessProbe.timeoutSeconds }} + 
successThreshold: {{ $dot.Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ $dot.Values.metrics.readinessProbe.failureThreshold }} + {{ include "common.containerSecurityContext" $dot | indent 10 | trim }} + resources: {{- toYaml $dot.Values.metrics.resources | nindent 12 }} + {{ end }} {{- if $dot.Values.nodeSelector }} nodeSelector: {{ toYaml $dot.Values.nodeSelector | indent 10 }} @@ -168,9 +222,6 @@ spec: {{ toYaml $dot.Values.affinity | indent 10 }} {{- end }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" $dot }}-backup emptyDir: {} - name: {{ include "common.fullname" $dot }}-data diff --git a/kubernetes/common/postgres/templates/configmap.yaml b/kubernetes/common/postgres/templates/configmap.yaml index e8bfd1194a..ff4f976bf0 100644 --- a/kubernetes/common/postgres/templates/configmap.yaml +++ b/kubernetes/common/postgres/templates/configmap.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: ConfigMap metadata: @@ -26,4 +27,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} - +{{- end }} diff --git a/kubernetes/common/postgres/templates/deployment-primary.yaml b/kubernetes/common/postgres/templates/deployment-primary.yaml index c8a000142e..535eefa8cf 100644 --- a/kubernetes/common/postgres/templates/deployment-primary.yaml +++ b/kubernetes/common/postgres/templates/deployment-primary.yaml @@ -13,4 +13,6 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "primary") }} +{{- end }} \ No newline at end of file 
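Review bot: in the metrics sidecar added by @@ -158,7 +169,50, `DATA_SOURCE_PASS` is taken from `common.postgres.secret.rootPassUID` and `DATA_SOURCE_USER` defaults to `postgres` in values.yaml, so the exporter connects as the database superuser. A dedicated monitoring login (PostgreSQL's predefined `pg_monitor` role is meant for this) with its own secret would keep the root password out of a container whose only job is to serve `/metrics`. Two smaller points in the same hunk: `include "repositoryGenerator.dockerHubRepository" .` and `include "common.postgres.secret.rootPassUID" .` pass `.` while every other line uses `$dot`, and this template is called with `(dict "dot" . "pgMode" "primary")`, so `.` here is the dict rather than the chart context; please use `$dot` consistently. The closing `{{ end }}` has no whitespace trim, unlike the `{{- end }}` used around it.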
diff --git a/kubernetes/common/postgres/templates/deployment-replica.yaml b/kubernetes/common/postgres/templates/deployment-replica.yaml index dc19c2d985..97c7e11053 100644 --- a/kubernetes/common/postgres/templates/deployment-replica.yaml +++ b/kubernetes/common/postgres/templates/deployment-replica.yaml @@ -13,4 +13,6 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "replica") }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/metrics-svc-primary.yaml b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml new file mode 100644 index 0000000000..00a5182eb1 --- /dev/null +++ b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml 
@@ -0,0 +1,38 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if not .Values.global.postgres.useOperator }} +{{- if default false .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.service.name2 }}-metrics + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.metrics.service.annotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.metrics.service.annotations "context" .) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type2 }} + ports: + - name: tcp-metrics + port: {{ .Values.metrics.service.port2 }} + targetPort: tcp-metrics + selector: + name: {{ .Values.container.name.primary }} + release: {{ include "common.release" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/metrics-svc-replica.yaml b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml new file mode 100644 index 0000000000..b8b9e793e8 --- /dev/null +++ b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml 
@@ -0,0 +1,38 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if not .Values.global.postgres.useOperator }} +{{- if default false .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.service.name3 }}-metrics + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.metrics.service.annotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.metrics.service.annotations "context" .) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type3 }} + ports: + - name: tcp-metrics + port: {{ .Values.metrics.service.port3 }} + targetPort: tcp-metrics + selector: + name: {{ .Values.container.name.replica }} + release: {{ include "common.release" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/postgres.yaml b/kubernetes/common/postgres/templates/postgres.yaml new file mode 100644 index 0000000000..aca6aa260f --- /dev/null +++ b/kubernetes/common/postgres/templates/postgres.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.postgres.useOperator }} +{{ include "common.postgresOpInstance" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/pv-primary.yaml b/kubernetes/common/postgres/templates/pv-primary.yaml index e1ff1f9f4e..8db79d665e 100644 --- a/kubernetes/common/postgres/templates/pv-primary.yaml +++ b/kubernetes/common/postgres/templates/pv-primary.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if include "common.needPV" . -}} kind: PersistentVolume @@ -37,3 +38,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/primary {{- end -}} {{- end -}} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/templates/pv-replica.yaml b/kubernetes/common/postgres/templates/pv-replica.yaml index d553c36680..af46f611c8 100644 --- a/kubernetes/common/postgres/templates/pv-replica.yaml +++ b/kubernetes/common/postgres/templates/pv-replica.yaml 
@@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if include "common.needPV" . -}} kind: PersistentVolume @@ -35,5 +36,6 @@ spec: persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} hostPath: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/replica -{{- end -}} -{{- end -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pvc-primary.yaml b/kubernetes/common/postgres/templates/pvc-primary.yaml index a47d3ed56e..6aaa52913e 100644 --- a/kubernetes/common/postgres/templates/pvc-primary.yaml +++ b/kubernetes/common/postgres/templates/pvc-primary.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} kind: PersistentVolumeClaim apiVersion: v1 @@ -41,4 +42,5 @@ spec: {{- else }} storageClassName: {{ include "common.storageClass" . }} {{- end }} -{{- end -}} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pvc-replica.yaml b/kubernetes/common/postgres/templates/pvc-replica.yaml index 1e453fbcfd..f59adf736a 100644 --- a/kubernetes/common/postgres/templates/pvc-replica.yaml +++ b/kubernetes/common/postgres/templates/pvc-replica.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} kind: PersistentVolumeClaim apiVersion: v1 @@ -41,4 +42,5 @@ spec: {{- else }} storageClassName: {{ include "common.storageClass" . }} {{- end }} -{{- end -}} +{{- end }} +{{- end }} \ No newline at end of file 
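Review bot: wrapping the PV and PVC templates in `{{- if not .Values.global.postgres.useOperator }}` means that setting the flag to true on an already installed release removes these objects from the rendered manifest, and `helm upgrade` then deletes them. Whether the data directory survives depends on `persistence.volumeReclaimPolicy`, which the hunks leave untouched. Please document that the flag is not a safe in-place switch, or add the `helm.sh/resource-policy: keep` annotation to the claims so an accidental toggle does not drop the database volumes. The pv-replica hunk also changes `{{- end -}}` to `{{- end }}` while pv-primary keeps `{{- end -}}`; pick one form.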
diff --git a/kubernetes/common/postgres/templates/service-common.yaml b/kubernetes/common/postgres/templates/service-common.yaml index 6e74a06616..6ec83dc0f4 100644 --- a/kubernetes/common/postgres/templates/service-common.yaml +++ b/kubernetes/common/postgres/templates/service-common.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/service-primary.yaml b/kubernetes/common/postgres/templates/service-primary.yaml index 2965b7df81..bc60d27f44 100644 --- a/kubernetes/common/postgres/templates/service-primary.yaml +++ b/kubernetes/common/postgres/templates/service-primary.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: name: "{{.Values.container.name.primary}}" release: {{ include "common.release" . }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/service-replica.yaml b/kubernetes/common/postgres/templates/service-replica.yaml index d92a0833af..68694561bd 100644 --- a/kubernetes/common/postgres/templates/service-replica.yaml +++ b/kubernetes/common/postgres/templates/service-replica.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: name: "{{.Values.container.name.replica}}" release: {{ include "common.release" . }} +{{- end }} \ No newline at end of file 
diff --git a/kubernetes/common/postgres/templates/servicemonitor.yaml b/kubernetes/common/postgres/templates/servicemonitor.yaml new file mode 100644 index 0000000000..522e515545 --- /dev/null +++ b/kubernetes/common/postgres/templates/servicemonitor.yaml @@ -0,0 +1,20 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if not .Values.global.postgres.useOperator }} +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index 93f6d66385..c0cdfef2d2 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml @@ -19,6 +19,9 @@ global: nodePortPrefix: 302 persistence: {} + postgres: + # flag to enable the DB creation via mariadb-operator + useOperator: false ################################################################# # Secrets metaconfig 
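Review bot: the comment added in kubernetes/common/postgres/values.yaml (@@ -19,6 +19,9) reads "flag to enable the DB creation via mariadb-operator", but this is the postgres chart and the flag gates `common.postgresOpInstance`. The comment should name the Postgres operator, and it is worth stating here that `useOperator: true` disables every Deployment, Service, PV and PVC template in this chart, since that is not obvious from the flag name.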
@@ -38,6 +41,27 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.pgPrimaryPasswordExternalSecret) . }}' password: '{{ .Values.config.pgPrimaryPassword }}' +################################################################# +# Postgres Operator configuration defaults. +# Example: https://github.com/CrunchyData/postgres-operator-examples/tree/main/helm/postgres +################################################################# +postgresOperator: + postgresVersion: 16 + # Possibility to override images + #imagePostgres: + #imagePgBouncer: + #imageExporter: + #imagePgBackRest: + instanceName: instance1 + instanceReplicas: 2 + #instanceStorageClassName: + instanceSize: 1Gi + #instanceCPU: + #instanceMemory: + bouncerReplicas: 2 + monitoring: true + #monitoringConfig: {} + ################################################################# # Application configuration defaults. ################################################################# 
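Review bot: `postgresVersion: 16` is the operator default, while the non-operator path still uses `postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1` from the repositoryGenerator values. Flipping `useOperator` therefore changes the major PostgreSQL version by three releases with no note about data migration or client compatibility. Please either document the jump next to this block or default to a version consumers have been tested against. `monitoring: true` is also on by default here while `metrics.enabled` defaults to false on the other path; a one-line comment on why the defaults differ would help.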
@@ -136,16 +160,114 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} + +metrics: + enabled: false + ## Bitnami Postgres Prometheus exporter image + ## ref: https://hub.docker.com/r/bitnami/postgres-exporter/tags/ + ## + image: bitnami/postgres-exporter:0.11.1 + pullPolicy: Always + ports: + - name: tcp-metrics + port: 9187 + ## Postgres exporter additional command line flags + ## Can be used to specify command line flags + ## E.g.: + ## extraFlags: + ## - --collect.binlog_size + ## + extraFlags: [] + ## Postgres Prometheus exporter containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ limits: + cpu: "0.5" + memory: "200Mi" + requests: + cpu: "0.5" + memory: "200Mi" + ## Postgres metrics container's liveness and readiness probes + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + postgresUser: "postgres" + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 + ## Postgres Prometheus exporter service parameters + ## + service: + type2: ClusterIP + port2: 9187 + type3: ClusterIP + port3: 9187 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + serviceMonitor: + enabled: false + basicAuth: + enabled: false + ## Namespace in which Prometheus is running + ## + ## namespace: monitoring + ## + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + ## interval: 10s + ## + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + ## scrapeTimeout: 10s + ## Add your label under which prometheus is discovering resources + ## labels: + ## release: kube-prometheus-stack + ## + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## monitoring: enabled + ## + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + ## + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued 
as a template + ## + metricRelabelings: [] diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml index 3997aeb260..bb2986a9fb 100644 --- a/kubernetes/common/readinessCheck/Chart.yaml +++ b/kubernetes/common/readinessCheck/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: Template used to wait for other deployment/sts/jobs in onap name: readinessCheck -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl index 90c278e4c5..51791fec13 100644 --- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl +++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl @@ -35,6 +35,28 @@ - aaf-cm - aaf-service + the powerful one allows also to wait for pod names with this + (has to start with the given pod name): + wait_for: + name: myname + pods: + - test-pod + + the powerful one allows also to wait for a service to be + available, which means all pods are deployed, which are + selected by the service definition: + wait_for: + name: myservice + services: + - mariadb-galera-service + + the powerful one allows also to wait for pods with the + given "app" label: + wait_for: + name: myname + apps: + - mariadb-galera + the powerful one allows also to wait for jobs with this: wait_for: name: myname 
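Review bot: in the `metrics:` block added to kubernetes/common/postgres/values.yaml (@@ -136,16 +160,114), `livenessProbe.enabled` and `readinessProbe.enabled` are defined but the sidecar in `_deployment.tpl` renders both probes unconditionally, so setting them to false has no effect. Either honour the flags in the template or drop the keys. `timeoutSeconds: 180` with `periodSeconds: 10` and `failureThreshold: 3` also means a hung exporter is tolerated for several minutes before a restart; a timeout below the period is the usual choice. The copied comments need a pass as well: the example flag `--collect.binlog_size` belongs to the MySQL exporter, and "remove the curly braces after 'resources:'" refers to braces that are not there.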
@@ -48,8 +70,8 @@ - .dot : environment (.) - .initRoot : the root dictionary of readinessCheck submodule (default to .Values.readinessCheck) - - .wait_for : list of containers / jobs to wait for (default to - .Values.wait_for) + - .wait_for : list of service / containers / pods /apps / jobs to wait for + (default to .Values.wait_for) Example calls: {{ include "common.readinessCheck.waitFor" . }} @@ -62,6 +84,9 @@ {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{- $wait_for := default $initRoot.wait_for .wait_for -}} {{- $containers := index (ternary (dict "containers" $wait_for) $wait_for (kindIs "slice" $wait_for)) "containers" -}} +{{- $services := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "services" -}} +{{- $pods := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "pods" -}} +{{- $apps := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "apps" -}} {{- $namePart := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "name" -}} {{- $jobs := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "jobs" -}} - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $namePart) (empty $namePart) }}-readiness @@ -77,6 +102,18 @@ - --container-name - {{ tpl $container $dot }} {{- end }} + {{- range $pod := default (list) $pods }} + - --pod-name + - {{ tpl $pod $dot }} + {{- end }} + {{- range $service := default (list) $services }} + - --service-name + - {{ tpl $service $dot }} + {{- end }} + {{- range $app := default (list) $apps }} + - --app-name + - {{ tpl $app $dot }} + {{- end }} {{- range $job := $jobs }} - --job-name - {{ tpl $job $dot }} diff --git a/kubernetes/common/readinessCheck/values.yaml b/kubernetes/common/readinessCheck/values.yaml index 128c5057cc..239743e106 100644 --- a/kubernetes/common/readinessCheck/values.yaml +++ b/kubernetes/common/readinessCheck/values.yaml 
@@ -19,8 +19,8 @@ user: 100 group: 65533 limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" diff --git a/kubernetes/common/repository-wrapper/Chart.yaml b/kubernetes/common/repository-wrapper/Chart.yaml index c385a3bb36..c9894d2130 100644 --- a/kubernetes/common/repository-wrapper/Chart.yaml +++ b/kubernetes/common/repository-wrapper/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: Wrapper chart to allow docker secret to be shared all instances name: repository-wrapper -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/repositoryGenerator/Chart.yaml b/kubernetes/common/repositoryGenerator/Chart.yaml index fe710e1a2f..09d6836574 100644 --- a/kubernetes/common/repositoryGenerator/Chart.yaml +++ b/kubernetes/common/repositoryGenerator/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: Template used to generate the right repository link name: repositoryGenerator -version: 11.0.0 +version: 13.0.0 diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 1b99285a80..1da838a5b9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl 
@@ -58,6 +58,16 @@ {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "elasticRepository") .) }} {{- end -}} +{{/* + Resolve the name of the quay.io Repository image repository. + + - .Values.global.quayRepository : default image quayRepository for all images using quay repository + - .Values.quayRepositoryOverride : override global quayRepository repository on a per chart basis +*/}} +{{- define "repositoryGenerator.quayRepository" -}} + {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "quayRepository") .) }} +{{- end -}} + {{/* Resolve the name of the googleK8sRepository image repository. @@ -137,8 +147,8 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "readinessImage") .) }} {{- end -}} -{{- define "repositoryGenerator.image.dbcClient" -}} - {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dbcClientImage") .) }} +{{- define "repositoryGenerator.image.drProvClient" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "drProvClientImage") .) }} {{- end -}} {{- define "repositoryGenerator.image.quitQuit" -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 10703eff6e..da10d82035 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -21,6 +21,7 @@ global: elasticRepository: docker.elastic.co googleK8sRepository: k8s.gcr.io githubContainerRegistry: ghcr.io + quayRepository: quay.io # common global images busyboxImage: busybox:1.34.1 
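Review bot: @@ -137,8 +147,8 in `_repository.tpl` renames `repositoryGenerator.image.dbcClient` to `repositoryGenerator.image.drProvClient` in place, with the matching `dbcClientImage` key replaced in values.yaml. Any chart that still calls `include "repositoryGenerator.image.dbcClient"` will fail at render time because the template no longer exists. Please confirm no caller remains in the tree, and mention the rename in the release notes for out-of-tree charts pinned to `~13.x-0`.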
@@ -38,10 +39,10 @@ global: mariadbImage: bitnami/mariadb:10.5.8 nginxImage: bitnami/nginx:1.21.4 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 - dbcClientImage: onap/dmaap/dbc-client:2.0.9 - quitQuitImage: onap/oom/readiness:4.1.0 + drProvClientImage: onap/dmaap/datarouter-prov-client:2.1.15 + quitQuitImage: onap/oom/readiness:6.0.3 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -74,5 +75,5 @@ imageRepoMapping: postgresImage: dockerHubRepository readinessImage: repository dcaePolicySyncImage: repository - dbcClientImage: repository + drProvClientImage: repository quitQuitImage: repository diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml index 8024abafd8..5de7b72299 100644 --- a/kubernetes/common/roles-wrapper/Chart.yaml +++ b/kubernetes/common/roles-wrapper/Chart.yaml @@ -16,9 +16,9 @@ apiVersion: v2 description: Wrapper chart to allow default roles to be shared among onap instances name: roles-wrapper -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' \ No newline at end of file diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml index 0be6c7bbd6..3438b6e36e 100644 --- a/kubernetes/common/roles-wrapper/templates/role.yaml +++ b/kubernetes/common/roles-wrapper/templates/role.yaml @@ -30,6 +30,9 @@ rules: - batch - extensions resources: + - endpoints + - services + - nodes - pods - deployments - deployments/status diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index 3309753f37..7afd31f4d9 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml 
+++ b/kubernetes/common/serviceAccount/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,9 +18,9 @@ apiVersion: v2 description: Template used to create the right Service Accounts / Role / RoleBinding name: serviceAccount -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../common' \ No newline at end of file diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml index 7c272aecda..11593ccccb 100644 --- a/kubernetes/common/serviceAccount/templates/role-binding.yaml +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ {{- range $role_type := $dot.Values.roles }} {{/* retrieve the names for generic roles */}} {{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }} -{{- if not (has $role_type $dot.Values.defaultRoles) }} +{{- if or (not (has $role_type $dot.Values.defaultRoles)) ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} {{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} {{- end }} --- @@ -36,4 +37,3 @@ roleRef: name: {{ $name }} apiGroup: rbac.authorization.k8s.io {{- end }} - diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 2055885f2a..83cb945ba9 100644 
--- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -37,5 +38,114 @@ rules: verbs: - create {{- end }} +{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - endpoints + - services + - nodes + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + verbs: + - get + - watch + - list +{{- else }} +{{- if eq $role_type "create" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + - services + verbs: + - get + - watch + - list +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + - configmaps + verbs: + - patch +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + - services + - pods + verbs: + - create +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployments + - services + verbs: + - delete +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete +{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- end 
}} {{- end }} {{- end }} diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index 22faeb6904..4c9f75f38d 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,13 +13,21 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Default roles will be created by roles wrapper -# It won't work if roles wrapper is disabled. +# Global flag to enable the creation of default roles instead of using +# common roles-wrapper +global: + createDefaultRoles: false + +# Default roles will be created by roles wrapper, +# if "createDefaultRoles=false" roles: - nothing # - read # - create +# Flag to enable the creation of default roles instead of using +# common roles-wrapper +createDefaultRoles: false defaultRoles: - nothing - read diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml index 5e84be191b..d8b9869817 100644 --- a/kubernetes/common/timescaledb/Chart.yaml +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -22,15 +22,15 @@ apiVersion: v2 appVersion: "1.0" description: ONAP timescaledb name: timescaledb -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml index 2e83c5b1b0..653326be5f 100644 
--- a/kubernetes/common/timescaledb/templates/statefulset.yaml +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml @@ -74,8 +74,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }} - name: PGDATA value: /var/lib/postgresql/data/pgdata - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: {{ include "common.fullname" . }}-init mountPath: /docker-entrypoint-initdb.d diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml index 72a4b6ffd0..2643f55062 100644 --- a/kubernetes/common/timescaledb/values.yaml +++ b/kubernetes/common/timescaledb/values.yaml @@ -63,18 +63,18 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} nodeSelector: {} diff --git a/kubernetes/consul/.helmignore b/kubernetes/consul/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/consul/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/consul/Chart.yaml b/kubernetes/consul/Chart.yaml deleted file mode 100644 index c180bc16f0..0000000000 --- a/kubernetes/consul/Chart.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Consul Agent -name: consul -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: consul-server - version: ~11.x-0 - repository: 'file://components/consul-server' - condition: consul-server.enabled - - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/consul/Makefile b/kubernetes/consul/Makefile deleted file mode 100644 index c0253952aa..0000000000 --- a/kubernetes/consul/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/consul/components/Makefile b/kubernetes/consul/components/Makefile deleted file mode 100644 index 8674687e7d..0000000000 --- a/kubernetes/consul/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/consul/components/consul-server/Chart.yaml b/kubernetes/consul/components/consul-server/Chart.yaml deleted file mode 100644 index e1f838142a..0000000000 --- a/kubernetes/consul/components/consul-server/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Consul Server -name: consul-server -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/consul/components/consul-server/templates/NOTES.txt b/kubernetes/consul/components/consul-server/templates/NOTES.txt deleted file mode 100644 index 157fe92427..0000000000 --- a/kubernetes/consul/components/consul-server/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/consul/components/consul-server/templates/service.yaml b/kubernetes/consul/components/consul-server/templates/service.yaml deleted file mode 100644 index c24ddfb7e4..0000000000 --- a/kubernetes/consul/components/consul-server/templates/service.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-ui - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName2 }} - {{- else -}} - - port: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/consul/components/consul-server/templates/statefulset.yaml b/kubernetes/consul/components/consul-server/templates/statefulset.yaml deleted file mode 100644 index 8e872b9c87..0000000000 --- a/kubernetes/consul/components/consul-server/templates/statefulset.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup }} - command: ["/usr/local/bin/docker-entrypoint.sh"] - args: - - "agent" - - "-bootstrap-expect={{ .Values.replicaCount }}" - - "-enable-script-checks" -{{- $fullname := include "common.fullname" . -}} -{{- $servname := include "common.servicename" . 
-}} -{{- range $i,$t := until (int .Values.replicaCount)}} - - "-retry-join={{ $fullname }}-{{$i}}.{{ $servname }}" -{{- end }} - - "-client=0.0.0.0" - - "-server" - - "-ui" - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} diff --git a/kubernetes/consul/components/consul-server/values.yaml b/kubernetes/consul/components/consul-server/values.yaml deleted file mode 100644 index d4e649444a..0000000000 --- a/kubernetes/consul/components/consul-server/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - repository: nexus3.onap.org:10001 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/oom/consul:2.1.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 5 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 5 - -service: - type: ClusterIP - name: consul-server - portName: consul-join - internalPort: 8301 - type2: ClusterIP - portName2: consul-ui - internalPort2: 8500 - nodePort2: 70 - -ingress: - enabled: false - -#resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 30m - memory: 25Mi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -securityContext: - fsGroup: 1000 - runAsUser: 100 - runAsGroup: 1000 - -#Pods Service Account -serviceAccount: - nameOverride: consul-server - roles: - - read diff --git a/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json b/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json deleted file mode 100755 index cd715f8b6a..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "service": { - "name": "Health Check: Application Authorization Framework", - "checks": [ - { - "id": "aaf-service", - "name": "AAF Service Health Check", - "http": "https://aaf-service:8100/authz/perms/user/demo@people.osaaf.org", - "header": { - "Authorization": ["Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh"], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "20s", - "timeout": "5s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json b/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json deleted file mode 100644 index 965732da5d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "service": { - "name": "Health Check: Secret Management Service (sms)", - "check":[ - { - "id" : "aaf-sms-health", - "name": "SMS Health Check", - "http": "https://aaf-sms.{{ .Release.Namespace }}:10443/v1/sms/healthcheck", - "tls_skip_verify": true, - "method": "GET", - "interval": "20s", - "timeout": "5s" - } - ] - } -} - diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json deleted file mode 100644 index be41934e77..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "A&AI Synapse Data Routing Service", - "checks": [ - { - "id": "data-router-process", - "name": "Synapse Presence", - "script": "/consul/scripts/data-router-script.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json deleted file mode 100644 index 044a844e35..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "A&AI Model Loader", - "checks": [ - { - "id": "model-loader-process", - "name": "Model Loader Presence", - "script": "/consul/scripts/model-loader-script.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json deleted file mode 100644 index 0817a19cf0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "service": { - "name": "A&AI Search Data Service", - "checks": [ - { - "id": "elasticsearch", - "name": "Search Data Service Document Store", - "http": "http://aai-elasticsearch:9200/_cat/indices?v", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "elasticsearch-write-health", - "name": "Search Data Service Document Store Write Test", - "script": "/consul/scripts/aai-search-storage-write-script.sh", - "interval": "60s" - }, - { - "id": "search-data-service-availability", - "name": "Search Data Service Availability", - "script": "curl -k --cert /consul/certs/client-cert-onap.crt.pem --cert-type PEM --key /consul/certs/client-cert-onap.key.pem --key-type PEM https://search-data-service:9509/services/search-data-service/v1/jaxrsExample/jaxrs-services/echo/up 2>&1 | grep 'Up'", - "interval": "15s" - }, - { - "id": "search-data-service-api", - "name": "Search Data Service Operational Test", - "script": "/consul/scripts/search-data-service-availability.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json deleted file mode 100644 index 99acff4e61..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "service": { - "name": "Active and Available Inventory", - "checks": [ - { - "id": "aai-service", - "name": "Core A&AI", - "http": "https://aai.{{ .Release.Namespace }}:8443/aai/util/echo", - "header": { - "Authorization": ["Basic QUFJOkFBSQ=="], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "aai-resources", - "name": "Resources Microservice", - "http": "https://aai-resources.{{ .Release.Namespace }}:8447/aai/util/echo", - "header": { - "Authorization": ["Basic QUFJOkFBSQ=="], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "aai-traversal", - "name": "Traversal Microservice", - "http": "https://aai-traversal.{{ .Release.Namespace }}:8446/aai/util/echo", - "header": { - "Authorization": ["Basic QUFJOkFBSQ=="], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json deleted file mode 100644 index bf6305c1d0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "A&AI UI Backend Service", - "checks": [ - { - "id": "sparky-be-process", - "name": "UI Backend Presence", - "script": "/consul/scripts/sparky-be-script.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json b/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json deleted file mode 100644 index c86361743a..0000000000 
--- a/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC - Dgbuilder", - "checks": [ - { - "id": "appc-dgbuilder", - "name": "APPC-Dgbuilder Server Health Check", - "http": "http://appc-dgbuilder:3000/", - "method": "HEAD", - "header": { - "Authorization": ["Basic ZGd1c2VyOnRlc3QxMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-health.json b/kubernetes/consul/resources/config/consul-agent-config/appc-health.json deleted file mode 100644 index 86f2ce8da0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC", - "checks": [ - { - "id": "appc-dbhost-healthcheck", - "name": "APPC DBHost Health Check", - "script": "/consul/scripts/appc-dbhost-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json deleted file mode 100644 index 230d31f509..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC-SDN-CTL-DB-01", - "checks": [ - { - "id": "appc-sdnctldb01", - "name": "APPC SDNCTLDB01 Health Check", - "tcp": "appc-sdnctldb01:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} 
diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json deleted file mode 100644 index da669e3ac0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC-SDN-CTL-DB-02", - "checks": [ - { - "id": "appc-sdnctldb02", - "name": "APPC SDNCTLDB02 Health Check", - "tcp": "appc-sdnctldb02:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json deleted file mode 100644 index 1548cab909..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC - SDN Host", - "checks": [ - { - "id": "appc-sdnhost", - "name": "APPC SDN Host Health Check", - "http": "http://appc-sdnhost:8282/apidoc/explorer/index.html", - "method": "HEAD", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem b/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem deleted file mode 100644 index b842710c11..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem +++ /dev/null 
@@ -1,25 +0,0 @@ -Bag Attributes - friendlyName: tomcat - localKeyID: 54 69 6D 65 20 31 34 39 33 33 32 33 39 32 32 37 35 31 -subject=/C=CA/ST=Ontario/L=Ottawa/O=ONAP/OU=ONAP/CN=ONAP -issuer=/C=CA/ST=Ontario/L=Ottawa/O=ONAP/OU=ONAP/CN=ONAP ------BEGIN CERTIFICATE----- -MIIDWTCCAkGgAwIBAgIERWHcIzANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJD -QTEQMA4GA1UECBMHT250YXJpbzEPMA0GA1UEBxMGT3R0YXdhMQ0wCwYDVQQKEwRP -TkFQMQ0wCwYDVQQLEwRPTkFQMQ0wCwYDVQQDEwRPTkFQMB4XDTE3MDQyNzIwMDUz -N1oXDTM3MDExMjIwMDUzN1owXTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFy -aW8xDzANBgNVBAcTBk90dGF3YTENMAsGA1UEChMET05BUDENMAsGA1UECxMET05B -UDENMAsGA1UEAxMET05BUDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AJsQpjB5U0exZHWKVt6xDzmBBhLiAtv7Qb8zsbAcIZPxuKsieOJykWDCaf+Ip7oe -+b86nf4LmKrNm4KMsDNnlU7Bg7+3HFa7m+tZgfILORv2HPMRXgvcqPFr1dxgTBkp -xtlcGXHhA8oBpmqTmOCitE+ngVH+FBVxN93aHEDz+Dgc06PyzoP/xWI0GjvlOsv/ -qZeXCj6K4Hpu/FSPNk06Piq9M+rDwUMuyaRtY9FWjYMvkMCrRvlZUoAasrC0BGyR -UAboHdk5aW3AZ0cVR6NMSlELcvCUFqzacAOWLgffX3b5vhkOaAsmnnzmxANV6s0t -SqrD6Mmjg5OcYJW4VFKrwjUCAwEAAaMhMB8wHQYDVR0OBBYEFNji+IU70Qgptn4i -boq/rOKNAg8tMA0GCSqGSIb3DQEBCwUAA4IBAQBc5mJLeeUUzJ4MujZjn0DS3Lvv -THJTE54Id1euT3ddzfX3htF0Ewd90YzmLuj1y8r8PXj7b/8Bq+cvoKbmJ42c8h3X -If0tqde+gYWx1X3NAWHwz00Cje9R0KY4Bx1Cvr39jTw/ESnuSQDKPHBnn8WyAS9K -08ZhvrVSK54d3U7tDVut9UVva8Scdi12utTAWaOIlusLo3bU9Z6t+tgg7AnQBYc0 -N9oCMbq/MACFlLSdc1J6NITYS8XHY2RS8u88eLbWkCcEEx1glYz/PMX3+V1Ow9Uy -MjenEx8ifl96ZSOe9XsI2gl2TCaevCY/QuREu4LZB9XmO0gncH7gF5w9Bw2b ------END CERTIFICATE----- diff --git a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem b/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem deleted file mode 100644 index 95de561981..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem +++ /dev/null 
@@ -1,32 +0,0 @@ -Bag Attributes - friendlyName: tomcat - localKeyID: 54 69 6D 65 20 31 34 39 33 33 32 33 39 32 32 37 35 31 -Key Attributes: ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCbEKYweVNHsWR1 -ilbesQ85gQYS4gLb+0G/M7GwHCGT8birInjicpFgwmn/iKe6Hvm/Op3+C5iqzZuC -jLAzZ5VOwYO/txxWu5vrWYHyCzkb9hzzEV4L3Kjxa9XcYEwZKcbZXBlx4QPKAaZq -k5jgorRPp4FR/hQVcTfd2hxA8/g4HNOj8s6D/8ViNBo75TrL/6mXlwo+iuB6bvxU -jzZNOj4qvTPqw8FDLsmkbWPRVo2DL5DAq0b5WVKAGrKwtARskVAG6B3ZOWltwGdH -FUejTEpRC3LwlBas2nADli4H3192+b4ZDmgLJp585sQDVerNLUqqw+jJo4OTnGCV -uFRSq8I1AgMBAAECggEANFs6wcM1S0+qC8XZ7vb5nQDjfByzunLrkBN0O3JEJB/J -qn7JMixcyb7a61zIxR8QVHEGR3DC62jgyQOXusOOtjjAs0qwVtihnKVsKr1/WuGO -hMOobXjj0iAG5ZHeH+DrMxjVvo2rKdnExtdvFunY18xG7dhMD7Fam525THUTql4K -yxhT7X6MrfS1eFjbR6oAIGNjoNTwyyEjEm4yvHO3PnG2NeyIeu7zIO2k+GimAAXT -tN3AK30lmr3+35k6o+XQAhDE4/6msn6jBVSdLfK35ATFGwrojD0bCgALR4SUNEyd -i33nuNLGyeI7DPWbqmjyWQW9uWLFJD85We2HzqBZQQKBgQDIrJ4PLvYE75dFWnSa -lBr1HZbl/x5mP56MVEiwTabRbUsJoXKlX44lm9hwQaPbuoUAflb1ZtNKbyiRVsuN -Ft5RToU9PWXyFtc2eyLCJToxHI4MhsuGRAaEeic5+l12wdpRxl74eeXdKJK4P/iU -8wdhSxDG2ekkj6lyye5l5iwcBwKBgQDF0Pptcs+yPCz9FRqCmHT/I4QTK1VSD6mW -F2Yd2KEUa4aocIb+L56ghJfYR+enIe9hHmb0ulomJaLLTicZJk6ffDfaQpCFBiS7 -BirDqHX8zlnBHePrBzZPyA5EfGMLxlP4uUk4g28JMFBJaZTEXAnQLUH0mIm0o0YR -mbsaVo/Y4wKBgFsG8iuxAaf7hoLPJVV5GUFWyrxJnWCEO0csdEyE7MbS7NbRhU++ -qJwmtWc2Xz2svegbZxaqLe31vlEvLeYyGWaIV6gP0c6ezcDI2lt2x46/hS/pdSjS -cqJlRqXmC79y77VoZmwP31USsnshiYEHPLHFeza4YilTgWmwb5OJdTjBAoGBAJBC -0P7UhedjvyNqKoUnDdurWPxp07Ueuvw8YDpP61jq+a8JMUlaDQLe76XI+oWGV/6p -n0fGR0weklRV0Gmk6B2jB1BizuZUDqFd4/4ActtE2WvekoKqJc+VA+KqG8lQf5iZ -924BXA6Fb2e6WcXBoV5yQvFP9M0JbWYUiMCydAElAoGBAKof78r8POfTPq9fQA9I -0zsQGnxqnSqyIu5yobM3GyXHBPOKdevlxyXxuMnGTr7upSNZrDrrA+f5Czlu7Fas -qdt/5PmqYQjRsVoHNQFatUzHWwx2vU2Pr1jBpZFBpnjnLwn3A35+UEWn13nCjkla -TrDniEcyId4ya5cMLDnM7Zgw ------END PRIVATE KEY----- 
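Review bot: Deleting client-cert-onap.key.pem does not retire the key. The `-----BEGIN PRIVATE KEY-----` block is unencrypted PKCS#8 and remains recoverable from repository history, so the change description should state that this key pair (friendlyName tomcat, matching the client-cert-onap.crt.pem removed in the preceding hunk) is treated as compromised, and that no remaining chart, truststore or check still trusts that certificate. If any deployment still presents it, reissue the pair and deliver the new key through a Kubernetes Secret rather than a file under the chart's resources directory.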
diff --git a/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json b/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json deleted file mode 100644 index 5fb57b4b6b..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "service": { - "name": "Health Check: CLAMP", - "check":[ - { - "id" : "clamp-health", - "name": "Clamp Health Check", - "http": "http://clamp:8080/restservices/clds/v1/clds/healthcheck", - "tls_skip_verify": true, - "method": "GET", - "interval": "10s", - "timeout": "1s" - } - ] - } -} - diff --git a/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json b/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json deleted file mode 100644 index f5ae467d74..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "service": { - "name": "Health Check: CLAMP - MariaDb", - "checks": [ - { - "id": "clamp-mariadb", - "name": "CLAMP Mariadb Health Check", - "script": "/consul/scripts/clamp-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - - } -} - diff --git a/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json b/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json deleted file mode 100644 index 81e55cb871..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "service": { - "name": "Health Check: ONAP CLI", - "checks": [ - { - "id": "cli", - "name": "CLI Health Check", - "http": "http://cli.{{include "common.namespace" .}}:8080", - "method": "GET", - "interval": "3600s", - "timeout": "1s" - } - ] - } -} 
diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json b/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json deleted file mode 100644 index 6e580579e1..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "service": { - "name": "Health Check: Log - Elastic Search", - "checks": [ - { - "id": "log-elasticsearch-server", - "name": "Log Elastic Search Health Check", - "http": "http://log-es:9200/_cluster/health?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-elasticsearch-tcp", - "name": "Log Elastic Search TCP Health Check", - "tcp": "log-es-tcp:9300", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json b/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json deleted file mode 100644 index 6bca63f7bf..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "service": { - "name": "Health Check: Log - Kibana", - "checks": [ - { - "id": "log-kibana-server", - "name": "Log kibana Health Check", - "http": "http://log-kibana:5601/status", - "method": "HEAD", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json b/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json deleted file mode 100644 index ea32ecfe2a..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "service": { - "name": "Health Check: Log - Log Stash", - "checks": [ - { - "id": "log-logstash-internal-server-gi", - "name": "Log Stash Health Check - General Information", - "http": "http://log-ls-http:9600/?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-node-info", - "name": "Log Stash Health Check - Node Information", - "http": "http://log-ls-http:9600/_node/?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-os-info", - "name": "Log Stash Health Check - OS Information", - "http": "http://log-ls-http:9600/_node/os?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-jvm-info", - "name": "Log Stash Health Check - JVM Information", - "http": "http://log-ls-http:9600/_node/jvm?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-plugin-info", - "name": "Log Stash Health Check - Plugin Information", - "http": "http://log-ls-http:9600/_node/plugins?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-node-stat", - "name": "Log Stash Health Check - Node Stats", - "http": "http://log-ls-http:9600/_node/stats?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-jvm-stat", - "name": "Log Stash Health Check - JVM Stats", - "http": "http://log-ls-http:9600/_node/stats/jvm?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-process-stat", - "name": "Log Stash Health Check - Process Stats", - "http": 
"http://log-ls-http:9600/_node/stats/process?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-os-stat", - "name": "Log Stash Health Check - OS Stats", - "http": "http://log-ls-http:9600/_node/stats/os?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-tcp", - "name": "Log Stash File Beat TCP Health Check", - "tcp": "log-ls:5044", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties b/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties deleted file mode 100644 index aae18b1e98..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Model Loader Distribution Client Configuration -ml.distribution.ACTIVE_SERVER_TLS_AUTH=false -ml.distribution.ASDC_ADDRESS=c2.vm1.sdc.simpledemo.openecomp.org:8443 -ml.distribution.CONSUMER_GROUP=aai-ml-group -ml.distribution.CONSUMER_ID=aai-ml -ml.distribution.ENVIRONMENT_NAME=AUTO -ml.distribution.KEYSTORE_PASSWORD= -ml.distribution.KEYSTORE_FILE=asdc-client.jks -ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -ml.distribution.POLLING_INTERVAL=30 -ml.distribution.POLLING_TIMEOUT=20 -ml.distribution.USER=aai -ml.distribution.ARTIFACT_TYPES=MODEL_INVENTORY_PROFILE,MODEL_QUERY_SPEC,VNF_CATALOG - -# Model Loader AAI REST Client Configuration -ml.aai.BASE_URL=https://c1.vm1.aai.simpledemo.openecomp.org:8443 -ml.aai.MODEL_URL=/aai/v10/service-design-and-creation/models/model/ -ml.aai.NAMED_QUERY_URL=/aai/v10/service-design-and-creation/named-queries/named-query/ -ml.aai.VNF_IMAGE_URL=/aai/v8/service-design-and-creation/vnf-images -ml.aai.KEYSTORE_FILE=aai-os-cert.p12 -ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o -ml.aai.AUTH_USER=ModelLoader -ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw 
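Review bot: The three `OBF:` values removed here (ml.distribution.PASSWORD, ml.aai.KEYSTORE_PASSWORD, ml.aai.AUTH_PASSWORD) use Jetty's password obfuscation, which is reversible and not encryption, so removing the file from the tree leaves them readable in history. Please confirm in the change description that the `aai` and `ModelLoader` credentials and the aai-os-cert.p12 keystore password are demo-only or have been rotated.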
diff --git a/kubernetes/consul/resources/config/consul-agent-config/mr-health.json b/kubernetes/consul/resources/config/consul-agent-config/mr-health.json deleted file mode 100644 index d8c056f006..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/mr-health.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "service": { - "name": "Health Check: DMaaP", - "checks":[ - { - "id": "dmaap", - "name": "Health Check: Message Router", - "http": "http://message-router:3904/topics", - "tls_skip_verify": true, - "interval": "30s", - "timeout": "1s" - }, - { - "id": "mr-zookeeper", - "name": "Health Check: Message Router - ZooKeeper", - "script": "/consul/scripts/mr-zookeeper-health.sh", - "interval": "10s", - "timeout": "5s" - }, - { - "id": "mr-kafka", - "name": "Health Check: Message Router - Kafka", - "script": "/consul/scripts/mr-kafka-health.sh", - "interval": "30s", - "timeout": "5s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/msb-health.json b/kubernetes/consul/resources/config/consul-agent-config/msb-health.json deleted file mode 100644 index ad4e422be1..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/msb-health.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "service": { - "name": "Health Check: MSB", - "checks": [ - { - "id": "msb-eag", - "name": "MSB eag Health Check", - "http": "http://msb-eag:80/iui/microservices/default.html", - "method": "HEAD", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "msb-iag", - "name": "MSB iag Health Check", - "http": "http://msb-iag:80/iui/microservices/default.html", - "method": "HEAD", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "msb-consul", - "name": "MSB consul Health Check", - "tcp": "msb-consul:8500", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "msb-discovery", - "name": "MSB discovery Health Check", - "tcp": "msb-discovery:10081", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json b/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json deleted file mode 100644 index f6e48fac6b..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "service": { - "name": "Health Check: MULTICLOUD", - "checks": [ - { - "id": "framework", - "name": "Framework Health Check", - "http": "http://framework:9001/api/multicloud/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-pike", - "name": "Multicloud Pike Health Check", - "http": "http://multicloud-pike:9007/api/multicloud-pike/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-starlingx", - "name": "Multicloud Starlingx Health Check", - "http": "http://multicloud-starlingx:9009/api/multicloud-starlingx/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-vio", - "name": "Multicloud Vio Health Check", - "http": "http://multicloud-vio:9004/api/multicloud-vio/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-windriver", - "name": "Multicloud Windriver Health Check", - "http": "http://multicloud-windriver:9005/api/multicloud-titaniumcloud/v1/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} 
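Review bot: `"tls_skip_verify": true` is set on all five checks in this file although every URL is plain `http://`, so the flag never had any effect here. If these multicloud checks are re-created elsewhere, do not carry the flag over, because it would silently disable certificate verification as soon as one of the URLs moves to `https://`.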
diff --git a/kubernetes/consul/resources/config/consul-agent-config/policy-health.json b/kubernetes/consul/resources/config/consul-agent-config/policy-health.json deleted file mode 100644 index 9cad9dc1d5..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/policy-health.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "service": { - "name": "Health Check: Policy", - "checks": [ - { - "id": "Policy-mariadb-healthcheck", - "name": "Policy Mariadb Health Check", - "script": "/consul/scripts/policy-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "policy-nexus-local-status", - "name": "Policy Nexus Local Status", - "http": "http://nexus:8081/nexus/service/local/status", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "policy-nexus-internal-metrics", - "name": "Policy Nexus Internal Metrics", - "http": "http://nexus:8081/nexus/internal/metrics", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "policy-nexus-internal-healthcheck", - "name": "Policy Nexus Internal Healthcheck", - "http": "http://nexus:8081/nexus/internal/healthcheck", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "brmsgw-tcp", - "name": "BRMSGW Health Check", - "tcp": "brmsgw:9989", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "drools", - "name": "Drools Health Check", - "http": "https://drools:6969/healthcheck", - "method": "GET", - "header": { - "Authorization": ["Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh"], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - 
"timeout": "1s" - }, - { - "id": "pap", - "name": "PAP Health Check", - "http": "https://pap:9091/pap/test", - "method": "GET", - "header": { - "Authorization": ["Basic dGVzdHBhcDphbHBoYTEyMw=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "pdp", - "name": "PDP Health Check", - "http": "https://pdp:8081/pdp/test", - "method": "GET", - "header": { - "Authorization": ["Basic dGVzdHBkcDphbHBoYTEyMw=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt b/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt deleted file mode 100644 index a6e084cfea..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt +++ /dev/null @@ -1,9 +0,0 @@ -{ - "vnfId" : "testwrite", - "device" : "10.198.1.31", - "timestamp" : "2017-08-23T19:13:56Z", - "jdmTotalMem" : "2097152", - "jdmAvailableMem" : "1877272", - "jdmUserCpu" : "16", - "jdmSystemCpu" : "3" -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh deleted file mode 100755 index 91223f527e..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -if curl -s -X PUT http://aai-elasticsearch:9200/searchhealth/stats/testwrite -d @/consul/scripts/aai-search-storage-write-doc.txt | grep '\"created\":true'; then - if curl -s -X DELETE http://aai-elasticsearch:9200/searchhealth/stats/testwrite | grep '\"failed\":0'; then - if curl -s -X GET http://aai-elasticsearch:9200/searchhealth/stats/testwrite | grep '\"found\":false'; then - echo Successful PUT, DELETE, GET from Search Document Storage 2>&1 - exit 0 - else - echo Failed GET from Search Document Storage 2>&1 - exit 1 - fi - else - echo Failed DELETE from Search Document Storage 2>&1 - exit 1 - fi -else - echo Failed PUT from Search Document Storage 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh deleted file mode 100755 index 96e4864514..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -APPC_DBHOST_POD=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "appc-dbhost-[^[:space:]]*") -if [ -n "$APPC_DBHOST_POD" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $APPC_DBHOST_POD -- ./healthcheck.sh |grep -i "mysqld is alive"; then - echo Success. APPC DBHost is running. 2>&1 - exit 0 - else - echo Failed. APPC DBHost is not running. 2>&1 - exit 1 - fi -else - echo Failed. APPC DBHost is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh deleted file mode 100644 index 1b721b363c..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-clampdb[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. CLAMP DBHost is running. 2>&1 - exit 0 - else - echo Failed. CLAMP DBHost is not running. 2>&1 - exit 1 - fi - else - echo Failed. CLAMP DBHost is offline. 2>&1 - exit 1 - fi - diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh deleted file mode 100755 index 2e0078c72f..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-data-router[^[:space:]]*") - -if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'data-router' > /dev/null; then - - echo Success. Synapse process is running. 2>&1 - exit 0 - else - echo Failed. Synapse process is not running. 2>&1 - exit 1 - fi -else - echo Failed. Synapse container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh deleted file mode 100755 index e049402578..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-model-loader[^[:space:]]*") - -if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'model-loader' > /dev/null; then - - echo Success. Model Loader process is running. 2>&1 - exit 0 - else - echo Failed. Model Loader process is not running. 2>&1 - exit 1 - fi -else - echo Failed. Model Loader container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh deleted file mode 100755 index 816a0103f6..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -kafkapod=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-message-router-kafka-[^[:space:]]*") -if [ -n "$kafkapod" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $kafkapod -- ps ef | grep -i kafka; then - echo Success. Kafka process is running. 2>&1 - exit 0 - else - echo Failed. Kafka is not running. 2>&1 - exit 1 - fi -else - echo Failed. Kafka container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh deleted file mode 100755 index debcfd1868..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -zkpod=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-message-router-zookeeper-[^[:space:]]*") -if [ -n "$zkpod" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $zkpod -- ps aux | grep -i zookeeper; then - echo Success. Zookeeper process is running. 2>&1 - exit 0 - else - echo Failed. Zookeeper is not running. 2>&1 - exit 1 - fi -else - echo Failed. Zookeeper container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh deleted file mode 100644 index 865d477b7d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-policydb[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. mariadb process is running. 2>&1 - exit 0 - else - echo Failed. mariadb process is not running. 2>&1 - exit 1 - fi - else - echo Failed. mariadb container is offline. 2>&1 - exit 1 - fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh deleted file mode 100755 index c362ffed34..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component BE) and check to see if -## the BE component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "BE" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh deleted file mode 100755 index 18b5b9d4bd..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component CASSANDRA) and check to see if -## the CASSANDRA component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "CASSANDRA" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh deleted file mode 100755 index 21a2b80a3d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component FE) and check to see if -## the FE component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "FE" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh deleted file mode 100755 index fad3ddb293..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component TITAN) and check to see if -## the TITAN component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "TITAN" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh deleted file mode 100755 index ed7aefc0cf..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/sh -{{/* - -# Copyright © 2018 Amdocs -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# query ODL cluster state -USERNAME="{{.Values.odl.jolokia.username}}" -PASSWORD="{{.Values.odl.jolokia.password}}" - -count=${SDNC_ODL_COUNT:-1} -siteId=0 -if [ "$SDNC_IS_PRIMARY_CLUSTER" = "false" ];then - siteId=1 -fi - -for instance in $(seq $count);do - shard=member-$(( $siteId*$count + $instance ))-shard-default-config - mbean=Category=Shards,name=$shard,type=DistributedConfigDatastore - url=http://{{ include "common.release" . }}-sdnc-$(( $instance-1 )).sdnc-cluster.{{.Release.Namespace}}:8181/jolokia/read/org.opendaylight.controller:$mbean - - response=$( curl -s -u $USERNAME:$PASSWORD $url ) - rc=$? - if [ $rc -ne 0 ];then - # failed to contact SDN-C instance - try another - echo "Unable to connect to $shard [rc=$?]" - continue - fi - - status=$( echo "$response" | jq -r ".status" ) - if [ "$status" != "200" ];then - # query failed, try another instance - echo "$shard query failed [http-status=$status]" - continue - fi - - raftState=$( echo "$response" | jq -r ".value.RaftState" ) - if [ "$raftState" = "Leader" -o "$raftState" = "Follower" ];then - # cluster has a leader and is healthy - echo "$shard is healthy [RaftState=$raftState]" - exit 0 - else - echo "$shard is not healthy [RaftState=$raftState]" - fi -done - -# ODL cluster is not healthy -exit 2 
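Review bot: In the deleted sdnc-cluster-health.sh, the Jolokia credentials are templated directly into the script body (`USERNAME="{{.Values.odl.jolokia.username}}"`, `PASSWORD="{{.Values.odl.jolokia.password}}"`) and then passed on the command line with `curl -s -u $USERNAME:$PASSWORD`. Because consul/templates/configmap.yaml renders everything under scripts/ into a ConfigMap, the password was readable as plain ConfigMap data rather than held in a Secret. Removing the script closes that, but please confirm in this change whether the `odl.jolokia` values are still defined for the consul chart and drop them if nothing else reads them, so the credential does not linger in values with no consumer.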
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh deleted file mode 100755 index c0fbcfbbe3..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -SDNC_DBHOST_POD=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "sdnc-dbhost-[^[:space:]]*") -if [ -n "$SDNC_DBHOST_POD" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $SDNC_DBHOST_POD -- ./healthcheck.sh |grep -i "mysqld is alive"; then - echo Success. SDNC DBHost is running. 2>&1 - exit 0 - else - echo Failed. SDNC DBHost is not running. 2>&1 - exit 1 - fi -else - echo Failed. SDNC DBHost is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh deleted file mode 100644 index 68ab27dbc9..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/sh -{{/* - -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -SEARCH_SERVICE_NAME="search-data-service.{{ include "common.namespace" . }}" -SEARCH_SERVICE_PORT=9509 -HEALTH_CHECK_INDEX="healthcheck" - -# 'Document Index' REST Endpoint -INDEX_URL="https://$SEARCH_SERVICE_NAME:$SEARCH_SERVICE_PORT/services/search-data-service/v1/search/indexes/$HEALTH_CHECK_INDEX" -INDEX_SCHEMA="{\"fields\":[{\"name\": \"field1\", \"data-type\": \"string\"}]}" - -SEARCH_CERT_FILE="/consul/certs/client-cert-onap.crt.pem" -SEARCH_KEY_FILE="/consul/certs/client-cert-onap.key.pem" - -## Try to create an index via the Search Data Service API. -CREATE_INDEX_RESP=$(curl -s -o /dev/null -w "%{http_code}" -k --cert $SEARCH_CERT_FILE --cert-type PEM --key $SEARCH_KEY_FILE --key-type PEM -d "$INDEX_SCHEMA" --header "Content-Type: application/json" --header "X-TransactionId: ConsulHealthCheck" -X PUT $INDEX_URL) - -RESULT_STRING=" " - -if [ $CREATE_INDEX_RESP -eq 201 ]; then - RESULT_STRING="Service Is Able To Communicate With Back End" -elif [ $CREATE_INDEX_RESP -eq 400 ]; then - # A 400 response could mean that the index already exists (ie: we didn't - # clean up after ourselves on a previous check), so log the response but - # don't exit yet. If we fail on the delete then we can consider the - # check a failure, otherwise, we are good. 
- RESULT_STRING="$RESULT_STRING Create Index [FAIL - 400 (possible index already exists)] " -else - RESULT_STRING="Service API Failure - $CREATE_INDEX_RESP" - echo $RESULT_STRING - exit 1 -fi - -## Now, clean up after ourselves. -DELETE_INDEX_RESP=$(curl -s -o /dev/null -w "%{http_code}" -k --cert $SEARCH_CERT_FILE --cert-type PEM --key $SEARCH_KEY_FILE --key-type PEM -d "{ }" --header "Content-Type: application/json" --header "X-TransactionId: ConsulHealthCheck" -X DELETE $INDEX_URL) - -if [ $DELETE_INDEX_RESP -eq 200 ]; then - RESULT_STRING="Service Is Able To Communicate With Back End" -else - RESULT_STRING="Service API Failure - $DELETE_INDEX_RESP" - echo $RESULT_STRING - exit 1 -fi - -echo $RESULT_STRING -return 0 diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh deleted file mode 100755 index e0acea7ce9..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://so:8080/ecomp/mso/infra/healthcheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh deleted file mode 100755 index 2ef5f8c4dd..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://so:8080/mso/healthcheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh deleted file mode 100755 index deee34c001..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://so:8080/networks/rest/healthcheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh deleted file mode 100755 index a0974c0a45..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-so-db[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. mariadb process is running. 2>&1 - exit 0 - else - echo Failed. mariadb process is not running. 2>&1 - exit 1 - fi - else - echo Failed. mariadb container is offline. 2>&1 - exit 1 - fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh deleted file mode 100755 index 19134cfa76..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-sparky-be[^[:space:]]*") - -if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'sparky' > /dev/null; then - - echo Success. UI Backend Service process is running. 2>&1 - exit 0 - else - echo Failed. UI Backend Service process is not running. 2>&1 - exit 1 - fi -else - echo Failed. UI Backend Service container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh deleted file mode 100755 index 7b0bc246f6..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-vid-mariadb[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. mariadb process is running. 2>&1 - exit 0 - else - echo Failed. mariadb process is not running. 2>&1 - exit 1 - fi - else - echo Failed. mariadb container is offline. 2>&1 - exit 1 - fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json deleted file mode 100644 index 105635b592..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "service": { - "name": "Health Check: SDC", - "checks": [ - { - "id": "sdc-fe-healthcheck", - "name": "SDC Front End Health Check", - "script": "/consul/scripts/sdc-fe-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-be-healthcheck", - "name": "SDC Back End Health Check", - "script": "/consul/scripts/sdc-be-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-titan-healthcheck", - "name": "SDC Titan Health Check", - "script": "/consul/scripts/sdc-titan-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-cs-healthcheck", - "name": "SDC Cassandra Health Check", - "script": "/consul/scripts/sdc-cs-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-catalog-healthcheck", - "name": "SDC Catalog Health Check", - "http": "https://sdc-be:8443/asdc/v1/catalog/services", - "header": { - "Authorization": ["Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU="], - "X-ECOMP-InstanceID": ["VID"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json deleted file mode 100644 index 86a7630392..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC ODL Cluster", - "checks": [ - { - "id": "sdnc-odl-cluster-healthcheck", - "name": "SDNC ODL Cluster Health Check", - "script": "/consul/scripts/sdnc-cluster-health.sh", - "interval": "15s", - "timeout": "10s" - } - ] - } -} 
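Review bot: The `sdc-catalog-healthcheck` entry in the deleted sdc-health.json carries a hard-coded `"Authorization": ["Basic ..."]` header alongside `"tls_skip_verify": true`. Deleting the file removes the header from the tree but not from repository history, and a Basic value is only base64-encoded, so the credential should be treated as disclosed. Please note in the commit message whether the account behind it has been rotated or is a documented default, and check that no replacement health check reintroduces a literal Authorization header or disables certificate verification.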
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json deleted file mode 100644 index ea0ae562e9..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC - DB Host", - "checks": [ - { - "id": "sdnc-dbhost-healthcheck", - "name": "SDNC DBHOST Health Check", - "script": "/consul/scripts/sdnc-dbhost-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json deleted file mode 100644 index 72e6be9093..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC - DGBuilder", - "checks": [ - { - "id": "sdnc-dgbuilder", - "name": "SDNC-DGbuilder Health Check", - "http": "http://sdnc-dgbuilder:3000/", - "method": "HEAD", - "header": { - "Authorization": ["Basic ZGd1c2VyOnRlc3QxMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json deleted file mode 100644 index 5f42835cf7..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC", - "checks": [ - { - "id": "odl-api-healthcheck", - "name": "SDNC API Health Check", - "http": "http://sdnc:8282/restconf/operations/SLI-API:healthcheck", - "method": "POST", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json deleted file mode 100644 index ed196bd0cf..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC-SDN-CTL-DB-01", - "checks": [ - { - "id": "sdnctldb01", - "name": "SDNC SDNCTLDB01 Health Check", - "tcp": "sdnc-sdnctldb01:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json deleted file mode 100644 index b63329f544..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC-SDN-CTL-DB-02", - "checks": [ - { - "id": "sdnctldb02", - "name": "SDNC SDNCTLDB02 Health Check", - "tcp": "sdnc-sdnctldb02:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json deleted file mode 100644 index db84164fc7..0000000000 
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC - SDN Host", - "checks": [ - { - "id": "sdnc-sdnhost", - "name": "SDNC SDN Host Health Check", - "http": "http://sdnc:8282/apidoc/explorer/index.html", - "method": "HEAD", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/so-health.json b/kubernetes/consul/resources/config/consul-agent-config/so-health.json deleted file mode 100644 index 565c4a4a7a..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/so-health.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "service": { - "name": "Health Check: SO", - "checks": [ - { - "id": "so-api-healthcheck", - "name": "SO API Health Check", - "script": "/consul/scripts/so-api-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "so-camunda-healthcheck", - "name": "SO Camunda Health Check", - "script": "/consul/scripts/so-camunda-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "so-jra-healthcheck", - "name": "SO JRA Health Check", - "script": "/consul/scripts/so-jra-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json b/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json deleted file mode 100644 index fb554208e4..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "service": { - "name": "Health Check: SO - MariaDb", - "checks": [ - { - "id": "so-mariadb", - "name": "SO Mariadb Health Check", - "script": "/consul/scripts/so-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json b/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json deleted file mode 100644 index 3661ac708b..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "service": { - "name": "Health Check: VFC", - "checks": [ - { - "id": "vfc-catalog", - "name": "VFC catalog Health Check", - "tcp": "vfc-catalog:8806", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-emsdriver", - "name": "VFC emsdriver Health Check", - "tcp": "vfc-ems-driver:8206", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-gvnfmdriver", - "name": "VFC gvnfmdriver Health Check", - "tcp": "vfc-generic-vnfm-driver:8484", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-hwvnfmdriver", - "name": "VFC hwvnfmdriver Health Check", - "tcp": "vfc-huawei-vnfm-driver:8482", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-jujudriver", - "name": "VFC jujudriver Health Check", - "tcp": "vfc-juju-vnfm-driver:8483", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nokiavnfmdriver", - "name": "VFC nokiavnfmdriver Health Check", - "tcp": "vfc-nokia-vnfm-driver:8486", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nokiav2vnfmdriver", - "name": "VFC nokiav2vnfmdriver Health Check", - "tcp": "vfc-nokia-v2vnfm-driver:8089", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nslcm", - "name": "VFC nslcm Health Check", - "tcp": "vfc-nslcm:8403", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-resmgr", - "name": "VFC resmgr Health Check", - "tcp": "vfc-resmgr:8480", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnflcm", - "name": "VFC vnflcm Health Check", - "tcp": "vfc-vnflcm:8801", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnfmgr", - "name": "VFC vnfmgr Health Check", - "tcp": "vfc-vnfmgr:8803", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnfres", - "name": "VFC vnfres Health Check", - "tcp": "vfc-vnfres:8802", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-workflow", - "name": "VFC workflow Health Check", - "tcp": "vfc-workflow:10550", - "interval": "15s", - "timeout": "1s" - }, - { - "id": 
"vfc-workflowengineactiviti", - "name": "VFC workflow-engine Health Check", - "tcp": "vfc-workflow-engine:8080", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-ztesdncdriver", - "name": "VFC ztesdncdriver Health Check", - "tcp": "vfc-zte-sdnc-driver:8411", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-ztevnfmdriver", - "name": "VFC ztevnfmdriver Health Check", - "tcp": "vfc-zte-vnfm-driver:8410", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/vid-health.json b/kubernetes/consul/resources/config/consul-agent-config/vid-health.json deleted file mode 100644 index d6d8d4c03d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/vid-health.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "service": { - "name": "Health Check: VID", - "checks": [ - { - "id": "vid-server", - "name": "VID Server Health Check", - "http": "http://vid:8080/vid/healthCheck", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vid-mariadb", - "name": "Vid Mariadb Health Check", - "script": "/consul/scripts/vid-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/templates/configmap.yaml b/kubernetes/consul/templates/configmap.yaml deleted file mode 100644 index 42c8cba6b4..0000000000 --- a/kubernetes/consul/templates/configmap.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/consul-agent-config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-scripts-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/consul-agent-config/scripts/*").AsConfig . | indent 2 }} diff --git a/kubernetes/consul/templates/deployment.yaml b/kubernetes/consul/templates/deployment.yaml deleted file mode 100644 index c5d12a4693..0000000000 --- a/kubernetes/consul/templates/deployment.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-chown - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} - command: - - sh - args: - - -c - - | - cp -r -L /tmp/consul/config/* /consul/config/ - chown -R {{ .Values.consulUID }}:{{ .Values.consulGID }} /consul/config - ls -la /consul/config - volumeMounts: - - mountPath: /tmp/consul/config - name: consul-agent-config - - mountPath: /consul/config - name: consul-agent-config-dir - containers: - - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup }} - command: - - docker-entrypoint.sh - args: - - agent - - -client - - 0.0.0.0 - - -enable-script-checks - - -retry-join - - {{ .Values.consulServer.nameOverride }} - name: {{ include "common.name" . }} - env: - - name: SDNC_ODL_COUNT - value: "{{ .Values.sdnc.replicaCount }}" - - name: SDNC_IS_PRIMARY_CLUSTER - value: "{{ .Values.sdnc.config.isPrimaryCluster }}" - volumeMounts: - - mountPath: /consul/config - name: consul-agent-config-dir - - mountPath: /consul/scripts - name: consul-agent-scripts-config - - mountPath: /consul/certs - name: consul-agent-certs-config - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: consul-agent-config-dir - emptyDir: {} - - configMap: - name: {{ include "common.fullname" . }}-configmap - name: consul-agent-config - - configMap: - name: {{ include "common.fullname" . }}-scripts-configmap - defaultMode: 0755 - name: consul-agent-scripts-config - - secret: - secretName: {{ include "common.fullname" . }}-certs-secret - name: consul-agent-certs-config diff --git a/kubernetes/consul/templates/ingress.yaml b/kubernetes/consul/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/consul/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/consul/templates/secrets.yaml b/kubernetes/consul/templates/secrets.yaml deleted file mode 100644 index 27cfbf00d0..0000000000 --- a/kubernetes/consul/templates/secrets.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-certs-secret - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/consul-agent-config/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml deleted file mode 100644 index e2aa181efb..0000000000 --- a/kubernetes/consul/values.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - busyboxRepository: registry.hub.docker.com - busyboxImage: library/busybox:latest - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/oom/consul:2.1.0 -pullPolicy: Always - -#subchart name -consulServer: - nameOverride: consul-server - -consulUID: 100 -consulGID: 1000 - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 90 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 90 - periodSeconds: 10 - -service: {} - -ingress: - enabled: false - service: - - baseaddr: "consul.api" - name: "consul-server" - port: 8800 - config: - ssl: "none" - -#resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 1 - memory: 1500Mi - requests: - cpu: 650m - memory: 530Mi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -odl: - jolokia: - username: admin - password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - -sdnc: - config: - isPrimaryCluster: true - replicaCount: 1 - -securityContext: - fsGroup: 1000 - runAsUser: 100 - runAsGroup: 1000 - -#Pods Service Account -serviceAccount: - nameOverride: consul - roles: - - read 
diff --git a/kubernetes/contrib/.gitignore b/kubernetes/contrib/.gitignore deleted file mode 100644 index 7020381894..0000000000 --- a/kubernetes/contrib/.gitignore +++ /dev/null @@ -1 +0,0 @@ -components/dist diff --git a/kubernetes/contrib/.helmignore b/kubernetes/contrib/.helmignore deleted file mode 100644 index 68ffb32406..0000000000 --- a/kubernetes/contrib/.helmignore +++ /dev/null @@ -1 +0,0 @@ -components/ diff --git a/kubernetes/contrib/Chart.yaml b/kubernetes/contrib/Chart.yaml deleted file mode 100755 index 0d366ff68f..0000000000 --- a/kubernetes/contrib/Chart.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright © 2017 Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP optional tools -name: contrib -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: awx - version: ~11.x-0 - repository: 'file://components/awx' - condition: awx.enabled - - name: ejbca - version: ~11.x-0 - repository: 'file://components/ejbca' - condition: global.cmpv2Enabled - - name: netbox - version: ~11.x-0 - repository: 'file://components/netbox' - condition: netbox.enabled - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/contrib/Makefile b/kubernetes/contrib/Makefile deleted file mode 100644 index 81e43acc82..0000000000 
--- a/kubernetes/contrib/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dns-server-for-vhost-ingress-testing ingress-nginx-post-inst metallb-loadbalancer-inst tools -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/Makefile b/kubernetes/contrib/components/Makefile deleted file mode 100644 index f4c9784bc4..0000000000 --- a/kubernetes/contrib/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/awx/Chart.yaml b/kubernetes/contrib/components/awx/Chart.yaml deleted file mode 100755 index 3eea511656..0000000000 --- a/kubernetes/contrib/components/awx/Chart.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Copyright © 2019 Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Ansible AWX -name: awx -sources: - - https://github.com/ansible/awx -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: awx-postgres - version: ~11.x-0 - repository: 'file://components/awx-postgres' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/Makefile b/kubernetes/contrib/components/awx/Makefile deleted file mode 100644 index 51d7de122c..0000000000 --- a/kubernetes/contrib/components/awx/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/awx/components/Makefile b/kubernetes/contrib/components/awx/components/Makefile deleted file mode 100644 index f4c9784bc4..0000000000 --- a/kubernetes/contrib/components/awx/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml deleted file mode 100755 index be7254a892..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2019 Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Ansible AWX database -name: awx-postgres -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt b/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt deleted file mode 100755 index 3ab092e848..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml deleted file mode 100755 index 3b4dad55ec..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - readinessProbe: - exec: - command: - - /bin/sh - - -i - - -c - - psql -h 127.0.0.1 -U $POSTGRES_USER -q -d {{ .Values.config.postgresDB }} - -c 'SELECT 1' - initialDelaySeconds: 5 - timeoutSeconds: 1 - env: - - name: POSTGRES_USER - value: "{{ .Values.config.postgresUser }}" - - name: POSTGRES_PASSWORD - value: "{{ .Values.config.postgresPassword }}" - - name: POSTGRES_DB - value: "{{ .Values.config.postgresDB }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/postgresql/ - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml deleted file mode 100755 index bfe63abafe..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml deleted file mode 100755 index e12dabf175..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml deleted file mode 100755 index f560417425..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml deleted file mode 100755 index a6dc5ff90a..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - -# application image -image: postgres:10.4-alpine -pullPolicy: Always - -# application configuration -config: - postgresUser: awx - postgresPassword: awx - postgresDB: awx - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 1Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. 
- - mountPath: /dockerdata-nfs - mountSubPath: awx/pgdata - -service: - type: ClusterIP - name: awx-postgresql - portName: tcp-postgresql - internalPort: 5432 - externalPort: 5432 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: awx-postgres - roles: - - read diff --git a/kubernetes/contrib/components/awx/resources/config/credentials.py b/kubernetes/contrib/components/awx/resources/config/credentials.py deleted file mode 100644 index 85808d10d4..0000000000 --- a/kubernetes/contrib/components/awx/resources/config/credentials.py +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -DATABASES = { - 'default': { - 'ATOMIC_REQUESTS': True, - 'ENGINE': 'awx.main.db.profiled_pg', - 'NAME': "{{ .Values.config.postgresDB }}", - 'USER': "{{ .Values.config.postgresUser }}", - 'PASSWORD': "{{ .Values.config.postgresPassword }}", - 'HOST': "awx-postgresql", - 'PORT': "5432", - } -} -BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format( - "{{ .Values.config.rabbitmqUser }}", - "{{ .Values.config.rabbitmqPassword }}", - "localhost", - "5672", - "{{ .Values.config.rabbitmqVhost }}") -CHANNEL_LAYERS = { - 'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer', - 'ROUTING': 'awx.main.routing.channel_routing', - 'CONFIG': {'url': BROKER_URL}} -} \ No newline at end of file 
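Review bot: the awx-postgres values.yaml deleted here shipped `postgresUser: awx` / `postgresPassword: awx` as chart defaults, and the deleted credentials.py rendered `.Values.config.postgresPassword` and `.Values.config.rabbitmqPassword` directly into `DATABASES` and `BROKER_URL`, but the removal carries no note for anyone who installed from these files. Please add a release note saying the AWX contrib component is gone and that a database still running with the default password needs it rotated. Also confirm that no remaining chart dependency or override file still refers to `awx-postgres` or `config.postgresPassword`, since those references would now resolve to nothing.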
diff --git a/kubernetes/contrib/components/awx/resources/config/environment.sh b/kubernetes/contrib/components/awx/resources/config/environment.sh deleted file mode 100644 index cbfe2857ba..0000000000 --- a/kubernetes/contrib/components/awx/resources/config/environment.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -DATABASE_USER={{ .Values.config.postgresUser }} -DATABASE_NAME={{ .Values.config.postgresDB }} -DATABASE_HOST=awx-postgresql -DATABASE_PORT=5432 -DATABASE_PASSWORD={{ .Values.config.postgresPassword }} -MEMCACHED_HOST=localhost -RABBITMQ_HOST=localhost -AWX_ADMIN_USER={{ .Values.config.awxAdminUser }} -AWX_ADMIN_PASSWORD={{ .Values.config.awxAdminPassword }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/configmap.yaml b/kubernetes/contrib/components/awx/templates/configmap.yaml deleted file mode 100644 index 59900f1c64..0000000000 --- a/kubernetes/contrib/components/awx/templates/configmap.yaml +++ /dev/null 
@@ -1,238 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-init-mgnt - namespace: {{ include "common.namespace" . }} -data: - entrypoint: | - #/bin/sh - - awx-manage migrate --noinput - if [[ `echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell` > 0 ]] - then - echo 'from django.contrib.auth.models import User; User.objects.create_superuser('{{ .Values.config.awxAdminUser }}', '{{ .Values.config.awxAdminEmail }}', '{{ .Values.config.awxAdminPassword }}')' | awx-manage shell - awx-manage update_password --username='{{ .Values.config.awxAdminUser }}' --password='{{ .Values.config.awxAdminPassword }}' - fi ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-settings - namespace: {{ include "common.namespace" . 
}} -data: - awx_settings: | - import os - import socket - ADMINS = () - - AWX_PROOT_ENABLED = True - - # Automatically deprovision pods that go offline - AWX_AUTO_DEPROVISION_INSTANCES = True - - SYSTEM_TASK_ABS_CPU = 6 - SYSTEM_TASK_ABS_MEM = 20 - - INSIGHTS_URL_BASE = "https://example.org" - - #Autoprovisioning should replace this - CLUSTER_HOST_ID = socket.gethostname() - SYSTEM_UUID = '00000000-0000-0000-0000-000000000000' - - SESSION_COOKIE_SECURE = False - CSRF_COOKIE_SECURE = False - - REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR'] - - STATIC_ROOT = '/var/lib/awx/public/static' - PROJECTS_ROOT = '/var/lib/awx/projects' - JOBOUTPUT_ROOT = '/var/lib/awx/job_status' - SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip() - ALLOWED_HOSTS = ['*'] - INTERNAL_API_URL = 'http://127.0.0.1:8052' - SERVER_EMAIL = 'root@localhost' - DEFAULT_FROM_EMAIL = 'webmaster@localhost' - EMAIL_SUBJECT_PREFIX = '[AWX] ' - EMAIL_HOST = 'localhost' - EMAIL_PORT = 25 - EMAIL_HOST_USER = '' - EMAIL_HOST_PASSWORD = '' - EMAIL_USE_TLS = False - - LOGGING['handlers']['console'] = { - '()': 'logging.StreamHandler', - 'level': 'DEBUG', - 'formatter': 'simple', - } - - LOGGING['loggers']['django.request']['handlers'] = ['console'] - LOGGING['loggers']['rest_framework.request']['handlers'] = ['console'] - LOGGING['loggers']['awx']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console'] - LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console'] - LOGGING['loggers']['social']['handlers'] = ['console'] - LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console'] - LOGGING['loggers']['rbac_migrations']['handlers'] = ['console'] - 
LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console'] - LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'} - - CACHES = { - 'default': { - 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', - 'LOCATION': '{}:{}'.format("localhost", "11211") - }, - 'ephemeral': { - 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', - }, - } - - USE_X_FORWARDED_PORT = True ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-rabbitmq - namespace: {{ include "common.namespace" . }} -data: - enabled_plugins: | - [rabbitmq_management,rabbitmq_peer_discovery_k8s]. 
- rabbitmq.conf: | - ## Clustering - management.load_definitions = /etc/rabbitmq/rabbitmq_definitions.json - cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s - cluster_formation.k8s.host = kubernetes.default.svc - cluster_formation.k8s.address_type = ip - cluster_formation.node_cleanup.interval = 10 - cluster_formation.node_cleanup.only_log_warning = false - cluster_partition_handling = autoheal - ## queue master locator - queue_master_locator=min-masters - ## enable guest user - loopback_users.guest = false - rabbitmq_definitions.json: | - { - "users":[{"name": "{{ .Values.config.rabbitmqUser }}", "password": "{{ .Values.config.rabbitmqPassword }}", "tags": ""}], - "permissions":[ - {"user":"{{ .Values.config.rabbitmqUser }}","vhost":"{{ .Values.config.rabbitmqVhost }}","configure":".*","write":".*","read":".*"} - ], - "vhosts":[{"name":"{{ .Values.config.rabbitmqVhost }}"}], - "policies":[ - {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}} - ] - } ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx-conf - namespace: {{ include "common.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "common.name" . }} - helm.sh/chart: {{ include "common.chart" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -data: - nginx.conf: | - worker_processes 1; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - server_tokens off; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /dev/stdout main; - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - sendfile on; - #tcp_nopush on; - #gzip on; - upstream uwsgi { - server 127.0.0.1:8050; - } - upstream daphne { - server 127.0.0.1:8051; - } - server { - listen 8052 default_server; - # If you have a domain name, this is where to add it - server_name _; - keepalive_timeout 65; - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) - add_header X-Frame-Options "DENY"; - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - location /static/ { - alias /var/lib/awx/public/static/; - } - location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } - location /websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests 
- proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } - location / { - # Add trailing / if missing - rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - proxy_set_header X-Forwarded-Port 443; - } - } - } diff --git a/kubernetes/contrib/components/awx/templates/job.yaml b/kubernetes/contrib/components/awx/templates/job.yaml deleted file mode 100644 index 1ebe340a68..0000000000 --- a/kubernetes/contrib/components/awx/templates/job.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - backoffLimit: 5 - template: - metadata: - labels: - app: {{ include "common.name" . }}-mgnt - release: {{ include "common.release" . }} - spec: - serviceAccount: {{ include "common.fullname" . }} - serviceAccountName: {{ include "common.fullname" . }} - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - awx-postgres - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-mgnt - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /etc/tower/job-entrypoint.sh - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.task }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - requests: - cpu: 1500m - memory: 2Gi - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/tower/job-entrypoint.sh - name: awx-mgnt - readOnly: true - subPath: job-entrypoint.py - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - volumes: - - configMap: - defaultMode: 0777 - items: - - key: entrypoint - path: job-entrypoint.py - name: {{ include "common.fullname" . }}-init-mgnt - name: awx-mgnt - - configMap: - defaultMode: 420 - items: - - key: awx_settings - path: settings.py - name: {{ include "common.fullname" . }}-settings - name: awx-application-config - - name: awx-application-credentials - secret: - defaultMode: 420 - items: - - key: credentials_py - path: credentials.py - - key: environment_sh - path: environment.sh - secretName: {{ include "common.fullname" . }}-secrets - - name: awx-secret-key - secret: - defaultMode: 420 - items: - - key: secret_key - path: SECRET_KEY - secretName: {{ include "common.fullname" . }}-secrets - - configMap: - defaultMode: 420 - items: - - key: rabbitmq.conf - path: rabbitmq.conf - - key: enabled_plugins - path: enabled_plugins - - key: rabbitmq_definitions.json - path: rabbitmq_definitions.json - name: {{ include "common.fullname" . }}-rabbitmq - name: rabbitmq-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/templates/secret.yaml b/kubernetes/contrib/components/awx/templates/secret.yaml deleted file mode 100644 index 642f779214..0000000000 
--- a/kubernetes/contrib/components/awx/templates/secret.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ include "common.fullname" . }}-secrets - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - credentials_py: {{ tpl (.Files.Get "resources/config/credentials.py") . | b64enc }} - environment_sh: {{ tpl (.Files.Get "resources/config/environment.sh") . | b64enc }} - rabbitmq_erlang_cookie: {{ .Values.config.rabbitmqErlangCookie | b64enc | quote }} - secret_key: {{ .Values.config.secretKey | b64enc | quote }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/service.yaml b/kubernetes/contrib/components/awx/templates/service.yaml deleted file mode 100755 index 85ec8c8428..0000000000 --- a/kubernetes/contrib/components/awx/templates/service.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-rmq-mgmt - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.rmqmgmt.type }} - ports: - - port: {{ .Values.service.rmqmgmt.externalPort }} - targetPort: {{ .Values.service.rmqmgmt.internalPort }} - name: {{ .Values.service.rmqmgmt.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-web - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.web.type }} - ports: - - port: {{ .Values.service.web.externalPort }} - targetPort: {{ .Values.service.web.internalPort }} - name: {{ .Values.service.web.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . 
}}-rabbitmq - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - type: LoadBalancer -spec: - type: {{ .Values.service.rabbitmq.type }} - ports: - - port: {{ .Values.service.rabbitmq.http.externalPort }} - targetPort: {{ .Values.service.rabbitmq.http.internalPort }} - name: {{ .Values.service.rabbitmq.http.portName }} - - port: {{ .Values.service.rabbitmq.amqp.externalPort }} - targetPort: {{ .Values.service.rabbitmq.amqp.internalPort }} - name: {{ .Values.service.rabbitmq.amqp.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/serviceaccount.yaml b/kubernetes/contrib/components/awx/templates/serviceaccount.yaml deleted file mode 100644 index 15baf0e308..0000000000 --- a/kubernetes/contrib/components/awx/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "common.fullname" . }}-endpoint-reader - namespace: {{ include "common.namespace" . }} -rules: -- apiGroups: ["", "extensions", "apps", "batch"] - resources: ["endpoints", "deployments", "pods", "replicasets/status", "jobs/status"] - verbs: ["get", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "common.fullname" . }}-endpoint-reader - namespace: {{ include "common.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "common.fullname" . }}-endpoint-reader -subjects: -- kind: ServiceAccount - name: {{ include "common.fullname" . }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/statefulset.yaml b/kubernetes/contrib/components/awx/templates/statefulset.yaml deleted file mode 100644 index 1f2c093742..0000000000 --- a/kubernetes/contrib/components/awx/templates/statefulset.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - podManagementPolicy: OrderedReady - replicas: {{ .Values.replicaCount }} - serviceName: {{ include "common.fullname" . }} - selector: - matchLabels: - app: {{ include "common.fullname" . }} - name: {{ include "common.name" . }}-web-deploy - service: django - template: - metadata: - labels: - app: {{ include "common.fullname" . }} - name: {{ include "common.name" . }}-web-deploy - release: {{ include "common.release" . }} - service: django - spec: - - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.name" . }}-mgnt - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - containers: - - - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.web }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-web - ports: - - containerPort: {{ .Values.service.web.internalPort }} - protocol: TCP - resources: - requests: - cpu: 500m - memory: 1Gi - volumeMounts: - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - - mountPath: /etc/nginx/nginx.conf - name: awx-nginx-conf - subPath: "nginx.conf" - - - command: ["/bin/sh","-c"] - args: ["/usr/bin/launch_awx_task.sh"] - env: - - name: AWX_SKIP_MIGRATIONS - value: "1" - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.task }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-celery - resources: - requests: - cpu: 1500m - memory: 2Gi - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - - mountPath: /etc/nginx/nginx.conf - name: awx-nginx-conf - subPath: "nginx.conf" - - env: - - name: MY_POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: RABBITMQ_USE_LONGNAME - value: "true" - - name: RABBITMQ_NODENAME - value: rabbit@$(MY_POD_IP) - - name: RABBITMQ_ERLANG_COOKIE - valueFrom: - secretKeyRef: - key: rabbitmq_erlang_cookie - name: {{ include "common.fullname" . }}-secrets - - name: K8S_SERVICE_NAME - value: {{ include "common.servicename" . }}-rabbitmq - - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.rabbitmq }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-rabbit - livenessProbe: - exec: - command: - - rabbitmqctl - - status - failureThreshold: 3 - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - successThreshold: 1 - timeoutSeconds: 10 - ports: - - containerPort: {{ .Values.service.rabbitmq.http.internalPort }} - name: {{ .Values.service.rabbitmq.http.portName }} - protocol: TCP - - containerPort: {{ .Values.service.rabbitmq.amqp.internalPort }} - name: {{ .Values.service.rabbitmq.amqp.portName }} - protocol: TCP - readinessProbe: - exec: - command: - - rabbitmqctl - - status - failureThreshold: 3 - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - successThreshold: 1 - timeoutSeconds: 10 - resources: - requests: - cpu: 500m - memory: 2Gi - volumeMounts: - - mountPath: /etc/rabbitmq - name: rabbitmq-config - - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-memcached - resources: - requests: - cpu: 500m - memory: 1Gi - serviceAccount: {{ include "common.fullname" . }} - serviceAccountName: {{ include "common.fullname" . }} - volumes: - - configMap: - defaultMode: 420 - items: - - key: awx_settings - path: settings.py - name: {{ include "common.fullname" . }}-settings - name: awx-application-config - - name: awx-application-credentials - secret: - defaultMode: 420 - items: - - key: credentials_py - path: credentials.py - - key: environment_sh - path: environment.sh - secretName: {{ include "common.fullname" . }}-secrets - - name: awx-secret-key - secret: - defaultMode: 420 - items: - - key: secret_key - path: SECRET_KEY - secretName: {{ include "common.fullname" . 
}}-secrets - - configMap: - defaultMode: 420 - items: - - key: rabbitmq.conf - path: rabbitmq.conf - - key: enabled_plugins - path: enabled_plugins - - key: rabbitmq_definitions.json - path: rabbitmq_definitions.json - name: {{ include "common.fullname" . }}-rabbitmq - name: rabbitmq-config - - configMap: - defaultMode: 420 - items: - - key: nginx.conf - path: nginx.conf - name: {{ include "common.fullname" . }}-nginx-conf - name: awx-nginx-conf - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml deleted file mode 100755 index c30999fa6d..0000000000 --- a/kubernetes/contrib/components/awx/values.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - commonConfigPrefix: awx - persistence: {} - -# application image -image: - web: ansible/awx_web:9.0.1 - task: ansible/awx_task:9.0.1 - rabbitmq: ansible/awx_rabbitmq:3.7.4 - memcached: memcached:1.5.20 -pullPolicy: Always - -# application configuration -config: - postgresUser: awx - postgresPassword: awx - postgresDB: awx -# RabbitMQ Configuration - rabbitmqUser: awx - rabbitmqPassword: awxpass - rabbitmqVhost: awx - rabbitmqErlangCookie: cookiemonster3 -# This will create or update a default admin (superuser) account in AWX, if not provided -# then these default values are used - awxAdminUser: admin - awxAdminPassword: password - awxAdminEmail: cds@onap.org -# AWX Secret key -# It's *very* important that this stay the same between upgrades or you will lose the ability to decrypt -# your credentials - secretKey: awxsecret - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - enabled: true - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an 
existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 5Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. - - mountPath: /dockerdata-nfs - mountSubPath: awx/pgdata - -service: - rmqmgmt: - type: ClusterIP - portName: http-rmqmgmt - internalPort: 15672 - externalPort: 15672 - web: - type: ClusterIP - portName: http-web - internalPort: 8052 - externalPort: 8052 - rabbitmq: - type: ClusterIP - http: - portName: http-rmq - internalPort: 15672 - externalPort: 15672 - amqp: - portName: tcp-amqp - internalPort: 5672 - externalPort: 5672 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: awx - roles: - - read - -wait_for_job_container: - containers: - - '{{ include "common.name" . }}-mgnt' diff --git a/kubernetes/contrib/components/ejbca/Chart.yaml b/kubernetes/contrib/components/ejbca/Chart.yaml deleted file mode 100644 index 9b675c8b1e..0000000000 --- a/kubernetes/contrib/components/ejbca/Chart.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright © 2020 Nokia -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP EJBCA test server -name: ejbca -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: mariadb-galera - version: ~11.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~11.x-0 - repository: '@local' - condition: not global.mariadbGalera.localCluster - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: cmpv2Config - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml b/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml deleted file mode 100644 index e163aed82a..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml +++ /dev/null 
@@ -1,595 +0,0 @@ - - - - - version - 46.0 - - - type - 1 - - - certversion - X509v3 - - - encodedvalidity - 2y - - - usecertificatevalidityoffset - false - - - certificatevalidityoffset - -10m - - - useexpirationrestrictionforweekdays - false - - - expirationrestrictionforweekdaysbefore - true - - - expirationrestrictionweekdays - - - true - - - true - - - false - - - false - - - false - - - true - - - true - - - - - allowvalidityoverride - false - - - allowextensionoverride - false - - - allowdnoverride - false - - - allowdnoverridebyeei - false - - - allowbackdatedrevokation - false - - - usecertificatestorage - true - - - storecertificatedata - true - - - storesubjectaltname - true - - - usebasicconstrants - true - - - basicconstraintscritical - true - - - usesubjectkeyidentifier - true - - - subjectkeyidentifiercritical - false - - - useauthoritykeyidentifier - true - - - authoritykeyidentifiercritical - false - - - usesubjectalternativename - true - - - subjectalternativenamecritical - false - - - useissueralternativename - true - - - issueralternativenamecritical - false - - - usecrldistributionpoint - false - - - usedefaultcrldistributionpoint - false - - - crldistributionpointcritical - false - - - crldistributionpointuri - - - - usefreshestcrl - false - - - usecadefinedfreshestcrl - false - - - freshestcrluri - - - - crlissuer - - - - usecertificatepolicies - false - - - certificatepoliciescritical - false - - - certificatepolicies - - - - availablekeyalgorithms - - - DSA - - - ECDSA - - - RSA - - - - - availableeccurves - - - ANY_EC_CURVE - - - - - availablebitlengths - - - 0 - - - 192 - - - 224 - - - 239 - - - 256 - - - 384 - - - 512 - - - 521 - - - 1024 - - - 1536 - - - 2048 - - - 3072 - - - 4096 - - - 6144 - - - 8192 - - - - - minimumavailablebitlength - 0 - - - maximumavailablebitlength - 8192 - - - signaturealgorithm - - - - usekeyusage - true - - - keyusage - - - true - - - true - - - true - - - false - - - false - - - false - - - false - - - false 
- - - false - - - - - allowkeyusageoverride - false - - - keyusagecritical - true - - - useextendedkeyusage - true - - - extendedkeyusage - - - 1.3.6.1.5.5.7.3.2 - - - 1.3.6.1.5.5.7.3.4 - - - 1.3.6.1.5.5.7.3.1 - - - - - extendedkeyusagecritical - false - - - usedocumenttypelist - false - - - documenttypelistcritical - false - - - documenttypelist - - - - availablecas - - - -1 - - - - - usedpublishers - - - - useocspnocheck - false - - - useldapdnorder - true - - - usecustomdnorder - false - - - usemicrosofttemplate - false - - - microsofttemplate - - - - usecardnumber - false - - - usecnpostfix - false - - - cnpostfix - - - - usesubjectdnsubset - false - - - subjectdnsubset - - - - usesubjectaltnamesubset - false - - - subjectaltnamesubset - - - - usepathlengthconstraint - false - - - pathlengthconstraint - 0 - - - useqcstatement - false - - - usepkixqcsyntaxv2 - false - - - useqcstatementcritical - false - - - useqcstatementraname - - - - useqcsematicsid - - - - useqcetsiqccompliance - false - - - useqcetsisignaturedevice - false - - - useqcetsivaluelimit - false - - - qcetsivaluelimit - 0 - - - qcetsivaluelimitexp - 0 - - - qcetsivaluelimitcurrency - - - - useqcetsiretentionperiod - false - - - qcetsiretentionperiod - 0 - - - useqccustomstring - false - - - qccustomstringoid - - - - qccustomstringtext - - - - qcetsipds - - - - qcetsitype - - - - usecertificatetransparencyincerts - false - - - usecertificatetransparencyinocsp - false - - - usecertificatetransparencyinpublisher - false - - - usesubjectdirattributes - false - - - usenameconstraints - false - - - useauthorityinformationaccess - false - - - caissuers - - - - usedefaultcaissuer - false - - - usedefaultocspservicelocator - false - - - ocspservicelocatoruri - - - - cvcaccessrights - 3 - - - usedcertificateextensions - - - - approvals - - - - org.cesecore.certificates.ca.ApprovalRequestType - REVOCATION - - -1 - - - - org.cesecore.certificates.ca.ApprovalRequestType - KEYRECOVER - - -1 - - - - 
org.cesecore.certificates.ca.ApprovalRequestType - ADDEDITENDENTITY - - -1 - - - - - useprivkeyusageperiodnotbefore - false - - - useprivkeyusageperiod - false - - - useprivkeyusageperiodnotafter - false - - - privkeyusageperiodstartoffset - 0 - - - privkeyusageperiodlength - 63072000 - - - usesingleactivecertificateconstraint - false - - - overridableextensionoids - - - - nonoverridableextensionoids - - - - allowcertsnoverride - false - - - usecustomdnorderldap - false - - - diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh deleted file mode 100755 index a538238151..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/sh - -waitForEjbcaToStart() { - until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail) - do - sleep 5 - done -} - -configureEjbca() { - ejbca.sh ca init \ - --caname ManagementCA \ - --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ - --tokenType soft \ - --keyspec 3072 \ - --keytype RSA \ - -v 3652 \ - --policy null \ - -s SHA256WithRSA \ - -type "x509" - ejbca.sh config cmp addalias --alias cmpRA - ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra - ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature - ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' - ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' - ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true - #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) - ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles - #Profile name taken from certprofile filename (certprofile_-.xml) - ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER - #ID taken from entityprofile filename (entityprofile_-.xml) - ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 - caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') - ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" - ejbca.sh config cmp dumpalias --alias cmpRA - ejbca.sh config cmp addalias --alias cmp - ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true - ejbca.sh 
config cmp updatealias --alias cmp --key responseprotection --value pbe - ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password ${CLIENT_IAK} --type 1 --token USERGENERATED - ejbca.sh ra setclearpwd --username Node123 --password ${CLIENT_IAK} - ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN - ejbca.sh config cmp dumpalias --alias cmp - ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem - #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) - ejbca.sh roles addrole "Certificate Update Admin" - ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT - ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" - # workarround to exit successfully, as a reexecution of "addrolemember" returns an error - exit 0 -} - - -waitForEjbcaToStart -configureEjbca diff --git a/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml b/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml deleted file mode 100644 index ec51a80d5e..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml +++ /dev/null 
@@ -1,1107 +0,0 @@ - - - - - version - 14.0 - - - NUMBERARRAY - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - 1 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 1 - - - 3 - - - 3 - - - 3 - - - 0 - - - 3 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 0 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 0 - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 1 - - - 0 - - - 1 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - - - SUBJECTDNFIELDORDER - - - 500 - - - 1100 - - - 1200 - - - 1300 - - - 1400 - - - 1600 - - - - - SUBJECTALTNAMEFIELDORDER - - - 1800 - - - 1801 - - - 1802 - - - 1700 - - - 1701 - - - 1702 - - - 1900 - - - 1901 - - - 1902 - - - 2100 - - - 2101 - - - 2102 - - - - - SUBJECTDIRATTRFIELDORDER - - - - 0 - - - - 20000 - true - - - 10000 - true - - - 30000 - true - - - 1 - - - - 20001 - true - - - 10001 - true - - - 30001 - true - - - 95 - - - - 20095 - false - - - 10095 - true - - - 30095 - true - - - 96 - - - - 20096 - false - - - 10096 - true - - - 30096 - true - - - 5 - - - - 20005 - true - - - 10005 - true - - - 30005 - true - - - 26 - - - - 20026 - false - - - 10026 - true - - - 30026 - true - - - 29 - 1834889499 - - - 20029 - true - - - 10029 - true - - - 30029 - true - - - 30 - 1834889499 - - - 20030 - true - - - 10030 - true - - - 30030 - true - - - 31 - 1 - - - 20031 - true - - - 10031 - true - - - 30031 - true - - - 32 - 1;2;3;4 - - - 20032 - true - - - 10032 - true - - - 30032 - true - - - 33 - - - - 20033 - true - - - 10033 - true - - - 30033 - true - - - 34 - - - - 20034 - true - - 
- 10034 - false - - - 30034 - true - - - 38 - 1 - - - 20038 - true - - - 10038 - true - - - 30038 - true - - - 37 - -29939301 - - - 20037 - true - - - 10037 - true - - - 30037 - true - - - 98 - - - - 20098 - false - - - 10098 - false - - - 30098 - true - - - 99 - - - - 20099 - false - - - 10099 - false - - - 30099 - true - - - 97 - - - - 20097 - false - - - 10097 - false - - - 30097 - true - - - 91 - false - - - 20091 - false - - - 10091 - false - - - 30091 - true - - - 94 - -1 - - - 20094 - true - - - 10094 - false - - - 30094 - false - - - 93 - -1 - - - 20093 - false - - - 10093 - false - - - 30093 - false - - - 89 - - - - 20089 - false - - - 10089 - false - - - 30089 - true - - - 88 - - - - 20088 - false - - - 10088 - false - - - 30088 - true - - - ALLOW_MERGEDN_WEBSERVICES - false - - - 2 - - - - 20002 - false - - - 10002 - false - - - 10090 - true - - - 90 - 0 - - - REVERSEFFIELDCHECKS - false - - - 28 - false - - - 20028 - false - - - 10028 - false - - - REUSECERTIFICATE - false - - - 35 - false - - - 20035 - false - - - 10035 - false - - - 10092 - false - - - USEEXTENSIONDATA - false - - - PRINTINGUSE - false - - - PRINTINGDEFAULT - false - - - PRINTINGREQUIRED - false - - - PRINTINGCOPIES - 1 - - - PRINTINGPRINTERNAME - - - - PRINTINGSVGDATA - - - - PRINTINGSVGFILENAME - - - - 11 - - - - 20011 - false - - - 10011 - true - - - 30011 - true - - - 12 - - - - 20012 - true - - - 10012 - true - - - 30012 - true - - - 13 - - - - 20013 - false - - - 10013 - true - - - 30013 - true - - - 14 - - - - 20014 - true - - - 10014 - true - - - 30014 - true - - - 16 - - - - 20016 - true - - - 10016 - true - - - 30016 - true - - - 18 - - - - 20018 - false - - - 10018 - true - - - 30018 - true - - - 118 - - - - 20118 - false - - - 10118 - true - - - 30118 - true - - - 218 - - - - 20218 - false - - - 10218 - true - - - 30218 - true - - - 17 - - - - 20017 - false - - - 10017 - false - - - 30017 - true - - - 117 - - - - 20117 - false - - - 10117 - false - - - 30117 - true - - - 
217 - - - - 20217 - false - - - 10217 - false - - - 30217 - true - - - 19 - - - - 20019 - false - - - 10019 - true - - - 30019 - true - - - 119 - - - - 20119 - false - - - 10119 - true - - - 30119 - true - - - 219 - - - - 20219 - false - - - 10219 - true - - - 30219 - true - - - 21 - - - - 20021 - false - - - 10021 - true - - - 30021 - true - - - 121 - - - - 20121 - false - - - 10121 - true - - - 30121 - true - - - 221 - - - - 20221 - false - - - 10221 - true - - - 30221 - true - - - diff --git a/kubernetes/contrib/components/ejbca/templates/configmap.yaml b/kubernetes/contrib/components/ejbca/templates/configmap.yaml deleted file mode 100644 index 093657dfe0..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ include "common.fullname" . }}-config-script" -data: -{{ tpl (.Files.Glob "resources/ejbca-config.sh").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ include "common.fullname" . }}-profiles" -data: -{{ tpl (.Files.Glob "resources/certprofile_CUSTOM_ENDUSER-1834889499.xml").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/entityprofile_Custom_EndEntity-1356531849.xml").AsConfig . | indent 2 }} 
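Review bot: the defaults deleted with kubernetes/contrib/components/awx/values.yaml (`awxAdminPassword: password`, `secretKey: awxsecret`, `rabbitmqErlangCookie: cookiemonster3`) stay readable in history and stay live in any cluster that was installed from the chart, so the removal should come with a release-note line asking operators of existing installs to rotate them, if the release notes do not already cover it. That line should repeat the file's own warning that changing `secretKey` loses the ability to decrypt stored credentials, so the rotation has to be planned rather than done blindly.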
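Review bot: with kubernetes/contrib/components/ejbca/resources/ejbca-config.sh and templates/configmap.yaml deleted, nothing in this chart creates the `cmpRA` and `cmp` CMP aliases or the `Node123` end entity on ManagementCA any more, so please confirm that no remaining chart or document still expects the in-cluster EJBCA test server or the `cmpv2Config` organization value the script was templated with. The removed script passed `${RA_IAK}` and `${CLIENT_IAK}` unquoted on the `ejbca.sh` command line and stored the client secret with `setclearpwd`, so if those values were reused outside this test CA they are worth rotating as part of the removal.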
diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml deleted file mode 100644 index a36dcacb23..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if (include "common.onServiceMesh" . ) }} - annotations: - {{- if eq ( .Values.global.serviceMesh.engine ) "linkerd" }} - linkerd.io/inject: disabled - {{- end }} - {{- if eq ( .Values.global.serviceMesh.engine ) "istio" }} - sidecar.istio.io/rewriteAppHTTPProbers: "false" - proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }' - {{- end }} - {{- end }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-db-readiness - command: - - /app/ready.py - args: - - --container-name - {{- if .Values.global.mariadbGalera.localCluster }} - - ejbca-galera - {{- else }} - - ejbca-config - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - containers: - - name: {{ include "common.name" . }}-ejbca - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.ejbca.image }} - imagePullPolicy: {{ .Values.pullPolicy }} - lifecycle: - postStart: - exec: - command: - - sh - - -c - - | - sleep 60; /opt/primekey/scripts/ejbca-config.sh - volumeMounts: - - name: "{{ include "common.fullname" . }}-volume" - mountPath: /opt/primekey/scripts/ - - name: "{{ include "common.fullname" . }}-profiles-volume" - mountPath: /opt/primekey/custom_profiles/ - ports: {{ include "common.containerPorts" . | nindent 10 }} - env: - - name: INITIAL_ADMIN - value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" - - name: NO_CREATE_CA - value: "true" - - name: DATABASE_JDBC_URL - value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - - name: DATABASE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "login") | indent 10 }} - - name: DATABASE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "password") | indent 10 }} - - name: RA_IAK - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-ra-iak" "key" "password") | indent 10 }} - - name: CLIENT_IAK - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "ejbca-server-client-iak" "key" "password") | indent 10 }} - livenessProbe: - httpGet: - port: {{ .Values.liveness.port }} - path: {{ .Values.liveness.path }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - readinessProbe: - httpGet: - port: {{ .Values.readiness.port }} - path: {{ .Values.readiness.path }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - configMap: - name: "{{ include "common.fullname" . }}-config-script" - defaultMode: 0755 - name: "{{ include "common.fullname" . }}-volume" - - configMap: - name: "{{ include "common.fullname" . }}-profiles" - defaultMode: 0755 - name: "{{ include "common.fullname" . }}-profiles-volume" diff --git a/kubernetes/contrib/components/ejbca/templates/secret.yaml b/kubernetes/contrib/components/ejbca/templates/secret.yaml deleted file mode 100644 index 837da0959b..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/contrib/components/ejbca/templates/service.yaml b/kubernetes/contrib/components/ejbca/templates/service.yaml deleted file mode 100644 index 46eed4264c..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml deleted file mode 100644 index b777a7d388..0000000000 --- a/kubernetes/contrib/components/ejbca/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright © 2020, Nordix Foundation, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -global: - mariadbGalera: &mariadbGalera - #This flag allows EJBCA to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -secrets: - - uid: ejbca-db-secret - name: &ejbca-db-secret '{{ include "common.release" . }}-ejbca-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: ejbca-server-ra-iak - name: '{{ include "common.release" . }}-ejbca-ra-iak' - type: password - password: '{{ .Values.config.ejbca.raIak }}' - - uid: ejbca-server-client-iak - name: '{{ include "common.release" . }}-ejbca-client-iak' - type: password - password: '{{ .Values.config.ejbca.clientIak }}' - -# application configuration -config: - db: - userName: ejbca - # userPassword: password - # userCredentialsExternalSecret: some-secret - ejbca: {} - # raIak: mypassword - # clientIak: mypassword - -mysqlDatabase: &dbName ejbca - -################################################################# -# Application configuration defaults. 
-################################################################# -# application configuration -replicaCount: 1 - -ejbca: - image: primekey/ejbca-ce:7.4.3.2 -pullPolicy: Always - -mariadb-galera: - db: - externalSecret: *ejbca-db-secret - name: *dbName - nameOverride: &ejbca-galera ejbca-galera - service: - name: ejbca-galera - portName: ejbca-galera - internalPort: 3306 - replicaCount: 1 - persistence: - enabled: true - mountSubPath: ejbca/maria/data - serviceAccount: - nameOverride: *ejbca-galera - -mariadb-init: - config: - userCredentialsExternalSecret: *ejbca-db-secret - mysqlDatabase: *dbName - nameOverride: ejbca-config - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - path: /ejbca/publicweb/healthcheck/ejbcahealth - port: 8443 - initialDelaySeconds: 180 - periodSeconds: 30 - -readiness: - path: /ejbca/publicweb/healthcheck/ejbcahealth - port: 8443 - initialDelaySeconds: 180 - periodSeconds: 30 - -service: - type: ClusterIP - both_tls_and_plain: true - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - -# Resource Limit flavor -By Default using small -flavor: unlimited -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1500m - memory: 1536Mi - requests: - cpu: 10m - memory: 750Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 20m - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: ejbca - roles: - - read diff --git a/kubernetes/contrib/components/netbox/.helmignore b/kubernetes/contrib/components/netbox/.helmignore deleted file mode 100755 index f0c1319444..0000000000 --- a/kubernetes/contrib/components/netbox/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/contrib/components/netbox/Chart.yaml b/kubernetes/contrib/components/netbox/Chart.yaml deleted file mode 100755 index a0a8cdc7fb..0000000000 --- a/kubernetes/contrib/components/netbox/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox IPAM -name: netbox -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: netbox-app - version: ~11.x-0 - repository: 'file://components/netbox-app' - - name: netbox-nginx - version: ~11.x-0 - repository: 'file://components/netbox-nginx' - - name: netbox-postgres - version: ~11.x-0 - repository: 'file://components/netbox-postgres' \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/Makefile b/kubernetes/contrib/components/netbox/Makefile deleted file mode 100644 index 51d7de122c..0000000000 
--- a/kubernetes/contrib/components/netbox/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/netbox/components/Makefile b/kubernetes/contrib/components/netbox/components/Makefile deleted file mode 100644 index f4c9784bc4..0000000000 --- a/kubernetes/contrib/components/netbox/components/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/.helmignore b/kubernetes/contrib/components/netbox/components/netbox-app/.helmignore deleted file mode 100755 index f0c1319444..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml deleted file mode 100755 index d820ee4250..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox - Application (WSGI + Gunicorn) -name: netbox-app -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py deleted file mode 100755 index 7d704ae762..0000000000 
--- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py +++ /dev/null 
@@ -1,156 +0,0 @@ -import os -import socket - -# For reference see http://netbox.readthedocs.io/en/latest/configuration/mandatory-settings/ -# Based on https://github.com/digitalocean/netbox/blob/develop/netbox/netbox/configuration.example.py - -# Read secret from file -def read_secret(secret_name): - try: - f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8') - except EnvironmentError: - return '' - else: - with f: - return f.readline().strip() - -BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) - -######################### -# # -# Required settings # -# # -######################### - -# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write -# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name. -# -# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local'] -ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', socket.gethostname()).split(' ') - -# PostgreSQL database configuration. -DATABASE = { - 'NAME': os.environ.get('DB_NAME', 'netbox'), # Database name - 'USER': os.environ.get('DB_USER', ''), # PostgreSQL username - 'PASSWORD': os.environ.get('DB_PASSWORD', read_secret('db_password')), - # PostgreSQL password - 'HOST': os.environ.get('DB_HOST', 'localhost'), # Database server - 'PORT': os.environ.get('DB_PORT', ''), # Database port (leave blank for default) -} - -# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file. -# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and -# symbols. NetBox will not run without this defined. 
For more information, see -# https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY -SECRET_KEY = os.environ.get('SECRET_KEY', read_secret('secret_key')) - -######################### -# # -# Optional settings # -# # -######################### - -# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of -# application errors (assuming correct email settings are provided). -ADMINS = [ - # ['John Doe', 'jdoe@example.com'], -] - -# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same -# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP. -BANNER_TOP = os.environ.get('BANNER_TOP', '') -BANNER_BOTTOM = os.environ.get('BANNER_BOTTOM', '') - -# Text to include on the login page above the login form. HTML is allowed. -BANNER_LOGIN = os.environ.get('BANNER_LOGIN', '') - -# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: -# BASE_PATH = 'netbox/' -BASE_PATH = os.environ.get('BASE_PATH', '') - -# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be -# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or -# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers -CORS_ORIGIN_ALLOW_ALL = os.environ.get('CORS_ORIGIN_ALLOW_ALL', 'False').lower() == 'true' -CORS_ORIGIN_WHITELIST = os.environ.get('CORS_ORIGIN_WHITELIST', '').split(' ') -CORS_ORIGIN_REGEX_WHITELIST = [ - # r'^(https?://)?(\w+\.)?example\.com$', -] - -# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal -# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging -# on a production system. 
-DEBUG = os.environ.get('DEBUG', 'False').lower() == 'true' - -# Email settings -EMAIL = { - 'SERVER': os.environ.get('EMAIL_SERVER', 'localhost'), - 'PORT': int(os.environ.get('EMAIL_PORT', 25)), - 'USERNAME': os.environ.get('EMAIL_USERNAME', ''), - 'PASSWORD': os.environ.get('EMAIL_PASSWORD', read_secret('email_password')), - 'TIMEOUT': int(os.environ.get('EMAIL_TIMEOUT', 10)), # seconds - 'FROM_EMAIL': os.environ.get('EMAIL_FROM', ''), -} - -# Enforcement of unique IP space can be toggled on a per-VRF basis. -# To enforce unique IP space within the global table (all prefixes and IP addresses not assigned to a VRF), -# set ENFORCE_GLOBAL_UNIQUE to True. -ENFORCE_GLOBAL_UNIQUE = os.environ.get('ENFORCE_GLOBAL_UNIQUE', 'False').lower() == 'true' - -# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs: -# https://docs.djangoproject.com/en/1.11/topics/logging/ -LOGGING = {} - -# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users -# are permitted to access most data in NetBox (excluding secrets) but not make any changes. -LOGIN_REQUIRED = os.environ.get('LOGIN_REQUIRED', 'False').lower() == 'true' - -# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: -# BASE_PATH = 'netbox/' -BASE_PATH = os.environ.get('BASE_PATH', '') - -# Setting this to True will display a "maintenance mode" banner at the top of every page. -MAINTENANCE_MODE = os.environ.get('MAINTENANCE_MODE', 'False').lower() == 'true' - -# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g. -# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request -# all objects by specifying "?limit=0". 
-MAX_PAGE_SIZE = int(os.environ.get('MAX_PAGE_SIZE', 1000)) - -# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that -# the default value of this setting is derived from the installed location. -MEDIA_ROOT = os.environ.get('MEDIA_ROOT', os.path.join(BASE_DIR, 'media')) - -# Credentials that NetBox will use to access live devices. -NAPALM_USERNAME = os.environ.get('NAPALM_USERNAME', '') -NAPALM_PASSWORD = os.environ.get('NAPALM_PASSWORD', read_secret('napalm_password')) - -# NAPALM timeout (in seconds). (Default: 30) -NAPALM_TIMEOUT = int(os.environ.get('NAPALM_TIMEOUT', 30)) - -# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must -# be provided as a dictionary. -NAPALM_ARGS = {} - -# Determine how many objects to display per page within a list. (Default: 50) -PAGINATE_COUNT = int(os.environ.get('PAGINATE_COUNT', 50)) - -# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to -# prefer IPv4 instead. -PREFER_IPV4 = os.environ.get('PREFER_IPV4', 'False').lower() == 'true' - -# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of -# this setting is derived from the installed location. -REPORTS_ROOT = os.environ.get('REPORTS_ROOT', '/etc/netbox/reports') - -# Time zone (default: UTC) -TIME_ZONE = os.environ.get('TIME_ZONE', 'UTC') - -# Date/time formatting. 
See the following link for supported formats: -# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date -DATE_FORMAT = os.environ.get('DATE_FORMAT', 'N j, Y') -SHORT_DATE_FORMAT = os.environ.get('SHORT_DATE_FORMAT', 'Y-m-d') -TIME_FORMAT = os.environ.get('TIME_FORMAT', 'g:i a') -SHORT_TIME_FORMAT = os.environ.get('SHORT_TIME_FORMAT', 'H:i:s') -DATETIME_FORMAT = os.environ.get('DATETIME_FORMAT', 'N j, Y g:i a') -SHORT_DATETIME_FORMAT = os.environ.get('SHORT_DATETIME_FORMAT', 'Y-m-d H:i') diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py deleted file mode 100755 index c7d9f7b725..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py +++ /dev/null @@ -1,8 +0,0 @@ -command = '/usr/bin/gunicorn' -pythonpath = '/opt/netbox/netbox' -bind = '0.0.0.0:{{ .Values.service.internalPort }}' -workers = 3 -errorlog = '-' -accesslog = '-' -capture_output = False -loglevel = 'debug' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py deleted file mode 100755 index c7e0d3bee9..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py +++ /dev/null 
@@ -1,55 +0,0 @@ -import ldap -import os - -from django_auth_ldap.config import LDAPSearch, GroupOfNamesType - -# Server URI -AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '') - -# The following may be needed if you are binding to Active Directory. -AUTH_LDAP_CONNECTION_OPTIONS = { - ldap.OPT_REFERRALS: 0 -} - -# Set the DN and password for the NetBox service account. -AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '') -AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '') - -# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert. -# Note that this is a NetBox-specific setting which sets: -# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) -LDAP_IGNORE_CERT_ERRORS = os.environ.get('LDAP_IGNORE_CERT_ERRORS', 'False').lower() == 'true' - -AUTH_LDAP_USER_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''), - ldap.SCOPE_SUBTREE, - "(sAMAccountName=%(user)s)") - -# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group -# heirarchy. -AUTH_LDAP_GROUP_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE, - "(objectClass=group)") -AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() - -# Define a group required to login. -AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '') - -# Define special user types using groups. Exercise great caution when assigning superuser status. -AUTH_LDAP_USER_FLAGS_BY_GROUP = { - "is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''), - "is_staff": os.environ.get('AUTH_LDAP_IS_ADMIN_DN', ''), - "is_superuser": os.environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '') -} - -# For more granular permissions, we can map LDAP groups to Django groups. 
-AUTH_LDAP_FIND_GROUP_PERMS = os.environ.get('AUTH_LDAP_FIND_GROUP_PERMS', 'True').lower() == 'true' - -# Cache groups for one hour to reduce LDAP traffic -AUTH_LDAP_CACHE_GROUPS = os.environ.get('AUTH_LDAP_CACHE_GROUPS', 'True').lower() == 'true' -AUTH_LDAP_GROUP_CACHE_TIMEOUT = int(os.environ.get('AUTH_LDAP_CACHE_GROUPS', 3600)) - -# Populate the Django user from the LDAP directory. -AUTH_LDAP_USER_ATTR_MAP = { - "first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'), - "last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'), - "email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail') -} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml deleted file mode 100755 index 05bbfc7738..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml +++ /dev/null @@ -1,18 +0,0 @@ -external-key: - description: "The external-key uniquely identify the resources to a service within ONAP." - filterable: true - label: ONAP external key - on_objects: - - ipam.models.IPAddress - required: true - type: text - weight: 0 -resource-name: - description: "The resource-name of the element using this IP." - filterable: true - label: ONAP resource name - on_objects: - - ipam.models.IPAddress - required: true - type: text - weight: 0 \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml deleted file mode 100755 index 1f4a5a7a6e..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -# applications: -# users: -# - technical_user -# readers: -# users: -# - reader -# writers: -# users: -# - writer diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml deleted file mode 100755 index 77d330beac..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml +++ /dev/null @@ -1,9 +0,0 @@ -onap: - first_name: Steve - last_name: McQueen - email: steve.mcqueen@onap.org - password: onap123$ - api_token: onceuponatimeiplayedwithnetbox20180814 # This API KEY is used by SDNC, if you edit it, make sure to change it in the netbox.properties file - is_staff: true # whether user is admin or not, default = false - is_active: true # whether user is active, default = true - is_superuser: true # Whether user has all edit rights or not, default = false \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh deleted file mode 100755 index 984801decb..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh +++ /dev/null 
@@ -1,136 +0,0 @@ -#!/bin/sh - -# Create region - -echo "Create region: RegionOne" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/dcim/regions/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "RegionOne", - "slug": "RegionOne" -}' - -# Create tenant group - -echo "Create tenant group: ONAP group" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/tenancy/tenant-groups/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "ONAP group", - "slug": "onap-group" -}' - -# Create tenant - -echo "Create tenant ONAP in ONAP group" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/tenancy/tenants/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "ONAP", - "slug": "onap", - "group": 1, - "description": "ONAP tenant", - "comments": "Tenant for ONAP demo use cases" -}' - -# Create site - -echo "Create ONAP demo site: Montreal Lab" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/dcim/sites/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "Montreal Lab D3", - "slug": "mtl-lab-d3", - "region": 1, - "tenant": 1, - "facility": "Campus", - "time_zone": "Canada/Atlantic", - "description": "Site hosting the ONAP use cases", - "physical_address": "1 Graham Bell", - "shipping_address": "1 Graham Bell", - "contact_name": "Alexis", - "contact_phone": "0000000000", - "contact_email": "adetalhouet89@gmail.com", - "comments": "ONAP lab" -}' - -# Create prefixes - -echo "Create Prefix for vFW protected network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ 
.Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.private2 }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for private network 2" -}' - -echo "Create Prefix for vFW unprotected network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.private1 }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for private network 1" -}' - -echo "Create Prefix for ONAP general purpose network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.management }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for ONAP - general purpose" -}' - -# Reserve ports, gateway and dhcp, for each protected and unprotected networks. 
- -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/1/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/1/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/2/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/2/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/3/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/3/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py deleted file mode 100755 index 7626058357..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py +++ /dev/null 
@@ -1,26 +0,0 @@ -from django.contrib.auth.models import Group, User -from users.models import Token - -from ruamel.yaml import YAML - -with open('/opt/netbox/initializers/users.yml', 'r') as stream: - yaml=YAML(typ='safe') - users = yaml.load(stream) - - if users is not None: - for username, user_details in users.items(): - if not User.objects.filter(username=username): - user = User.objects.create_user( - username = username, - password = user_details.get('password', 0) or User.objects.make_random_password, - is_staff = user_details.get('is_staff', 0) or false, - is_superuser = user_details.get('is_superuser', 0) or false, - is_active = user_details.get('is_active', 0) or true, - first_name = user_details.get('first_name', 0), - last_name = user_details.get('last_name', 0), - email = user_details.get('email', 0)) - - print("👤 Created user ",username) - - if user_details.get('api_token', 0): - Token.objects.create(user=user, key=user_details['api_token']) \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py deleted file mode 100755 index 7932874704..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py +++ /dev/null @@ -1,19 +0,0 @@ -from django.contrib.auth.models import Group, User -from ruamel.yaml import YAML - -with open('/opt/netbox/initializers/groups.yml', 'r') as stream: - yaml=YAML(typ='safe') - groups = yaml.load(stream) - - if groups is not None: - for groupname, group_details in groups.items(): - group, created = Group.objects.get_or_create(name=groupname) - - if created: - print("👥 Created group", groupname) - - for username in group_details['users']: - user = User.objects.get(username=username) - - if user: - user.groups.add(group) 
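Review bot: in netbox-app/resources/config/configuration/configuration.py, `read_secret` catches `EnvironmentError` and returns `''`, so a missing or unreadable file under `/run/secrets/` silently produces an empty `SECRET_KEY`, `DB_PASSWORD`, `EMAIL_PASSWORD` or `NAPALM_PASSWORD` and nothing reports which secret was absent. Any copy of this file kept outside the repository should fail loudly (raise, or log the secret name) when neither the environment variable nor the file is present. In the same hunk, `LOGIN_REQUIRED` defaults to `'False'`, which by the file's own comment leaves most data readable by anonymous users, and `BASE_PATH` is assigned twice with the same expression.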
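Review bot: in netbox-app/resources/config/configuration/ldap_config.py, `AUTH_LDAP_GROUP_CACHE_TIMEOUT = int(os.environ.get('AUTH_LDAP_CACHE_GROUPS', 3600))` reads the same variable as the boolean on the line above it, so setting `AUTH_LDAP_CACHE_GROUPS=True` makes `int('True')` raise `ValueError` when the module is loaded; the timeout needed its own variable name. In the same hunk, `AUTH_LDAP_BIND_PASSWORD` is taken only from the environment, without the `read_secret` fallback that configuration.py uses for the other passwords, and `LDAP_IGNORE_CERT_ERRORS` lets certificate checking be switched off for the directory connection, which is worth calling out for anyone who still carries this file.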
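Review bot: in netbox-app/resources/config/initializers/users.yml, the removed `onap` entry holds a literal `password: onap123$` and `api_token: onceuponatimeiplayedwithnetbox20180814` for an account with `is_superuser: true`, and deleting the file does not retire either value: both remain in repository history, and the inline comment says SDNC uses the same token through its netbox.properties file. Please confirm that the netbox.properties reference is removed in this change or a linked one, and note for operators that any NetBox instance created from this chart should have the password and token rotated. The `.Files.Glob "resources/config/initializers/*"` block in templates/configmap.yaml rendered this file into a ConfigMap rather than a Secret, so the values were also readable by anything permitted to read ConfigMaps in the namespace.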
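Review bot: in netbox-app/resources/config/provisioning/provision.sh, every request is `curl --silent -X POST` with no `--fail` and no check of the exit status, while the later calls address `/api/ipam/prefixes/1/available-ips/`, `/2/` and `/3/` by fixed id, so a rejected region, tenant or prefix creation goes unnoticed and the reservations land on the wrong prefix or on none. The script also repeats the superuser token literally in each `-H 'Authorization: Token ...'` header and sends it over `http://`, although templates/deployment.yaml in this same patch already takes `SUPERUSER_API_TOKEN` from the `-pass` Secret. If any of this provisioning is kept elsewhere, read the token from an environment variable fed by that Secret, add `--fail`, and look up prefix ids from the creation responses.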
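Review bot: in netbox-app/resources/config/startup_scripts/00_users.py, the fallbacks `or false` and `or true` are not Python names (the literals are `False` and `True`), so a user entry that omits `is_staff`, `is_superuser` or `is_active`, or sets one to a falsy value, raises `NameError` during `create_user`, and `or User.objects.make_random_password` passes the method object instead of calling it. The `user_details.get('is_active', 0) or true` form also cannot express `is_active: false` even with the literal corrected, because a false value falls through to the default. Nothing needs to change for the deletion itself, but any copy of this script kept outside the repository should use defaults of the form `user_details.get('is_active', True)` and call `make_random_password()`.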
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py deleted file mode 100755 index 5c40e37bf2..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py +++ /dev/null 
@@ -1,68 +0,0 @@ -from extras.constants import CF_TYPE_TEXT, CF_TYPE_INTEGER, CF_TYPE_BOOLEAN, CF_TYPE_DATE, CF_TYPE_URL, CF_TYPE_SELECT -from extras.models import CustomField, CustomFieldChoice - -from ruamel.yaml import YAML - -text_to_fields = { - 'boolean': CF_TYPE_BOOLEAN, - 'date': CF_TYPE_DATE, - 'integer': CF_TYPE_INTEGER, - 'selection': CF_TYPE_SELECT, - 'text': CF_TYPE_TEXT, - 'url': CF_TYPE_URL, -} - -def get_class_for_class_path(class_path): - import importlib - from django.contrib.contenttypes.models import ContentType - - module_name, class_name = class_path.rsplit(".", 1) - module = importlib.import_module(module_name) - clazz = getattr(module, class_name) - return ContentType.objects.get_for_model(clazz) - -with open('/opt/netbox/initializers/custom_fields.yml', 'r') as stream: - yaml = YAML(typ='safe') - customfields = yaml.load(stream) - - if customfields is not None: - for cf_name, cf_details in customfields.items(): - custom_field, created = CustomField.objects.get_or_create(name = cf_name) - - if created: - if cf_details.get('default', 0): - custom_field.default = cf_details['default'] - - if cf_details.get('description', 0): - custom_field.description = cf_details['description'] - - if cf_details.get('filterable', 0): - custom_field.is_filterables = cf_details['filterable'] - - if cf_details.get('label', 0): - custom_field.label = cf_details['label'] - - for object_type in cf_details.get('on_objects', []): - custom_field.obj_type.add(get_class_for_class_path(object_type)) - - if cf_details.get('required', 0): - custom_field.required = cf_details['required'] - - if cf_details.get('type', 0): - custom_field.type = text_to_fields[cf_details['type']] - - if cf_details.get('weight', 0): - custom_field.weight = cf_details['weight'] - - custom_field.save() - - for choice_details in cf_details.get('choices', []): - choice = CustomFieldChoice.objects.create( - field=custom_field, - value=choice_details['value']) - - if choice_details.get('weight', 0): 
- choice.weight = choice_details['weight'] - choice.save() - - print("🔧 Created custom field", cf_name) diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt deleted file mode 100755 index e70c418864..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.fullname" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml deleted file mode 100755 index f785478e1b..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-provisioning-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/provisioning/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configuration-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/configuration/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-initializers-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/initializers/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-startupscripts-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/startup_scripts/*").AsConfig . | indent 2 }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml deleted file mode 100755 index 302166fcd6..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: DB_PASSWORD - - name: EMAIL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: EMAIL_PASSWORD - - name: NAPALM_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: NAPALM_PASSWORD - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: SECRET_KEY - - name: SUPERUSER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: SUPERUSER_PASSWORD - - name: SUPERUSER_API_TOKEN - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . 
}}-pass - key: SUPERUSER_API_TOKEN - - name: ALLOWED_HOSTS - value: {{ .Values.config.allowedHosts | quote }} - - name: DB_NAME - value: {{ .Values.config.dbName }} - - name: DB_USER - value: {{ .Values.config.dbUser }} - - name: DB_HOST - value: {{ .Values.config.dbHost }} - - name: EMAIL_SERVER - value: {{ .Values.config.emailServer }} - - name: EMAIL_PORT - value: {{ .Values.config.emailPort | quote }} - - name: EMAIL_USERNAME - value: {{ .Values.config.emailUsername }} - - name: EMAIL_TIMEOUT - value: {{ .Values.config.emailTimeout | quote }} - - name: EMAIL_FROM - value: {{ .Values.config.emailFrom }} - - name: MEDIA_ROOT - value: {{ .Values.config.mediaRoot }} - - name: NAPALM_USERNAME - value: {{ .Values.config.napalmUsername }} - - name: NAPALM_TIMEOUT - value: {{ .Values.config.napalmTimeout | quote }} - - name: MAX_PAGE_SIZE - value: {{ .Values.config.maxPageSize | quote }} - - name: SUPERUSER_NAME - value: {{ .Values.config.superuserName }} - - name: SUPERUSER_EMAIL - value: {{ .Values.config.superuserEmail }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/netbox/startup_scripts - name: {{ include "common.fullname" . }}-startupscripts-config - - mountPath: /opt/netbox/initializers - name: {{ include "common.fullname" . }}-initializers-config - - mountPath: /etc/netbox/config - name: {{ include "common.fullname" . }}-configuration-config - - name: {{ include "common.fullname" . }} - mountPath: /opt/netbox/netbox/static - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . 
}} - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - - name: {{ include "common.fullname" . }}-startupscripts-config - configMap: - name: {{ include "common.fullname" . }}-startupscripts-configmap - - name: {{ include "common.fullname" . }}-initializers-config - configMap: - name: {{ include "common.fullname" . }}-initializers-configmap - - name: {{ include "common.fullname" . }}-configuration-config - configMap: - name: {{ include "common.fullname" . }}-configuration-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml deleted file mode 100644 index 3b367a3d4a..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -# Copyright © 2018 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-provisioning - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - backoffLimit: 5 - template: - metadata: - labels: - app: {{ include "common.name" . }}-provisioning-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - netbox-app - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-provisioning-job - image: {{ include "repositoryGenerator.image.curl" . }} - volumeMounts: - - name: {{ include "common.fullname" . }}-provisioning - mountPath: /tmp - command: - - /bin/sh - - ./tmp/provision.sh - volumes: - - name: {{ include "common.fullname" . }}-provisioning - configMap: - name: {{ include "common.fullname" . 
}}-provisioning-configmap - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml deleted file mode 100755 index a61217fb94..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if not .Values.persistence.storageClass -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/app -{{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml deleted file mode 100755 index 7e25a0f1ef..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - {{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} - {{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml deleted file mode 100755 index c06bc5a333..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2018 Bell Canada, Amdocs -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-pass - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - DB_PASSWORD: {{ .Values.config.dbPassword | b64enc | quote }} - EMAIL_PASSWORD: {{ .Values.config.emailPassword | b64enc | quote }} - NAPALM_PASSWORD: {{ .Values.config.napalmPassword | b64enc | quote }} - SECRET_KEY: {{ .Values.config.secretKey | b64enc | quote }} - SUPERUSER_PASSWORD: {{ .Values.config.superuserPassword | b64enc | quote }} - SUPERUSER_API_TOKEN: {{ .Values.config.superuserAPIToken | b64enc | quote }} \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml deleted file mode 100755 index 74d1116f50..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - name: {{ include "common.name" . }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - name: {{ include "common.name" . }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml deleted file mode 100755 index 27cd811ec1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - -config: - # Secrets configuration values - dbPassword: J5brHrAXFLQSif0K - emailPassword: password - napalmPassword: password - secretKey: r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj - superuserPassword: admin - superuserAPIToken: 0123456789abcdef0123456789abcdef01234567 - - # Remaining environment configuration values - allowedHosts: "*" - dbName: netbox - dbUser: netbox - dbHost: netbox-postgres - emailServer: localhost - emailPort: 25 - emailUsername: netbox - emailTimeout: 5 - emailFrom: netbox@bar.com - mediaRoot: /opt/netbox/netbox/media - napalmUsername: napalm - napalmTimeout: 10 - maxPageSize: 0 - superuserName: admin - superuserEmail: admin@onap.org - -image: netboxcommunity/netbox:v2.5.8 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - -readiness: - initialDelaySeconds: 30 - periodSeconds: 10 - -service: - type: ClusterIP - name: netbox-app - externalPort: 8001 - internalPort: 8001 - portName: netbox-app - - # The following subnet pool will be - # configured in Netbox by provisioning script. 
- private1: 192.168.10.0/24 - private2: 192.168.20.0/24 - management: 10.0.101.0/24 - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteMany - size: 100Mi - - # Uncomment the storageClass parameter to use an existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - staticPvName: netbox-static - - # When using storage class, mountPath and mountSubPath are - # simply ignored. - - mountPath: /dockerdata-nfs - mountSubPath: netbox/app - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-app - roles: - - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore b/kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore deleted file mode 100755 index f0c1319444..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
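Review bot: The `config:` block of the removed netbox-app values.yaml carried working defaults for `dbPassword`, `secretKey`, `superuserPassword` and `superuserAPIToken`, and deleting the file does not retire them. They stay in the repository history and in any release that was installed from these defaults. Please add a line to the commit message or release notes telling operators who deployed the contrib netbox chart unchanged to rotate those values, and mention that `allowedHosts: "*"` was the shipped default. The same file also defines `liveness:` twice, first with `enabled: false` and later with `enabled: true`, so which probe setting those deployments actually ran with depends on how the duplicate key was resolved. Note that too if anyone needs to reconstruct the deployed state.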
diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml deleted file mode 100755 index bad4be1585..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox - Nginx web server -name: netbox-nginx -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf b/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf deleted file mode 100755 index 2ef2aca3a1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf +++ /dev/null 
@@ -1,34 +0,0 @@ -worker_processes 1; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - sendfile on; - tcp_nopush on; - keepalive_timeout 65; - gzip on; - server_tokens off; - client_max_body_size 10M; - - server { - listen {{ .Values.service.internalPort }}; - server_name {{ .Values.service.portName }}; - access_log off; - - location /static/ { - alias /opt/netbox/netbox/static/; - } - - location / { - proxy_pass http://netbox-app:8001; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"'; - } - } -} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt deleted file mode 100755 index bd74a42cd5..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml deleted file mode 100755 index 26242be8e2..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-config-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml deleted file mode 100755 index 2d115f74bf..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["nginx"] - args: ["-c", "/etc/netbox-nginx/nginx.conf","-g", "daemon off;"] - ports: - - containerPort: {{ .Values.service.internalPort }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }} - mountPath: /opt/netbox/netbox/static - - name: {{ include "common.fullname" . }}-config - mountPath: /etc/netbox-nginx - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-config-configmap - - name: {{ include "common.fullname" . }} - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml deleted file mode 100755 index c01612e0f4..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml deleted file mode 100755 index a7d0dadbf1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - pullPolicy: Always - -# application image -image: nginx:1.15-alpine -pullPolicy: Always - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteMany - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: netbox/nginx/data - - # Names used for shared pv/pvcs across App & Nginx containers - staticPvName: netbox-static - -service: - type: ClusterIP - name: netbox-nginx - portName: netbox-nginx - internalPort: 8080 - nodePort: 20 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-nginx - roles: - - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore b/kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore deleted file mode 100755 index f0c1319444..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml deleted file mode 100755 index 8aca215a71..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox Posgres database -name: netbox-postgres -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt deleted file mode 100755 index bd74a42cd5..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml deleted file mode 100755 index 9bc530577a..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-docker-entry-initd - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/cassandra/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml deleted file mode 100755 index 8e05524fd1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - env: - - name: POSTGRES_USER - value: "{{ .Values.config.postgresUser }}" - - name: POSTGRES_PASSWORD - value: "{{ .Values.config.postgresPassword }}" - - name: POSTGRES_DB - value: "{{ .Values.config.postgresDB }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/postgresql/ - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml deleted file mode 100755 index 37d07f05a1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml deleted file mode 100755 index 30da3add0d..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml deleted file mode 100755 index 75335884df..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml deleted file mode 100755 index 7e0a324aa1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - -# application image -image: postgres:10.4-alpine -pullPolicy: Always - -# application configuration -config: - postgresUser: netbox - postgresPassword: J5brHrAXFLQSif0K - postgresDB: netbox - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 1Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. 
- - mountPath: /dockerdata-nfs - mountSubPath: netbox/postgres/data - -service: - type: ClusterIP - name: netbox-postgres - portName: netbox-postgres - internalPort: 5432 - externalPort: 5432 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-postgres - roles: - - read diff --git a/kubernetes/contrib/components/netbox/templates/ingress.yaml b/kubernetes/contrib/components/netbox/templates/ingress.yaml deleted file mode 100755 index 6f604a79ba..0000000000 --- a/kubernetes/contrib/components/netbox/templates/ingress.yaml +++ /dev/null 
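Review bot: In the deleted netbox-postgres values.yaml, `config.postgresPassword` holds a literal credential, and deleting the file leaves that value readable in the repository history. The deleted templates/deployment.yaml passed it to the container as a plain `POSTGRES_PASSWORD` env `value:`, so any release installed from this chart with default values runs with a publicly known database password. Suggest stating in the commit message that the value is to be treated as compromised, and that existing netbox-postgres releases need a password change or removal.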
@@ -1,47 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.ingress.enabled -}} -{{- $serviceName := include "common.fullname" . -}} -{{- $servicePort := .Values.service.externalPort -}} -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: {{ $serviceName }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - {{- range $key, $value := .Values.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: / - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end -}} - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/values.yaml b/kubernetes/contrib/components/netbox/values.yaml deleted file mode 100755 index 04d2f27c7c..0000000000 --- a/kubernetes/contrib/components/netbox/values.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefixExt: 304 - commonConfigPrefix: netbox - -################################################################# -# Application configuration defaults. -################################################################# -# application image -pullPolicy: Always - -# default number of instances -replicaCount: 1 -nodeSelector: {} -affinity: {} - -ingress: - enabled: false - -resources: {} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md deleted file mode 100644 index 72f522a000..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md +++ /dev/null 
@@ -1,23 +0,0 @@ -# Motivations -Ingress controller implementation in the ONAP cluster is based on the virtual host routing. -Testing ONAP cluster requires a lot of entries on the target machines in the /etc/hosts. -Adding many entries into the configuration files on testing machines is quite problematic and error prone. -The better wait is to create central DNS server with entries for all virtual host pointed to simpledemo.onap.org and add custom DNS server as a target DNS server for testing machines and/or as external DNS for kubernetes cluster. - -# How to deploy test DNS server: -Run script ./deploy\_dns.sh - -# How to add DNS address on testing machines: -See post deploy info - -# Test DNS inside cluster (optional) -1. You can add the following entry after DNS deploy on running cluster at the end of cluster.yaml file (rke) -~~~yaml -dns: - provider: coredns - upstreamnameservers: - - :31555 -~~~ -2. You can edit coredns configuration with command: - kubectl -n kube-system edit configmap coredns - diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore deleted file mode 100644 index dacad44a66..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore +++ /dev/null 
@@ -1,37 +0,0 @@ -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml deleted file mode 100644 index dede98e707..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -apiVersion: v2 -appVersion: "1.0" -description: bind9 DNS server for kubernetes cluster -name: bind9dns -version: 0.1.0 diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt deleted file mode 100644 index 7211966b89..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt +++ /dev/null 
@@ -1,21 +0,0 @@ -1. Get the installed DNS host and port by running this commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range $.Values.ingress.paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bind9dns.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo DNS host: $NODE_IP dns port: $NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "bind9dns.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bind9dns.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bind9dns.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl deleted file mode 100644 index 3efbbbf831..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* - - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "bind9dns.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "bind9dns.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "bind9dns.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml deleted file mode 100644 index 7640be64a6..0000000000 
--- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "bind9dns.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - containers: - - name: {{ .Chart.Name }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: DNS_FORWARDER - value: {{ .Values.dnsconf.forwarder }} - - name: WILDCARD_DNS - value: {{ .Values.dnsconf.wildcard }} - - name: ALLOW_RECURSION - value: any - - name: ALLOW_QUERY - value: any - ports: - - name: dnsport - containerPort: {{ .Values.service.port }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.port }} - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - tcpSocket: - port: {{ .Values.service.port }} - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml deleted file mode 100644 index 715f2ff78e..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml +++ /dev/null 
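Review bot: The bind9dns templates/deployment.yaml removed here sets both `ALLOW_RECURSION` and `ALLOW_QUERY` to `any` in the container env, and the chart's values.yaml exposes port 53 as a NodePort (31555) over TCP and UDP, so an installed release answers recursive queries from any client that can reach a node. Deleting the chart from the tree does not remove releases that deploy_dns.sh already installed; suggest adding an uninstall step for the bind9dns release to the change description or release notes.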
@@ -1,39 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "bind9dns.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - nodePort: {{ .Values.service.nodePort }} - protocol: TCP - name: dnstcp - - port: {{ .Values.service.port }} - nodePort: {{ .Values.service.nodePort }} - protocol: UDP - name: dnsudp - selector: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml deleted file mode 100644 index 4fe5d05b02..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "bind9dns.fullname" . }}-test-connection" - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "bind9dns.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml deleted file mode 100644 index c9e19f41d0..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -replicaCount: 1 - -image: - repository: luccksam/docker-bind - tag: 0.1.0 - pullPolicy: IfNotPresent - -nameOverride: "" -fullnameOverride: "" - -service: - type: NodePort - port: 53 - nodePort: 31555 - -ingress: - enabled: false - annotations: {} - paths: [] - hosts: - - dnsserver.local - tls: [] - -resources: {} -nodeSelector: {} -tolerations: [] -affinity: {} - -dnsconf: - forwarder: "8.8.8.8,8.8.4.4" - wildcard: "simpledemo.onap.org=0.0.0.0" diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh deleted file mode 100755 index 294ae0a55e..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh +++ /dev/null 
@@ -1,106 +0,0 @@ -#!/bin/sh -e - -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -DNS_PORT=31555 -CLUSTER_CONTROL=$( kubectl get no -l node-role.kubernetes.io/controlplane=true -o jsonpath='{.items..metadata.name}') -CLUSTER_IP=$(kubectl get no $CLUSTER_CONTROL -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') -SPATH="$( dirname "$( which "$0" )" )" - - - -usage() { -cat << ==usage -$0 [cluster_domain] [lb_ip] [helm_chart_args] ... - [cluster_domain] Default value simpledemo.onap.org - [lb_ip] Default value LoadBalancer IP - [helm_chart_args] ... Optional arguments passed to helm install command -$0 --help This message -$0 --info Display howto configure target machine -==usage -} - - -target_machine_notice_info() -{ -cat << ==infodeploy -Extra DNS server already deployed: -1. You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 -2. 
Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine -==infodeploy -} - - -list_node_with_external_addrs() -{ - local WORKER_NODES - WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip - external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip - internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - break - fi - done -} - -ingress_controller_ip() { - local metal_ns - metal_ns=$(kubectl get ns --no-headers --output=custom-columns=NAME:metadata.name |grep metallb-system) - if [ -z $metal_ns ]; then - echo $CLUSTER_IP - else - list_node_with_external_addrs - fi -} - -deploy() { - local ingress_ip - ingress_ip=$(ingress_controller_ip) - initdir = $(pwd) - cd $SPATH/bind9dns - if [ $# -eq 0 ]; then - local cl_domain - cl_domain="simpledemo.onap.org" - else - local cl_domain - cl_domain=$1 - shift - fi - if [ $# -ne 0 ]; then - ingress_ip=$1 - shift - fi - helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@ - cd $initdir - target_machine_notice_info -} - -if [ $# -eq 1 ] && [ "$1" = "-h" ]; then - usage -elif [ $# -eq 1 ] && [ "$1" = "--help" ]; then - usage -elif [ $# -eq 1 ] && [ "$1" = "--info" ]; then - target_machine_notice_info -else - deploy $@ -fi diff --git a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml deleted file mode 100644 index d579333157..0000000000 --- a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml +++ /dev/null 
@@ -1,296 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- - -kind: ConfigMap -apiVersion: v1 -data: - enable-underscores-in-headers: "true" -metadata: - name: nginx-configuration - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: tcp-services - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: udp-services - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: nginx-ingress-clusterrole - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - verbs: - - update - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: nginx-ingress-role - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. - - "ingress-controller-leader-nginx" - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: nginx-ingress-role-nisa-binding - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-ingress-role -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: nginx-ingress-clusterrole-nisa-binding - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-ingress-clusterrole -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-ingress-controller - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" - spec: - serviceAccountName: 
nginx-ingress-serviceaccount - containers: - - name: nginx-ingress-controller - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.1 - args: - - /nginx-ingress-controller - - --configmap=$(POD_NAMESPACE)/nginx-configuration - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - - --publish-service=$(POD_NAMESPACE)/ingress-nginx - - --annotations-prefix=nginx.ingress.kubernetes.io - - --enable-ssl-passthrough=true - securityContext: - allowPrivilegeEscalation: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - # www-data -> 33 - runAsUser: 33 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - ---- - -apiVersion: v1 -kind: Service -metadata: - name: ingress-nginx - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - type: NodePort - ports: - - name: http - port: 80 - targetPort: 80 - protocol: TCP - - name: https - port: 443 - targetPort: 443 - protocol: TCP - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- - diff --git a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml deleted file mode 100644 index 57c0034775..0000000000 
--- a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml +++ /dev/null @@ -1,22 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ingress-nginx - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - externalTrafficPolicy: Local - type: LoadBalancer - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ports: - - name: http - port: 80 - targetPort: http - - name: https - port: 443 - targetPort: https - diff --git a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh deleted file mode 100755 index 495d540905..0000000000 --- a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/sh -e - -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -usage() -{ -cat << ==usage -$0 Automatic configuration using external addresess from nodes -$0 --help This message -$0 -h This message -$0 [cluster_ip1] ... [cluster_ipn] Cluster address or ip ranges -==usage -} - - -find_nodes_with_external_addrs() -{ - local WORKER_NODES - WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip - external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip - internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - fi - done -} - -generate_config_map() -{ -cat <""".format(arg0)) - print(( - "\n" - "Options:\n" - "-h, --help Show this help message and exit\n" - "-t, --table Use the specified format to display the result table.\n" - " Valid formats are those from the python `tabulate'\n" - " module. When not available, a basic builtin tabular\n" - " function is used and this field has no effect\n" - "-f, --fields Comma separated list of resources fields to display.\n" - " You may use wildcard patterns, eg small.*. 
Implicit\n" - " value is *, ie all available fields will be used\n" - "Examples:\n" - " # {0} /opt/oom/kubernetes\n" - " # {0} -f small.\\* /opt/oom/kubernetes\n" - " # {0} -f '*requests.*' -t fancy_grid /opt/oom/kubernetes\n" - " # {0} -f small.requests.cpu,small.requests.memory /opt/oom/kubernetes\n" - ).format(arg0)) - if status is not None: - sys.exit(status) - - -def getopts(): - """ read options from cmdline """ - opts, args = getopt.getopt(sys.argv[1:], - "hf:t:", - ["help", "fields=", "table="]) - if len(args) != 1: - usage(1) - - root = args[0] - table = None - fields = ['*'] - patterns = [] - - for opt, arg in opts: - if opt in ("-h", '--help'): - usage(0) - elif opt in ("-f", "--fields"): - fields = arg.split(',') - elif opt in ("-t", "--table"): - table = arg - - return root, table, fields, patterns - - -def main(): - """ main """ - try: - root, table, fields, patterns = getopts() - except getopt.GetoptError as e: - print("Error: {}".format(e)) - usage(1) - - if not os.path.isdir(root): - info("Cannot open {}: Not a directory".format(root)) - return - - # find projects - projects = [] - for dirname, filename in values(root): - projects.append(Project(dirname, filename)) - if not projects: - info("No projects found in {} directory".format(root)) - return - - # check if we want to use pattern matching (wildcard only) - if fields and reduce(lambda x, y: x or y, - map(lambda string: '*' in string, fields)): - patterns = fields - fields = [] - - # if fields are not specified or patterns are used, discover available fields - # and use them (sort for readability) - if patterns or not fields: - avail = sorted(set(reduce(lambda x, y: x+y, - map(lambda p: p.keys(), projects)))) - if patterns: - for pattern in patterns: - fields += filter(lambda string: match(string, pattern), avail) - else: - fields = avail - - # collect values for each project - results = map(lambda project: [project.name] + map(project.get, - fields), - projects) - - # and then print - if 
results: - headers = ['project'] + fields - print(tabulate(sorted(results), headers, tablefmt=table)) - - -main() diff --git a/kubernetes/contrib/tools/registry-initialize.sh b/kubernetes/contrib/tools/registry-initialize.sh deleted file mode 100755 index 45ee44f3c5..0000000000 --- a/kubernetes/contrib/tools/registry-initialize.sh +++ /dev/null 
@@ -1,152 +0,0 @@ -#!/bin/sh -x - -# Copyright (c) 2021 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Pre-requisite -# 1. Chart packages available under local directory provided as input/argument -# 2. helm client installed with push plugin -# 3. ONAP chartmuseum service deployed - -usage() -{ - echo "Chart Base directory or helm chart from local repo must be provided as input!!" - echo "Usage: registry-initialize.sh -d chartdirectory \ -<-n namespace override> <-r helmrelease override> <-p chart name prefix> | <-h helm charts from local repo>" - exit 1 -} - -if [ $# -eq 0 ]; then - usage -fi - -# defaults -NAMESPACE=onap -RLS_NAME=onap -LOGIN="" -PASSWORD="" -PREF="" -HELM_REPO=local - -while getopts ":d:n:r:p:h:c:" opt; do - case $opt in - d) BASEDIR="$OPTARG" - ;; - n) NAMESPACE="$OPTARG" - ;; - r) RLS_NAME="$OPTARG" - ;; - p) PREF="$OPTARG" - ;; - h) HELM_CHART="$OPTARG" - ;; - c) HELM_REPO="$OPTARG" - ;; - \?) 
echo "Invalid option -$OPTARG" >&2 - usage - ;; - esac -done - - -if [ -z "$BASEDIR" ] && [ -z "$HELM_CHART" ] ; then - echo "Chart base directory provided $BASEDIR and helm chart from local repo is empty" - exit -fi - -if [ -n "$BASEDIR" ] && [ -n "$HELM_CHART" ] ; then - echo "Both chart base directory $BASEDIR and helm chart from local repo $HELM_CHART cannot be used at the same time " - exit -fi - -if [ -n "$BASEDIR" ]; then - if [ "$(find $BASEDIR -maxdepth 1 -name '*tgz' -print -quit)" ]; then - echo "$BASEDIR valid" - else - echo "No chart package on $BASEDIR provided" - exit - fi -fi - -if [ -n "$HELM_CHART" ]; then - tmp_location=$(mktemp -d) - helm pull $HELM_REPO/$HELM_CHART -d $tmp_location - if [ $? -eq 0 ]; then - echo "Helm chart $HELM_CHART has been pulled out from in $HELM_REPO repo" - BASEDIR=$tmp_location - else - echo "No chart package $HELM_CHART on $HELM_REPO repo" - exit - fi -fi - -if [ -z "$PREF" ] && [ -z "$HELM_CHART" ] ; then - PREF=dcae -fi - -LOGIN=$(kubectl -n "$NAMESPACE" get secret \ - "${RLS_NAME}-chartmuseum-registrycred" \ - -o jsonpath='{.data.login}' | base64 -d) - -PASSWORD=$(kubectl -n "$NAMESPACE" get secret \ - "${RLS_NAME}-chartmuseum-registrycred" \ - -o jsonpath='{.data.password}' | base64 -d) - -if [ -z "$LOGIN" ] || [ -z "$PASSWORD" ]; then - echo "Login/Password credential for target registry cannot be retrieved" - exit 1 -fi - -# Expose cluster port via port-forwarding -kubectl -n $NAMESPACE port-forward service/chart-museum 27017:80 & -if [ $? -ne 0 ]; then - echo "Error in port forwarding; registry cannot be added!!" - exit 1 -fi - -sleep 5 - -# Add chartmuseum repo as helm repo -# Credentials should match config defined in -# oom\kubernetes\platform\components\chartmuseum\values.yaml -helm repo add k8s-registry http://127.0.0.1:27017 --username "$LOGIN" \ - --password "$PASSWORD" -if [ $? -ne 0 ]; then - echo "registry cannot be added!!" 
- pkill -f "port-forward service/chart-museum" - exit 1 -fi - -# Initial scope is pushing only dcae charts -# can be expanded to include all onap charts if required -for file in $BASEDIR/$PREF*tgz; do - # use helm plugin to push charts - helm push $file k8s-registry - if [ $? -eq 0 ]; then - echo "$file uploaded to registry successfully" - else - echo "registry upload failed!!" - pkill -f "port-forward service/chart-museum" - helm repo remove k8s-registry - exit 1 - fi -done - -echo "All Helm charts successfully uploaded into internal repository" - -# Remove the port-forwarding process -pkill -f "port-forward service/chart-museum" - -# Remove helm registry from local -helm repo remove k8s-registry diff --git a/kubernetes/contrib/tools/rke/rke_setup.sh b/kubernetes/contrib/tools/rke/rke_setup.sh deleted file mode 100755 index a8938a96ee..0000000000 --- a/kubernetes/contrib/tools/rke/rke_setup.sh +++ /dev/null 
@@ -1,353 +0,0 @@ -#!/bin/sh - -############################################################################# -# Copyright © 2019 Bell. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -############################################################################# -# -# This installation is for an RKE install of kubernetes -# after this run the standard oom install -# this installation can be run on any ubuntu 16.04/18.04 VM, RHEL 7.6 (root only), physical or cloud azure/aws host -# https://wiki.onap.org/display/DW/OOM+RKE+Kubernetes+Deployment -# source from https://jira.onap.org/browse/OOM-1598 -# -# master/dublin -# RKE 0.1.16 Kubernetes 1.11.6, kubectl 1.11.6, Helm 2.9.1, Docker 18.06 -# 20190428 RKE 0.2.1, Kubernetes 1.13.5, kubectl 1.13.5, Helm 2.12.3, Docker 18.09.5 -# single node install, HA pending - -usage() { -cat < cluster.yml <> /etc/hosts - echo "Install docker - If you must install as non-root - comment out the docker install below - run it separately, run the user mod, logout/login and continue this script" - curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh - sudo usermod -aG docker $USERNAME - - echo "Install RKE" - sudo wget https://github.com/rancher/rke/releases/download/v$RKE_VERSION/rke_linux-amd64 - mv rke_linux-amd64 rke - sudo chmod +x rke - sudo mv ./rke /usr/local/bin/rke - - echo "Install make - required for beijing+ - installed via yum groupinstall Development Tools in RHEL" - # ubuntu specific - sudo apt-get install 
make -y - - sudo curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl - sudo chmod +x ./kubectl - sudo mv ./kubectl /usr/local/bin/kubectl - sudo mkdir ~/.kube - wget http://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz - sudo tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz - sudo mv linux-amd64/helm /usr/local/bin/helm - - echo "Bringing RKE up - using supplied cluster.yml" - sudo rke up - echo "wait 2 extra min for the cluster" - sleep 60 - echo "1 more min" - sleep 60 - echo "copy kube_config_cluter.yaml generated - to ~/.kube/config" - sudo cp kube_config_cluster.yml ~/.kube/config - # avoid using sudo for kubectl - sudo chmod 777 ~/.kube/config - echo "Verify all pods up on the kubernetes system - will return localhost:8080 until a host is added" - echo "kubectl get pods --all-namespaces" - kubectl get pods --all-namespaces - echo "install tiller/helm" - kubectl -n kube-system create serviceaccount tiller - kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller - helm init --service-account tiller - kubectl -n kube-system rollout status deploy/tiller-deploy - echo "upgrade server side of helm in kubernetes" - if [ "$USERNAME" = "root" ]; then - helm version - else - sudo helm version - fi - echo "sleep 30" - sleep 30 - if [ "$USERNAME" = "root" ]; then - helm init --upgrade - else - sudo helm init --upgrade - fi - echo "sleep 30" - sleep 30 - echo "verify both versions are the same below" - if [ "$USERNAME" = "root" ]; then - helm version - else - sudo helm version - fi - echo "start helm server" - if [ "$USERNAME" = "root" ]; then - helm serve & - else - sudo helm serve & - fi - echo "sleep 30" - sleep 30 - echo "add local helm repo" - if [ "$USERNAME" = "root" ]; then - helm repo add local http://127.0.0.1:8879 - helm repo list - else - sudo helm repo add local http://127.0.0.1:8879 - sudo helm repo list - fi - echo 
"To enable grafana dashboard - do this after running cd.sh which brings up onap - or you may get a 302xx port conflict" - echo "kubectl expose -n kube-system deployment monitoring-grafana --type=LoadBalancer --name monitoring-grafana-client" - echo "to get the nodeport for a specific VM running grafana" - echo "kubectl get services --all-namespaces | grep graf" - sudo docker version - helm version - kubectl version - kubectl get services --all-namespaces - kubectl get pods --all-namespaces - echo "finished!" -} - -BRANCH= -SERVER= -ENVIRON= -VALIDATE=false -USERNAME=ubuntu -SSHPATH_PREFIX=~/.ssh - -while getopts ":b:s:e:u:l:k:v" PARAM; do - case $PARAM in - u) - usage - exit 1 - ;; - b) - BRANCH=${OPTARG} - ;; - e) - ENVIRON=${OPTARG} - ;; - s) - SERVER=${OPTARG} - ;; - l) - USERNAME=${OPTARG} - ;; - k) - SSHKEY=${OPTARG} - ;; - v) - VALIDATE=${OPTARG} - ;; - ?) - usage - exit - ;; - esac -done - -if [ -z $BRANCH ]; then - usage - exit 1 -fi - -install_onap $BRANCH $SERVER $ENVIRON $USERNAME $SSHPATH_PREFIX $SSHKEY $VALIDATE diff --git a/kubernetes/contrib/values.yaml b/kubernetes/contrib/values.yaml deleted file mode 100644 index 8a44934d8f..0000000000 --- a/kubernetes/contrib/values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - cmpv2Enabled: true - -awx: - enabled: true -netbox: - enabled: true 
diff --git a/kubernetes/cps/Chart.yaml b/kubernetes/cps/Chart.yaml index 7b60d63c19..06fdcf0305 100644 --- a/kubernetes/cps/Chart.yaml +++ b/kubernetes/cps/Chart.yaml @@ -17,25 +17,25 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) name: cps -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: roles-wrapper - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: standaloneDeployment - name: cps-core - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: cps-core.enabled - name: cps-temporal - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: cps-temporal.enabled - name: ncmp-dmi-plugin - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: ncmp-dmi-plugin.enabled diff --git a/kubernetes/cps/Makefile b/kubernetes/cps/Makefile index 0e0560c68e..5617b0d816 100644 --- a/kubernetes/cps/Makefile +++ b/kubernetes/cps/Makefile @@ -22,6 +22,12 @@ HELM_REPO := local EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,12 +45,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME $(HELM_REPO); fi + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock 
diff --git a/kubernetes/cps/components/Makefile b/kubernetes/cps/components/Makefile index 9a84ab8375..616a5fc5ea 100644 --- a/kubernetes/cps/components/Makefile +++ b/kubernetes/cps/components/Makefile @@ -22,6 +22,12 @@ HELM_REPO := local EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + # Helm v2 and helm v3 uses different version format so we first try in helm v3 format # and if it fails then we fallback to helm v2 one HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}" 2>/dev/null) @@ -46,12 +52,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME $(HELM_REPO); fi + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME $(HELM_REPO); fi @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/cps/components/cps-core/Chart.yaml b/kubernetes/cps/components/cps-core/Chart.yaml index fcaee60ac3..b1aa1046dd 100644 --- a/kubernetes/cps/components/cps-core/Chart.yaml +++ b/kubernetes/cps/components/cps-core/Chart.yaml 
@@ -18,26 +18,26 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - Core name: cps-core -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster - name: postgres-init - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: postgres.postgresInit - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml index e295a37b45..81b81341e5 100644 --- a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml @@ -1,7 +1,7 @@ {{/* # Copyright (C) 2021 Pantheon.tech # Modifications Copyright (C) 2020 Bell Canada. -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # Modifications Copyright (C) 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -37,8 +37,8 @@ spring: client-id: cps-core security: - # comma-separated uri patterns which do not require authorization - permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/api-docs +# comma-separated uri patterns which do not require authorization + permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs/** auth: username: ${CPS_USERNAME} password: ${CPS_PASSWORD} 
@@ -48,23 +48,35 @@ logging: org: springframework: {{ .Values.logging.level }} -dmi: - auth: - username: ${DMI_USERNAME} - password: ${DMI_PASSWORD} +ncmp: + dmi: + auth: + username: ${DMI_USERNAME} + password: ${DMI_PASSWORD} -{{- if .Values.config.useStrimziKafka }} -spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} +{{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 spring.kafka.security.protocol: SASL_PLAINTEXT -spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 -spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} + +# Kafka Topics +{{- if .Values.topics.config }} +{{ toYaml .Values.topics.config | nindent 2 }} {{- end }} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} {{- end }} +# Custom Hazelcast config. +hazelcast: + mode: + kubernetes: + enabled: {{ .Values.hazelcast.config.kubernetesDiscovery }} + service-name: {{ .Values.hazelcast.config.kubernetesServiceName }} + # Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-core/resources/config/logback-spring.xml b/kubernetes/cps/components/cps-core/resources/config/logback-spring.xml new file mode 100644 index 0000000000..03076023b3 --- /dev/null +++ b/kubernetes/cps/components/cps-core/resources/config/logback-spring.xml 
@@ -0,0 +1,75 @@ + + + + + + + + + + + + + + + + + + true + + { + "logTimeStamp": "${currentTimeStamp:-}", + "logTypeName": "", + "logLevel": "%level", + "traceId": "%X{traceId:-}", + "statusCode": "", + "principalId": "${username:-}", + "serviceName": "${springAppName:-}", + "message": "%message", + "spanId": "%X{spanId:-}", + "processId": "${PID:-}", + "threadName": "%thread", + "class": "%logger{40}", + "exception": "%wEx" + } + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/cps/components/cps-core/resources/config/logback.xml b/kubernetes/cps/components/cps-core/resources/config/logback.xml deleted file mode 100644 index 8256cfa18d..0000000000 --- a/kubernetes/cps/components/cps-core/resources/config/logback.xml +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - %d - %highlight(%-5level) [%-20.20thread] %cyan(%logger{36}) - %msg%n - - - - - - - - - - - - diff --git a/kubernetes/cps/components/cps-core/templates/deployment.yaml b/kubernetes/cps/components/cps-core/templates/deployment.yaml index a247f148a7..daf6fd3dfa 100644 --- a/kubernetes/cps/components/cps-core/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-core/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright (C) 2021 Pantheon.tech, Orange # Modifications Copyright (C) 2021 Bell Canada. -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -57,10 +57,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "login") | indent 12 }} - name: DMI_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -97,6 +98,25 @@ spec: env: - name: SPRING_PROFILES_ACTIVE value: {{ .Values.config.spring.profile }} + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + - name: LIQUIBASE_LABELS + value: {{ .Values.config.liquibaseLabels }} + - name: CPS_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }} + - name: CPS_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }} + - name: DMI_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "login") | indent 12 }} + - name: DMI_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "password") | indent 12 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} 
@@ -108,8 +128,8 @@ spec: - mountPath: /app/resources/application-helm.yml subPath: application-helm.yml name: init-data - - mountPath: /app/resources/logback.xml - subPath: logback.xml + - mountPath: /app/resources/logback-spring.xml + subPath: logback-spring.xml name: init-data - mountPath: /tmp name: init-temp @@ -122,5 +142,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml b/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml new file mode 100644 index 0000000000..7274ee02b2 --- /dev/null +++ b/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/templates/kafkauser.yaml b/kubernetes/cps/components/cps-core/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/cps-core/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/templates/service.yaml b/kubernetes/cps/components/cps-core/templates/service.yaml index 97657bfc0b..52263a87ac 100644 --- a/kubernetes/cps/components/cps-core/templates/service.yaml +++ b/kubernetes/cps/components/cps-core/templates/service.yaml @@ -15,3 +15,5 @@ */}} {{ include "common.service" . }} +--- +{{ include "common.headlessService" . }} diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index 5a10b2f4ae..d72863955f 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -1,6 +1,6 @@ # Copyright (C) 2021 Pantheon.tech, Orange, Bell Canada. # Modifications Copyright (C) 2022 Bell Canada -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -43,13 +43,6 @@ secrets: login: '{{ .Values.config.dmiPluginUserName }}' password: '{{ .Values.config.dmiPluginUserPassword }}' passwordPolicy: generate - - uid: cps-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate ################################################################# # Global configuration defaults. @@ -75,30 +68,30 @@ global: container: name: postgres -image: onap/cps-and-ncmp:3.0.1 -containerPort: &svc_port 8080 -managementPort: &mgt_port 8081 +image: onap/cps-and-ncmp:3.3.11 service: type: ClusterIP + headless: {} name: cps-core + internalPort: &svc_port 8080 ports: - name: &port http port: *svc_port - - name: http-management - port: *mgt_port - targetPort: *mgt_port + headlessPorts: + - name: tcp-hazelcast + port: 5701 prometheus: enabled: false metrics: serviceMonitor: - port: http-management + port: http ## specify target port if name is not given to the port in the service definition ## # targetPort: 8080 - path: /manage/prometheus + path: /actuator/prometheus interval: 60s basicAuth: enabled: false @@ -116,18 +109,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1.5Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1.5Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "3Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "3Gi" unlimited: {} # probe configuration parameters liveness: 
@@ -136,25 +129,25 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port readiness: initialDelaySeconds: 15 periodSeconds: 15 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port startup: failureThreshold: 5 periodSeconds: 60 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port ingress: enabled: true service: - - baseaddr: "cps-core" + - baseaddr: "cps-core-api" path: "/" name: "cps-core" port: *svc_port @@ -173,8 +166,7 @@ securityContext: ################################################################# config: - - # Set it for pre loading xnfdata, else set to null + # Set it for preloading xnfdata, else set to null liquibaseLabels: xnf-data-preload # REST API basic authentication credentials (passsword is generated if not provided) 
@@ -189,30 +181,48 @@ config: # spring.config.max-size: 200 # spring.config.min-size: 10 -# kafka config - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. - -# eventPublisher: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: SASL_PLAINTEXT -# spring.kafka.properties.sasl.mechanism: PLAIN -# spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret; - additional: - notification.data-updated.enabled: true - notification.data-updated.topic: cps.data-updated-events + notification.enabled: true + notification.data-updated.topic: &dataUpdatedTopic cps.data-updated-events notification.data-updated.filters.enabled-dataspaces: "" notification.async.enabled: false notification.async.executor.core-pool-size: 2 - notification.async.executor.max-pool-size: 1 + notification.async.executor.max-pool-size: 10 notification.async.executor.queue-capacity: 500 notification.async.executor.wait-for-tasks-to-complete-on-shutdown: true notification.async.executor.thread-name-prefix: Async- +# Strimzi KafkaUser and Topic config +kafkaTopic: + - name: &dmiCmEventsTopic dmi-cm-events + retentionMs: 7200000 + segmentBytes: 1073741824 + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: cps-core-group + type: group + operations: [Read] + - name: *dataUpdatedTopic + type: topic + operations: [Write] + - name: *dmiCmEventsTopic + type: topic + operations: [Read] + - name: &ncmpAsyncM2MTopic ncmp-async-m2m + type: topic + operations: [Read] + - name: &cmAvcSubscriptionTopic cm-avc-subscription + type: topic + operations: [Read] + +topics: + config: + app.ncmp.async-m2m.topic: *ncmpAsyncM2MTopic + app.ncmp.avc.subscription-topic: *cmAvcSubscriptionTopic + app.dmi.cm-events.topic: 
*dmiCmEventsTopic + logging: level: INFO path: /tmp @@ -250,6 +260,8 @@ postgres-init: pgDatabase: cpsdb pgDataPath: data pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: cps-postgres-init # pgPrimaryPassword: password # pgUserPassword: password @@ -257,10 +269,19 @@ postgres-init: readinessCheck: wait_for: - - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' + services: + - '{{ .Values.global.postgres.service.name2 }}' minReadySeconds: 10 updateStrategy: type: RollingUpdate maxUnavailable: 0 maxSurge: 1 + +# Hazlecast custom configurations. +hazelcast: + config: + kubernetesDiscovery: true + kubernetesServiceName: cps-core-headless + + diff --git a/kubernetes/cps/components/cps-temporal/Chart.yaml b/kubernetes/cps/components/cps-temporal/Chart.yaml index cbda1175d6..4f3f317b29 100644 --- a/kubernetes/cps/components/cps-temporal/Chart.yaml +++ b/kubernetes/cps/components/cps-temporal/Chart.yaml @@ -21,21 +21,21 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - Temporal name: cps-temporal -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: timescaledb - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml index 6e80843949..bede7f1fdc 100644 --- a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml 
@@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,23 +25,18 @@ spring: username: ${DB_USERNAME} password: ${DB_PASSWORD} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} - app: listener: data-updated: topic: {{ .Values.config.app.listener.dataUpdatedTopic }} -{{- if .Values.config.useStrimziKafka }} -spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -spring.kafka.security.protocol: SASL_PLAINTEXT -spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 -spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} {{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml index 71ff37193b..143740d191 100644 --- a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml 
@@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -54,10 +54,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }} - name: APP_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -113,6 +114,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml b/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml b/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/values.yaml b/kubernetes/cps/components/cps-temporal/values.yaml index a92791e019..56e229a0cd 100644 --- a/kubernetes/cps/components/cps-temporal/values.yaml +++ b/kubernetes/cps/components/cps-temporal/values.yaml 
@@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,15 +40,8 @@ secrets: login: '{{ .Values.config.appUserName }}' password: '{{ .Values.config.appUserPassword }}' passwordPolicy: generate - - uid: cps-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -image: onap/cps-temporal:1.1.0 + +image: onap/cps-temporal:1.2.1 containerPort: &svc_port 8080 managementPort: &mgt_port 8081 @@ -90,18 +83,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "4Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "4Gi" unlimited: {} # probe configuration parameters liveness: @@ -122,7 +115,7 @@ readiness: ingress: enabled: true service: - - baseaddr: "cps-temporal" + - baseaddr: "cps-temporal-api" path: "/" name: "cps-temporal" port: *svc_port 
@@ -146,24 +139,9 @@ config: spring: profile: helm #appUserPassword: - -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: cps-temporal-group app: listener: - dataUpdatedTopic: cps.data-updated-events -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. - -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: cps-temporal-group + dataUpdatedTopic: &dataUpdatedTopic cps.data-updated-events # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. @@ -171,6 +149,17 @@ config: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: cps-temporal-group + type: group + operations: [Read] + - name: *dataUpdatedTopic + type: topic + operations: [Read] + logging: level: INFO path: /tmp @@ -194,7 +183,8 @@ timescaledb: readinessCheck: wait_for: - - cps-temporal-db + services: + - cps-temporal-db minReadySeconds: 10 updateStrategy: diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml index 669be9e274..fb578590e0 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml 
@@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - NCMP-DMI-Plugin name: ncmp-dmi-plugin -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml index 8e71114c8c..2b68b6c04f 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml @@ -37,7 +37,7 @@ sdnc: security: # comma-separated uri patterns which do not require authorization - permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/v3/api-docs + permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs auth: username: ${DMI_PLUGIN_USERNAME} password: ${DMI_PLUGIN_PASSWORD} @@ -49,6 +49,18 @@ logging: onap: cps: {{ .Values.logging.cps }} +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} +{{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} + +# Kafka Topics +{{- if .Values.topics.config }} +{{ toYaml .Values.topics.config | nindent 2 }} +{{- end }} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} 
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml index 3d154dba64..351f8834a4 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml @@ -31,10 +31,7 @@ spec: maxSurge: {{ index .Values.updateStrategy.maxSurge }} selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app.kubernetes.io/name: {{ include "common.name" . }} - app.kubernetes.io/instance: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} @@ -60,6 +57,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-core-creds" "key" "login") | indent 12 }} - name: CPS_CORE_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-core-creds" "key" "password") | indent 12 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -90,6 +92,11 @@ spec: env: - name: SPRING_PROFILES_ACTIVE value: {{ .Values.config.spring.profile }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} @@ -112,5 +119,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml new file mode 100644 index 0000000000..7274ee02b2 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file 
diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml index 0edb648327..e0bc868c54 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml @@ -47,9 +47,8 @@ global: virtualhost: baseurl: "simpledemo.onap.org" -image: onap/ncmp-dmi-plugin:1.1.0 +image: onap/ncmp-dmi-plugin:1.4.0 containerPort: &svc_port 8080 -managementPort: &mgt_port 8081 prometheus: enabled: false @@ -60,17 +59,14 @@ service: ports: - name: &port http port: *svc_port - - name: http-management - port: *mgt_port - targetPort: *mgt_port metrics: serviceMonitor: - port: http-management + port: http ## specify target port if name is not given to the port in the service definition ## # targetPort: 8080 - path: /manage/prometheus + path: /actuator/prometheus interval: 60s basicAuth: enabled: false @@ -88,18 +84,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -108,19 +104,19 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port readiness: initialDelaySeconds: 15 periodSeconds: 15 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port ingress: enabled: true service: - - baseaddr: "ncmp-dmi-plugin" + - baseaddr: "cps-ncmp-dmi-plugin-api" path: "/" name: *svc_name port: *svc_port 
@@ -164,16 +160,51 @@ config: # spring.config.min-size: 10 logging: - level: INFO + level: DEBUG cps: DEBUG path: /tmp readinessCheck: wait_for: - - cps-core + services: + - cps-core minReadySeconds: 10 updateStrategy: type: RollingUpdate maxUnavailable: 0 maxSurge: 1 + +# Strimzi KafkaUser and Topic config +kafkaTopic: + - name: &ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: &dmiNcmpCmAvcSubscriptionTopic dmi-ncmp-cm-avc-subscription + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: &ncmpAsyncM2MTopic ncmp-async-m2m + retentionMs: 7200000 + segmentBytes: 1073741824 + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: ncmp-dmi-plugin-group + type: group + operations: [Read] + - name: *ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic + type: topic + operations: [Read] + - name: *dmiNcmpCmAvcSubscriptionTopic + type: topic + operations: [Write] + - name: *ncmpAsyncM2MTopic + type: topic + operations: [Write] + +topics: + config: + app.ncmp.async.topic: *ncmpAsyncM2MTopic + app.dmi.avc.subscription-topic: *ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic + app.dmi.avc.subscription-response-topic: *dmiNcmpCmAvcSubscriptionTopic diff --git a/kubernetes/cps/templates/cps-kafka-topic.yaml b/kubernetes/cps/templates/cps-kafka-topic.yaml deleted file mode 100644 index 1a23ddfc9b..0000000000 --- a/kubernetes/cps/templates/cps-kafka-topic.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.dataUpdatedTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: {{ .Values.config.dataUpdatedTopic.partitions }} - config: - retention.ms: {{ .Values.config.dataUpdatedTopic.retentionMs }} - segment.bytes: {{ .Values.config.dataUpdatedTopic.segmentBytes }} -{{- end }} \ No newline at end of file diff --git a/kubernetes/cps/templates/cps-kafka-user.yaml b/kubernetes/cps/templates/cps-kafka-user.yaml deleted file mode 100644 index b3136d7f04..0000000000 --- a/kubernetes/cps/templates/cps-kafka-user.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.config.dataUpdatedTopic.consumer.groupId }} - operation: Read - - resource: - type: topic - name: {{ .Values.config.dataUpdatedTopic.name }} - operation: Read - - resource: - type: topic - name: {{ .Values.config.dataUpdatedTopic.name }} - operation: Write -{{- end }} \ No newline at end of file diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml index 700ad38844..a08690ed53 100755 --- a/kubernetes/cps/values.yaml +++ b/kubernetes/cps/values.yaml @@ -1,5 +1,5 @@ # Copyright (C) 2021 Bell Canada -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -48,13 +48,41 @@ config: coreUserName: cpsuser dmiPluginUserName: dmiuser useStrimziKafka: true - dataUpdatedTopic: - name: cps.data-updated-events - partitions: 10 + ncmpEventsTopic: + name: ncmp-events retentionMs: 7200000 - segmentBytes: 1073741824 consumer: - groupId: cps-temporal-group + groupId: ncmp-group + ncmpAsyncM2MTopic: + name: ncmp-async-m2m + retentionMs: 600000 + consumer: + groupId: ncmp-group + dmiCmEventsTopic: + name: dmi-cm-events + retentionMs: 7200000 + consumer: + groupId: ncmp-group + ncmpCmAvcSubscriptionTopic: + name: cm-avc-subscription + retentionMs: 7200000 + consumer: + groupId: ncmp-group + ncmpCmEventsTopic: + name: cm-events + retentionMs: 7200000 + consumer: + groupId: ncmp-group + dmiCmAvcSubscriptionTopic: + name: ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin + retentionMs: 7200000 + consumer: + groupId: ncmp-group + dmiCmAvcSubscriptionResponseTopic: + name: dmi-ncmp-cm-avc-subscription + retentionMs: 7200000 + consumer: + groupId: ncmp-group # Enable all CPS components by default cps-core: diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml index 23d0bbd929..ade33b4c3f 100644 --- a/kubernetes/dcaegen2-services/Chart.yaml +++ b/kubernetes/dcaegen2-services/Chart.yaml @@ -1,8 +1,9 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2020 J. F. Lucas. All rights reserved. +# Copyright (c) 2020, 2024 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,88 +19,88 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE Microservices name: dcaegen2-services -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcae-datafile-collector - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datafile-collector.enabled - name: dcae-datalake-admin-ui - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-admin-ui.enabled - name: dcae-datalake-des - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-des.enabled - name: dcae-datalake-feeder - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-feeder.enabled - name: dcae-heartbeat - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-heartbeat.enabled - name: dcae-hv-ves-collector - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-hv-ves-collector.enabled - name: dcae-kpi-ms - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-kpi-ms.enabled - name: dcae-ms-healthcheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ms-healthcheck.enabled - name: dcae-pm-mapper - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-pm-mapper.enabled - name: dcae-pmsh - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-pmsh.enabled - name: dcae-prh - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-prh.enabled - name: dcae-restconf-collector - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-restconf-collector.enabled - name: dcae-slice-analysis-ms - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-slice-analysis-ms.enabled - name: dcae-snmptrap-collector - version: ~11.x-0 + version: ~13.x-0 
repository: '@local' condition: dcae-snmptrap-collector.enabled - name: dcae-son-handler - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-son-handler.enabled - name: dcae-tcagen2 - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-tcagen2.enabled - name: dcae-ves-collector - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ves-collector.enabled - name: dcae-ves-mapper - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ves-mapper.enabled - name: dcae-ves-openapi-manager - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/dcae-ves-openapi-manager' condition: dcae-ves-openapi-manager.enabled diff --git a/kubernetes/dcaegen2-services/Makefile b/kubernetes/dcaegen2-services/Makefile index 0e0560c68e..501ab2c0da 100644 --- a/kubernetes/dcaegen2-services/Makefile +++ b/kubernetes/dcaegen2-services/Makefile @@ -22,6 +22,12 @@ HELM_REPO := local EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -39,12 +45,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME $(HELM_REPO); fi + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME $(HELM_REPO); fi @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock 
diff --git a/kubernetes/dcaegen2-services/common/Makefile b/kubernetes/dcaegen2-services/common/Makefile index 9a84ab8375..616a5fc5ea 100644 --- a/kubernetes/dcaegen2-services/common/Makefile +++ b/kubernetes/dcaegen2-services/common/Makefile @@ -22,6 +22,12 @@ HELM_REPO := local EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + # Helm v2 and helm v3 uses different version format so we first try in helm v3 format # and if it fails then we fallback to helm v2 one HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}" 2>/dev/null) @@ -46,12 +52,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME $(HELM_REPO); fi + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME $(HELM_REPO); fi @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml index 25fa92b696..64fee4bba7 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml @@ -21,9 +21,9 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Microservices Common templates name: dcaegen2-services-common -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl index afd3c38f31..bb35e80848 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl @@ -1,7 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2019 AT&T -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -33,14 +33,10 @@ The template always produces a configMap containing the microservice's initial configuration data. (See the documentation for dcaegen2-services-common.microserviceDeployment for more details.) -If the microservice is using one or more Data Router (DR) feeds, the +If the microservice is publishing to one or more Data Router (DR) feeds, the template produces a configMap containing the information needed to provision the feed(s). An init container performs the provisioning. -If the microservice acts as a DR publisher for one or more feeds, the -template produces a configMap containing the information needed to -provision the publisher(s). An init container performs the provisioning. - If the microservice acts as a DR subscriber for one or more feeds, the template produces a configMap containing the information needed to provision the subscribeer(s). An init container performs the provisioning. 
@@ -70,22 +66,22 @@ metadata: data: {{- range $i, $feed := .Values.drFeedConfig }} feedConfig-{{$i}}.json: |- - {{ $feed | toJson | indent 2 }} - {{- end }} -{{- end }} - -{{- if .Values.drPubConfig }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-drpub-config - namespace: {{ include "common.namespace" . }} - labels: {{ include "common.labels" . | nindent 6 }} -data: - {{- range $i, $drpub := .Values.drPubConfig }} - drpubConfig-{{$i}}.json: |- - {{ $drpub | toJson | indent 2 }} + { + "name": {{ $feed.feedName | quote }}, + "version": {{ $feed.feedVersion | quote }}, + "description": {{ $feed.feedDescription | default "None" | quote }}, + "authorization": { + "classification": {{ $feed.classification | quote }}, + "endpoint_addrs": [ + ], + "endpoint_ids": [ + { + "id": {{ $feed.publisher.username | quote }}, + "password": {{ $feed.publisher.password | quote }} + } + ] + } + } {{- end }} {{- end }} @@ -100,7 +96,23 @@ metadata: data: {{- range $i, $drsub := .Values.drSubConfig }} drsubConfig-{{$i}}.json: |- - {{ $drsub | toJson | indent 2 }} + { + "feed": { + "name": {{ $drsub.feedName | quote }}, + "version": {{ $drsub.feedVersion | quote }} + }, + "delivery": { + "url": {{ $drsub.deliveryURL | quote }}, + "user": {{ $drsub.username | quote }}, + "password": {{ $drsub.userpwd | quote }}, + "use100": {{ $drsub.use100 | default false }} + }, + "metadataOnly": {{ $drsub.metadataOnly | default false }}, + "groupid": {{ $drsub.groupId | default 0 }}, + "follow_redirect": {{ $drsub.followRedirect | default true }}, + "privileged_subscriber": {{ $drsub.privilegedSubscriber | default false }}, + "decompress": {{ $drsub.decompress | default false }} + } {{- end }} {{- end }} {{- end }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 6c742c07de..c841d6df50 100644 
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -1,7 +1,7 @@ {{/* #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2021 Nokia. All rights reserved. # Copyright (c) 2021 Nordix Foundation. @@ -60,11 +60,19 @@ the the literal string "An example value". - name: {{ $envName }} value: {{ tpl $envValue $global | quote }} {{- else }} - {{ if or (not $envValue.secretUid) (not $envValue.key) }} - {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} - {{- end }} + {{- if and (hasKey $envValue "externalSecret") ($envValue.externalSecret) }} +- name: {{ $envName }} + valueFrom: + secretKeyRef: + name: {{ tpl $envValue.externalSecretUid $global | quote }} + key: {{ tpl $envValue.key $global | quote }} + {{- else }} + {{ if or (not $envValue.secretUid) (not $envValue.key) }} + {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} + {{- end }} - name: {{ $envName }} {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }} + {{- end }} {{- end -}} {{- end }} {{- end }} 
@@ -173,7 +181,14 @@ The exact content of the Deployment generated from this template depends on the content of .Values. The Deployment always includes a single Pod, with a container that uses -the DCAE microservice image. +the DCAE microservice image. The image name and tag are specified by +.Values.image. By default, the image comes from the ONAP repository +(registry) set up by the common repositoryGenerator template. A different +repository for the microservice image can be set using +.Values.imageRepositoryOverride. Note that this repository must not +require authentication, because there is no way to specify credentials for +the override repository. imageRepositoryOverride is intended primarily +for testing purposes. The Deployment Pod may also include a logging sidecar container. The sidecar is included if .Values.log.path is set. The @@ -213,16 +228,6 @@ process into the microservice's configuration. See the documentation for the common DMaaP provisioning template (oom/kubernetes/common/common/templates/_dmaapProvisioning.tpl). -If the microservice acts as a TLS client or server, the Deployment will -include an initContainer that retrieves certificate information from -the AAF certificate manager. The information is mounted at the -mount point specified in .Values.certDirectory. If the microservice is -a TLS server (indicated by setting .Values.tlsServer to true), the -certificate information will include a server cert and key, in various -formats. It will also include the AAF CA cert. If the microservice is -a TLS client only (indicated by setting .Values.tlsServer to false), the -certificate information includes only the AAF CA cert. - If the microservice uses certificates from an external CMPv2 provider, the Deployment will include an initContainer that performs certificate post-processing. 
@@ -231,12 +236,11 @@ post-processing. {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $log := default dict .Values.log -}} {{- $logDir := default "" $log.path -}} -{{- $certDir := default "" .Values.certDirectory . -}} -{{- $tlsServer := default "" .Values.tlsServer -}} +{{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}} {{- $commonRelease := print (include "common.release" .) -}} {{- $policy := default dict .Values.policies -}} {{- $policyRls := default $commonRelease $policy.policyRelease -}} -{{- $drFeedConfig := default "" .Values.drFeedConfig -}} +{{- $drNeedProvisioning := or .Values.drFeedConfig .Values.drSubConfig -}} {{- $dcaeName := print (include "common.fullname" .) }} {{- $dcaeLabel := (dict "dcaeMicroserviceName" $dcaeName) -}} {{- $dot := . -}} 
@@ -250,28 +254,13 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: + {{- if .Values.readinessCheck }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} - {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} - {{- if $certDir }} - - name: init-tls - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: TLS_SERVER - value: {{ $tlsServer | quote }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - resources: {{ include "common.resources" . | nindent 2 }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info {{- end }} + {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + - image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} env: @@ -318,10 +307,10 @@ spec: {{- end }} {{- end }} {{- end }} - resources: {{ include "common.resources" . | nindent 2 }} + resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /app-config - name: {{ ternary "app-config-input" "app-config" (not $drFeedConfig) }} + name: {{ ternary "app-config-input" "app-config" (not $drNeedProvisioning) }} - mountPath: /app-config-input name: app-config-input {{- if $logDir }} 
@@ -381,14 +370,10 @@ spec: - name: POLICY_SYNC_DURATION value: "{{ $policy.duration }}" {{- end }} - resources: {{ include "common.resources" . | nindent 2 }} + resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /etc/policies name: policy-shared - {{- if $certDir }} - - mountPath: /opt/ca-certificates/ - name: tls-info - {{- end }} {{- end }} hostname: {{ include "common.name" . }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -418,8 +403,7 @@ spec: {{- end }} {{- include "common.dmaap.provisioning._volumes" . | nindent 6 -}} {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end -}} {{/* diff --git a/kubernetes/dcaegen2-services/components/Makefile b/kubernetes/dcaegen2-services/components/Makefile index 0f8aa99e0e..7a8d304690 100644 --- a/kubernetes/dcaegen2-services/components/Makefile +++ b/kubernetes/dcaegen2-services/components/Makefile @@ -22,6 +22,12 @@ HELM_REPO := local EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
@@ -39,12 +45,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME $(HELM_REPO); fi - @sleep 5 + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME $(HELM_REPO); fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml index c51c2221dd..d5cc948cb4 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Nordix Foundation. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,27 +19,27 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE DataFile Collector Helm charts name: dcae-datafile-collector -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/ingress.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/ingress.yaml new file mode 100644 index 0000000000..79df5ced0c --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml index 3fffb9c79b..30da823e60 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml @@ -2,7 +2,8 @@ # ========================================================================= # Copyright (c) 2021 Nordix Foundation. # Copyright (c) 2022 Nokia. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ========================================================================= # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -45,14 +46,13 @@ secrets: ################################################################# # InitContainer Images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.8.0 +image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.10.0 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -66,11 +66,6 @@ logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # if absent, no certs will be retrieved and stored certDirectory: /opt/app/datafile/etc/cert -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # CMPv2 certificate # It is used only when: # - certDirectory is set @@ -94,12 +89,13 @@ certificates: create: true # Dependencies +# Waiting for dmaap-dr-node (which depends on dmaap-dr-prov) +# to be sure that we can provision the DR feed that's needed readinessCheck: wait_for: - containers: - - aaf-cm - - dmaap-bc - - dmaap-provisioning-job + services: + - dmaap-dr-node + - message-router # Probe Configuration readiness: 
@@ -115,11 +111,29 @@ service: type: ClusterIP name: datafile-collector ports: - - name: https + - name: http port: 8443 plain_port: 8100 port_protocol: http +ingress: + enabled: false + service: + - baseaddr: "dcae-datafile-collector-api" + name: "datafile-collector" + port: 8443 + plain_port: 8100 + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: message-router-read + - serviceAccount: istio-ingress + namespace: istio-ingress + # Data Router Publisher Credentials drPubscriberCreds: username: username @@ -139,11 +153,11 @@ applicationConfig: dmaap.certificateConfig.keyPasswordPath: /opt/app/datafile/etc/cert/p12.pass dmaap.certificateConfig.trustedCa: /opt/app/datafile/etc/cert/trust.jks dmaap.certificateConfig.trustedCaPasswordPath: /opt/app/datafile/etc/cert/trust.pass - dmaap.certificateConfig.enableCertAuth: true + dmaap.certificateConfig.enableCertAuth: false dmaap.dmaapConsumerConfiguration.consumerGroup: OpenDcae-c12 dmaap.dmaapConsumerConfiguration.consumerId: C12 dmaap.dmaapConsumerConfiguration.timeoutMs: -1 - dmaap.security.enableDmaapCertAuth: true + dmaap.security.enableDmaapCertAuth: false dmaap.security.keyStorePasswordPath: /opt/app/datafile/etc/cert/jks.pass dmaap.security.keyStorePath: /opt/app/datafile/etc/cert/cert.jks dmaap.security.trustStorePasswordPath: /opt/app/datafile/etc/cert/trust.pass 
@@ -153,40 +167,38 @@ applicationConfig: streams_publishes: PM_MEAS_FILES: dmaap_info: - publisher_id: ${DR_FILES_PUBLISHER_ID_0} + publisher_id: "dummy_id" location: loc00 - log_url: ${DR_LOG_URL_0} - publish_url: ${DR_FILES_PUBLISHER_URL_0} + log_url: ${DR_FEED_LOGURL_0} + publish_url: ${DR_FEED_PUBURL_0} username: ${DR_USERNAME} password: ${DR_PASSWORD} type: data_router streams_subscribes: dmaap_subscriber: dmaap_info: - topic_url: "https://message-router:3905/events/unauthenticated.VES_NOTIFICATION_OUTPUT" + topic_url: "http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT" type: message_router +applicationEnv: + #CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + # DataRouter Feed Configuration drFeedConfig: - feedName: bulk_pm_feed - owner: dcaecm feedVersion: "0.0" - asprClassification: unclassified + classification: unclassified feedDescription: DFC Feed Creation - -# DataRouter Publisher Configuration -drPubConfig: - - feedName: bulk_pm_feed - username: ${DR_USERNAME} - userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 + publisher: + username: ${DR_USERNAME} + password: ${DR_PASSWORD} # ConfigMap Configuration for Feed, Dr_Publisher volumes: - name: feeds-config path: /opt/app/config/feeds - - name: drpub-config - path: /opt/app/config/dr_pubs # Resource Limit Flavor -By Default Using Small flavor: small @@ -195,18 +207,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 500m - memory: 768Mi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account 
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml index c4843d639c..b997fbeb27 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml @@ -21,21 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE datalake-admin-ui helm chart name: dcae-datalake-admin-ui -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml index 8573e077f5..f7c9381611 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml @@ -1,7 +1,7 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,21 +31,6 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - -################################aafcreds################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# @@ -59,20 +44,11 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake-admin-ui logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake-admin-ui/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # Dependencies readinessCheck: wait_for: - - aaf-cm - - dcae-datalake-feeder + services: + - dl-feeder # Probe Configuration readiness: @@ -92,10 +68,9 @@ service: port: 8088 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] # Initial Application Configuration applicationConfig: 
@@ -107,18 +82,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml index 20b65f03f9..317695ecfc 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml @@ -21,21 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Datalake DES MS charts name: dcae-datalake-des -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml index bab9c05097..f45905cd12 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml @@ -1,7 +1,7 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -36,22 +36,12 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds externalSecret: '{{ include "common.release" . }}-datalake-pg-user-creds' type: basicAuth login: '{{ .Values.postgres.config.pgUserName }}' passwordPolicy: required -################################aafcreds################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# @@ -65,20 +55,11 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # Dependencies readinessCheck: wait_for: - - aaf-cm - - dcae-datalake-feeder + services: + - dl-feeder # Probe Configuration readiness: @@ -98,10 +79,9 @@ service: port: 1681 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] #postgres configuration postgres: 
@@ -137,18 +117,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml index 3d1ea6e1f3..4f085d5504 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml @@ -21,24 +21,24 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Datalake feeder MS charts name: dcae-datalake-feeder -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml index 4de71c3ece..36e1d7bda6 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -35,11 +35,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-datalake-pg-user-creds' type: basicAuth @@ -48,11 +43,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# @@ -67,21 +57,6 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - -# Dependencies -readinessCheck: - wait_for: - - aaf-cm - - &postgresName dcae-datalake-postgres - # Probe Configuration readiness: initialDelaySeconds: 90 
@@ -100,10 +75,14 @@ service: port: 1680 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read credentials: - name: PG_USER @@ -142,25 +121,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-datalake-postgres service: name: *postgresName name2: dcae-datalake-pg-primary @@ -177,6 +156,11 @@ postgres: pgDatabase: datalake pgUserExternalSecret: *pgUserCredsSecretName +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + #Pods Service Account serviceAccount: nameOverride: dcae-datalake-feeder diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml index 056696a45c..6ff60f4de5 100644 --- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml 
@@ -21,24 +21,24 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Heartbeat Microservice name: dcae-heartbeat -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml index b76656727a..da8f2c6561 100644 --- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -35,11 +35,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-heartbeat-pg-user-creds' type: basicAuth @@ -48,16 +43,11 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.heartbeat:2.3.1 +image: onap/org.onap.dcaegen2.services.heartbeat:2.6.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -67,21 +57,6 @@ log: path: /var/log/ONAP/dcaegen2/services/heartbeat logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/heartbeat/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - -# Dependencies -readinessCheck: - wait_for: - - aaf-cm - - &postgresName dcae-heartbeat-postgres - # Probe Configuration readiness: initialDelaySeconds: 10 
@@ -100,18 +75,14 @@ service: port: 10002 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-heartbeat-read credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: HEARTBEAT_PG_USERNAME uid: *pgUserCredsSecretUid key: login @@ -159,25 +130,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-heartbeat-postgres service: name: *postgresName name2: dcae-heartbeat-pg-primary @@ -194,6 +165,13 @@ postgres: pgDatabase: heartbeat pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-heartbeat diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml index 0c9732a242..48ffbd2c71 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml 
@@ -21,24 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE HV VES collector name: dcae-hv-ves-collector -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml deleted file mode 100644 index ff977aaa32..0000000000 
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.hvVesKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-fault-supervision" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-provisioning" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-heartbeat" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-performance-assurance" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ .Values.applicationConfig.streams_publishes.perf3gpp.kafka_info.topic_name }} - operation: Write 
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml deleted file mode 100644 index e40775833a..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-fault-supervision - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-fault-supervision" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-provisioning - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-provisioning" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-heartbeat - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-heartbeat" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-performance-assurance - labels: - strimzi.io/cluster: {{ include "common.release" . 
}}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-performance-assurance" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: perf3gpp - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ .Values.applicationConfig.streams_publishes.perf3gpp.kafka_info.topic_name }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/ingress.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/ingress.yaml new file mode 100644 index 0000000000..df12117b3e --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index 67add37cea..2365c17e28 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml 
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -1,8 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021-2022 Nokia. All rights reserved. -# Copyright © 2022 Nordix Foundation +# Modifications Copyright (C) 2022-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,16 +35,18 @@ filebeatConfig: ################################################################# # initContainer images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.10.0 +image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.11.0 pullPolicy: Always +commonName: &commonName dcae-hv-ves-collector +containerPort: &containerPort 6061 + # log directory where logging sidecar should look for log files # if path is set to null sidecar won't be deployed in spite of # global.centralizedLoggingEnabled setting. 
@@ -56,22 +58,6 @@ logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # if absent, no certs will be retrieved and stored certDirectory: /etc/ves-hv/ssl -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - -secrets: - - uid: hv-ves-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate -config: - someConfig: blah - # CMPv2 certificate # It is used only when: # - certDirectory is set @@ -81,9 +67,9 @@ config: useCmpv2Certificates: false certificates: - mountPath: /etc/ves-hv/ssl/external - commonName: dcae-hv-ves-collector + commonName: *commonName dnsNames: - - dcae-hv-ves-collector + - *commonName - hv-ves-collector - hv-ves keystore: @@ -94,11 +80,6 @@ certificates: key: password create: true -# dependencies -readinessCheck: - wait_for: - - aaf-cm - # probe configuration readiness: type: exec 
@@ -108,64 +89,115 @@ readiness: command: - /opt/ves-hv-collector/healthcheck.sh +# since there are problems receiving binary data via the sidecar +# the service port is excluded in the sidecar processing +podAnnotations: + traffic.sidecar.istio.io/excludeInboundPorts: '6061' + traffic.sidecar.istio.io/includeInboundPorts: '*' + # service configuration service: type: NodePort - name: dcae-hv-ves-collector + name: *commonName ports: - - name: http - port: 6061 - port_protocol: http + - name: tcp + port: *containerPort + port_protocol: tcp + app_protocol: tcp nodePort: 22 -#strimzi kafka config -hvVesKafkaUser: dcae-hv-ves-kafka-user +ingress: + enabled: false + service: + - baseaddr: "dcae-hv-ves-collector-api" + name: *commonName + port: *containerPort + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress # initial application configuration applicationConfig: logLevel: INFO server.idleTimeoutSec: 300 - server.listenPort: 6061 + server.listenPort: *containerPort cbs.requestIntervalSec: 5 - security.sslDisable: false + security.sslDisable: true security.keys.keyStoreFile: /etc/ves-hv/ssl/cert.jks security.keys.keyStorePasswordFile: /etc/ves-hv/ssl/jks.pass security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass streams_publishes: ves-3gpp-fault-supervision: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_FAULTSUPERVISION_OUTPUT + topic_name: &ves3gppFaultSupervision SEC_3GPP_FAULTSUPERVISION_OUTPUT ves-3gpp-provisioning: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_PROVISIONING_OUTPUT + topic_name: &ves3gppProvisioning SEC_3GPP_PROVISIONING_OUTPUT ves-3gpp-heartbeat: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: 
${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_HEARTBEAT_OUTPUT + topic_name: &ves3gppHeartbeat SEC_3GPP_HEARTBEAT_OUTPUT ves-3gpp-performance-assurance: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + topic_name: &ves3gppPerformanceAssurance SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT perf3gpp: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: HV_VES_PERF3GPP + topic_name: &perf3gpp HV_VES_PERF3GPP + +# Strimzi Kafka config +kafkaUser: + acls: + - name: SEC_3GPP + type: topic + patternType: prefix + operations: [Write, DescribeConfigs] + - name: *perf3gpp + type: topic + operations: [Write, DescribeConfigs] + +kafkaTopic: + - name: *ves3gppFaultSupervision + strimziTopicName: dcae-ves-3gpp-fault-supervision + # the default retention values below can be updated + # to meet use case requirements for each topic. + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: *ves3gppProvisioning + strimziTopicName: dcae-ves-3gpp-provisioning + - name: *ves3gppHeartbeat + strimziTopicName: dcae-ves-3gpp-heartbeat + - name: *ves3gppPerformanceAssurance + strimziTopicName: dcae-ves-3gpp-performance-assurance + - name: *perf3gpp + strimziTopicName: dcae-ves-3gpp-perf + applicationEnv: JAVA_OPTS: '-Dlogback.configurationFile=/etc/ONAP/dcae-hv-ves-collector/logback.xml' CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + MESSAGING_TYPE: 'kafka' KAFKA_BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' USE_SCRAM: 'true' JAAS_CONFIG: - secretUid: hv-ves-kafka-secret + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' key: sasl.jaas.config # Resource Limit flavor -By Default using small 
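Review bot: in `applicationConfig`, `security.sslDisable` goes from `false` to `true` in the same hunk that adds `traffic.sidecar.istio.io/excludeInboundPorts: '6061'` under `podAnnotations`, so port 6061 loses application TLS and is also taken out of sidecar processing, while the service stays `type: NodePort`. With the port excluded, the sidecar cannot apply mesh mTLS or the new `serviceMesh.authorizationPolicy` entry for `istio-ingress` to that port. Suggest keeping `security.sslDisable: false` as the default (the `security.keys.*` paths are still configured) or stating in the comment above `podAnnotations` what protects 6061 once both layers are off. The annotation also repeats `6061` as a literal beside `containerPort: &containerPort 6061`, so a comment that the two must change together would help. Separately, the `kafkaUser` ACL with `name: SEC_3GPP` and `patternType: prefix` grants `Write` on every topic with that prefix rather than only the four declared under `kafkaTopic`; listing them by alias, as is done for `*perf3gpp`, would be tighter.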
@@ -174,22 +206,22 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: dcae-hv-ves-collector + nameOverride: *commonName roles: - read diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml index ff18e15e3d..b4c79c915b 100644 --- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 Wipro Limited. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE KPI MS chart name: dcae-kpi-ms -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml index 6ce0a1f98a..61b78fa01f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml @@ -1,7 +1,8 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,26 +32,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.0.4 +image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.2.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -60,16 +46,6 @@ log: path: /var/log/ONAP/dcaegen2/services/kpims logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/kpims/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true -enable_tls: true - # Optional Policy configuration properties # if present, policy-sync side car will be deployed #dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 @@ -80,7 +56,8 @@ enable_tls: true # Dependencies readinessCheck: wait_for: - - aaf-cm + services: + - message-router # Probe Configuration readiness: 
@@ -100,18 +77,10 @@ service: port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! - -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read # Initial Application Configuration applicationConfig: 
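Review bot: the removed `aafCreds` block carried a literal default `password: demo123456!` for `dcae@dcae.onap.org`, and deleting it from `values.yaml` leaves it readable in history, so the commit message should say whether that account is retired or the password has been rotated. On the added side, `authorizedPrincipals` names only `serviceAccount: message-router-read`; a one-line comment saying which caller of port 8080 this is meant for would make the policy reviewable, since nothing in the hunk shows who connects inbound to kpi-ms.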
@@ -133,9 +102,12 @@ applicationConfig: type: message-router dmaap_info: topic_url: http://message-router:3904/events/unauthenticated.DCAE_KPI_OUTPUT - kpi.policy: '{"domain":"measurementsForKpi","methodForKpi":[{"eventName":"perf3gpp_CORE-AMF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"AMFRegNbr","operation":"SUM","operands":"RM.RegisteredSubNbrMean"}]},{"eventName":"perf3gpp_CORE-UPF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"UpstreamThr","operation":"SUM","operands":"GTP.InDataOctN3UPF"},{"measType":"DownstreamThr","operation":"SUM","operands":"GTP.OutDataOctN3UPF"}]}]}' + kpi.policy: '{"domain":"measurementsForKpi","methodForKpi":[{"eventName":"perf3gpp_CORE-AMF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"AMFRegNbr","operation":"SUM","operands":"RM.RegisteredSubNbrMean"}]},{"eventName":"perf3gpp_CORE-UPF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"UpstreamDownstreamThr","operation":"SUM","operands":["GTP.InDataOctN3UPF","GTP.OutDataOctN3UPF"]}]}]' applicationEnv: + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' STANDALONE: 'false' # Resource Limit Flavor -By Default Using Small 
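Review bot: the added `kpi.policy` value is not valid JSON. It ends `"GTP.OutDataOctN3UPF"]}]}]'`, which closes the `operands` array, the KPI object, `kpis`, the method entry and `methodForKpi`, but never the top-level object opened at `{"domain":`; the removed line ended `}]}]}'`. Add the missing `}` before the closing quote. In the same string, `operands` becomes an array for `UpstreamDownstreamThr` while the `AMFRegNbr` entry keeps a bare string (`"operands":"RM.RegisteredSubNbrMean"`); if the 1.2.1 image expects a list, both entries should use one, and if it accepts either, a comment saying so would avoid the question.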
@@ -145,18 +117,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml index 2e13863cbe..e293252f66 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml @@ -23,15 +23,15 @@ apiVersion: v2 appVersion: "Kohn" description: ONAP DCAE Microservice Health Check name: dcae-ms-healthcheck -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml index 4a51c7f9d8..f6d179428a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml @@ -31,8 +31,7 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -65,5 +64,4 @@ spec: - name: {{ include "common.fullname" . }}-expected-components configMap: name: {{ include "common.release" . }}-dcae-expected-microservices - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml index 3b47e7f70e..8b8f928c39 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml @@ -31,6 +31,10 @@ service: - port: 8080 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + # Label on DCAE microservice deployments # (Used by healthcheck code to find deployments # created after initial DCAE installation) @@ -48,7 +52,7 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 # application image -image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.0 +image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.1 # Resource Limit flavor -By Default using small flavor: small @@ -56,18 +60,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml index 5aa8feaab0..30cb9cfe6c 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Nordix Foundation. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE PM-Mapper Helm charts name: dcae-pm-mapper -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../common/dcaegen2-services-common' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml index eaa961c53a..290c313b52 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml @@ -2,7 +2,8 @@ # ========================================================================= # Copyright (C) 2021 Nordix Foundation. # Copyright (c) 2022 Nokia. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ========================================================================= # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,27 +37,17 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &drSubCredsUID drsubcreds type: basicAuth login: '{{ .Values.drSubscriberCreds.username }}' password: '{{ .Values.drSubscriberCreds.password }}' passwordPolicy: required -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pm-mapper:1.8.0 +image: onap/org.onap.dcaegen2.services.pm-mapper:1.10.1 pullPolicy: Always # Log directory where logging sidecar should look for log files 
@@ -66,23 +57,17 @@ log: path: /var/log/ONAP/dcaegen2/services/pm-mapper logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/pm-mapper/etc/cert - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # Dependencies +# Depend on the datafile-collector, which guarantees that +# the DR feed that pm-mapper susbscribes to will be created +# already by the datafile-collector DMaaP provisioning init +# container. Also guarantees that DR provisioning will be +# available for pm-mapper initContainter to create the +# subscription to the feed. readinessCheck: wait_for: - containers: - - aaf-cm - - dmaap-bc - - dmaap-provisioning-job - - dcae-datafile-collector + services: + - datafile-collector # Probe Configuration readiness: @@ -99,15 +84,15 @@ service: name: dcae-pm-mapper both_tls_and_plain: true ports: - - name: https + - name: http port: 8443 plain_port: 8081 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read # Data Router Subscriber Credentials drSubscriberCreds: @@ -115,12 +100,6 @@ drSubscriberCreds: password: password credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: DR_USERNAME uid: *drSubCredsUID key: login 
@@ -130,21 +109,21 @@ credentials: # Initial Application Configuration applicationConfig: - enable_tls: true + enable_tls: false enable_http: true aaf_identity: "" aaf_password: "" pm-mapper-filter: "{ \"filters\":[] }" - key_store_path: /opt/app/pm-mapper/etc/cert/cert.jks - key_store_pass_path: /opt/app/pm-mapper/etc/cert/jks.pass + #key_store_path: /opt/app/pm-mapper/etc/cert/cert.jks + #key_store_pass_path: /opt/app/pm-mapper/etc/cert/jks.pass trust_store_path: /opt/app/pm-mapper/etc/cert/trust.jks trust_store_pass_path: /opt/app/pm-mapper/etc/cert/trust.pass - dmaap_dr_delete_endpoint: https://dmaap-dr-node:8443/delete + dmaap_dr_delete_endpoint: http://dmaap-dr-node:8080/delete streams_publishes: dmaap_publisher: type: message_router dmaap_info: - client_id: ${MR_FILES_PUBLISHER_CLIENT_ID_0} + client_id: "dummy_id" location: san-francisco client_role: org.onap.dcae.pmPublisher topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS @@ -152,7 +131,7 @@ applicationConfig: dmaap_subscriber: type: data_router dmaap_info: - subscriber_id: ${DR_FILES_SUBSCRIBER_ID_0} + subscriber_id: "dummy_id" decompress: true privileged: true username: ${DR_USERNAME} 
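Review bot: `subscriber_id: "dummy_id"` under `dmaap_subscriber` replaces `${DR_FILES_SUBSCRIBER_ID_0}` with a literal and has no comment saying why a placeholder is acceptable, on a subscriber that keeps `privileged: true`. Suggest a comment in the style of the one on `CONFIG_BINDING_SERVICE_SERVICE_PORT`, stating that the value is unused and when it can be dropped; the same applies to `client_id: "dummy_id"` in the preceding hunk.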
@@ -160,28 +139,23 @@ applicationConfig: location: san-francisco delivery_url: http://dcae-pm-mapper:8081/delivery -# DataRouter Feed Configuration -drFeedConfig: - - feedName: bulk_pm_feed - owner: dcaecm - feedVersion: "0.0" - asprClassification: unclassified - feedDescription: DFC Feed Creation +applicationEnv: + #CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' # DataRouter Subscriber Configuration drSubConfig: - feedName: bulk_pm_feed + feedVersion: "0.0" decompress: true username: ${DR_USERNAME} userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 privilegedSubscriber: true deliveryURL: http://dcae-pm-mapper:8081/delivery -# ConfigMap Configuration for Dr Feed, Subscriber, MR Topics +# ConfigMap Configuration for DR Subscriber volumes: - - name: feeds-config - path: /opt/app/config/feeds - name: drsub-config path: /opt/app/config/dr_subs @@ -192,18 +166,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml index f68e715184..f721f0aba4 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml 
@@ -22,24 +22,24 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE PMSH Service name: dcae-pmsh -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml index 971d7bfd24..0f7289cc07 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (C) 2021 Nordix Foundation. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,11 +35,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-pmsh-pg-user-creds' type: basicAuth 
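Review bot: in the new dcae-pmsh templates/authorizationpolicy.yaml, the principal is built with `default "onap" $principal.namespace` and then compared with `eq "onap" $namespace`, while `metadata.namespace` comes from `include "common.namespace" .`. A release installed in any namespace other than onap would therefore authorize service accounts in the wrong namespace; default to the release namespace and compare against it instead. Second, when `authorizedPrincipalsPostgres` is empty the template still renders `action: ALLOW` with an empty `rules:` key, and an Istio ALLOW policy with no rules matches nothing, so every connection to the selected Postgres pods is denied; say in values.yaml that the list is mandatory, or skip the policy when it is empty. Third, the three documents differ only in `$pgHost`; a single `range` over the host suffixes would keep them from drifting apart. The file also ends without a trailing newline.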
@@ -48,16 +43,11 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.pmsh:2.2.2 +image: onap/org.onap.dcaegen2.services.pmsh:2.2.3 pullPolicy: Always # Log directory where logging sidecar should look for log files 
@@ -67,57 +57,37 @@ log: path: /var/log/ONAP/dcaegen2/services/pmsh logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/pmsh/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - -# Dependencies -readinessCheck: - wait_for: - - aaf-cm - - &postgresName dcae-pmsh-postgres - # Probe Configuration readiness: initialDelaySeconds: 10 periodSeconds: 15 timeoutSeconds: 1 path: /healthcheck - scheme: HTTPS - port: 8443 + scheme: HTTP + port: 8080 # Service Configuration service: type: ClusterIP name: dcae-pmsh ports: - - name: https - port: 8443 + - name: http + port: 8080 + plain_port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! - -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-pmsh-read # Initial Application Configuration applicationConfig: - enable_tls: true - aaf_identity: ${AAF_IDENTITY} - aaf_password: ${AAF_PASSWORD} + enable_tls: false + aaf_identity: dummy_value + aaf_password: dummy_value key_path: /opt/app/pmsh/etc/certs/key.pem cert_path: /opt/app/pmsh/etc/certs/cert.pem ca_cert_path: /opt/app/pmsh/etc/certs/cacert.pem 
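Review bot: with `enable_tls: false`, the `key_path`, `cert_path` and `ca_cert_path` context lines at the end of this hunk still point at /opt/app/pmsh/etc/certs, which nothing populates once `certDirectory` and `tlsServer` are removed; drop them or add a comment that they are ignored when TLS is off. The readiness probe and service now use plain HTTP on 8080, so transport protection and caller authentication rest entirely on the mesh and on the `authorizedPrincipals` entry added here; the values file should say so and state what protects the endpoint when authorization policies are not enabled. `aaf_identity: dummy_value` and `aaf_password: dummy_value` need a one-line comment explaining why the keys must still be present.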
@@ -135,16 +105,16 @@ applicationConfig: policy_pm_publisher: type: message_router dmaap_info: - topic_url: "https://message-router:3905/events/unauthenticated.DCAE_CL_OUTPUT" + topic_url: "http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT" streams_subscribes: policy_pm_subscriber: type: message_router dmaap_info: - topic_url: "https://message-router:3905/events/unauthenticated.PMSH_CL_INPUT" + topic_url: "http://message-router:3904/events/unauthenticated.PMSH_CL_INPUT" aai_subscriber: type: message_router dmaap_info: - topic_url: "https://message-router:3905/events/AAI-EVENT" + topic_url: "http://message-router:3904/events/AAI-EVENT" applicationEnv: PMSH_PG_URL: &dcaePmshPgPrimary dcae-pmsh-pg-primary @@ -154,6 +124,7 @@ applicationEnv: PMSH_PG_PASSWORD: secretUid: *pgUserCredsSecretUid key: password + PMSH_API_PORT: '8080' # Resource Limit Flavor -By Default Using Small flavor: small @@ -162,25 +133,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-pmsh-postgres service: name: *postgresName name2: *dcaePmshPgPrimary @@ -197,6 +168,13 @@ postgres: pgDatabase: pmsh pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-pmsh 
diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml index 54d1fce96a..fefc06e805 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,21 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE PRH name: dcae-prh -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index ddb0b08833..11cb72690c 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -1,7 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2022 Nokia. All rights reserved. +# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,16 +32,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.8.0 +image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.10.1 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -50,15 +46,6 @@ log: path: /opt/app/prh/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/prh/etc/cert - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - secrets: - uid: &aaiCredsUID aaicreds type: basicAuth @@ -66,11 +53,6 @@ secrets: password: '{{ .Values.aaiCreds.password }}' passwordPolicy: required -# dependencies -readinessCheck: - wait_for: - - aaf-cm - # probe configuration readiness: initialDelaySeconds: 5 @@ -87,6 +69,11 @@ service: - port: 8100 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + aaiCreds: user: AAI password: AAI 
@@ -107,11 +94,11 @@ applicationConfig: dmaap.dmaapConsumerConfiguration.timeoutMs: -1 dmaap.dmaapProducerConfiguration.dmaapContentType: "application/json" dmaap.dmaapUpdateProducerConfiguration.dmaapContentType: "application/json" - aai.aaiClientConfiguration.pnfUrl: https://aai.onap.svc.cluster.local:8443/aai/v23/network/pnfs/pnf - aai.aaiClientConfiguration.baseUrl: https://aai.onap.svc.cluster.local:8443/aai/v23 - aai.aaiClientConfiguration.aaiHost: aai.onap.svc.cluster.local - aai.aaiClientConfiguration.aaiHostPortNumber: 8443 - aai.aaiClientConfiguration.aaiProtocol: "https" + aai.aaiClientConfiguration.pnfUrl: http://aai-internal.onap.svc.cluster.local:80/aai/v23/network/pnfs/pnf + aai.aaiClientConfiguration.baseUrl: http://aai-internal.onap.svc.cluster.local:80/aai/v23 + aai.aaiClientConfiguration.aaiHost: aai-internal.onap.svc.cluster.local + aai.aaiClientConfiguration.aaiHostPortNumber: 80 + aai.aaiClientConfiguration.aaiProtocol: "http" aai.aaiClientConfiguration.aaiUserName: ${AAI_USER} aai.aaiClientConfiguration.aaiUserPassword: ${AAI_PASSWORD} aai.aaiClientConfiguration.aaiIgnoreSslCertificateErrors: true 
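Review bot: the AAI client is switched to `http://aai-internal.onap.svc.cluster.local:80`, yet the context lines directly below still pass `aaiUserName` and `aaiUserPassword` and keep `aaiIgnoreSslCertificateErrors: true`. Basic credentials over plain HTTP are only protected if mesh mTLS is enforced between PRH and AAI, so document that dependency next to these keys, and remove or annotate `aaiIgnoreSslCertificateErrors`, which has no effect with `aaiProtocol: "http"`. The host still hard-codes the `onap` namespace in three values (`pnfUrl`, `baseUrl`, `aaiHost`); consider deriving it from the release namespace so the chart works elsewhere.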
@@ -148,6 +135,42 @@ applicationConfig: applicationEnv: CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' AUTH_HDR: '{{ printf "Basic %s" (print .Values.aaiCreds.user ":" .Values.aaiCreds.password | b64enc) }}' + BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' + JAAS_CONFIG: + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' + key: sasl.jaas.config + +# Strimzi Kafka User config +kafkaUser: + acls: + - name: OpenDCAE-c12 + type: group + patternType: literal + operations: [Read] + - name: \"*\" + type: topic + patternType: literal + operations: [DescribeConfigs] + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_READY + type: topic + patternType: literal + operations: [Write] + - name: unauthenticated.PNF_UPDATE + type: topic + patternType: literal + operations: [Write] + +# Strimzi Kafka Topics +kafkaTopic: + - name: unauthenticated.PNF_READY + strimziTopicName: unauthenticated.pnf-ready + - name: unauthenticated.PNF_UPDATE + strimziTopicName: unauthenticated.pnf-update # Resource Limit flavor -By Default using small flavor: small @@ -155,18 +178,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "3Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "3Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "2" + memory: "6Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "6Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml index e78d480a2f..72d43e9481 100644 --- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml 
@@ -3,6 +3,7 @@ # Copyright (c) 2021 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE RESTConf Collector name: dcae-restconf-collector -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/ingress.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/ingress.yaml new file mode 100644 index 0000000000..df12117b3e --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml index ecbfb72661..8e6cc7a4a6 100644 --- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml 
+++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml @@ -1,7 +1,8 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -41,17 +42,11 @@ secrets: password: '{{ .Values.controllerCreds.password }}' passwordPolicy: required - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.3.2 +image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.4.1 pullPolicy: Always # Log directory where logging sidecar should look for log files 
@@ -61,19 +56,11 @@ log: path: null # /opt/app/restconfcollector/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/dcae-certificate - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # Dependencies readinessCheck: wait_for: - - aaf-cm + services: + - message-router # Probe Configuration readiness: @@ -97,6 +84,22 @@ service: nodePort: 16 useNodePortExt: true +ingress: + enabled: false + service: + - baseaddr: "dcae-restconf-collector-api" + name: "dcae-restconf-collector" + port: 8443 + plain_port: 8080 + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + # AAF Credentials controllerCreds: username: access 
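Review bot: the new `ingress.service` entry targets `port: 8443` with `ssl: "redirect"`, while the preceding hunk removes `certDirectory` and `tlsServer: true`, so the collector no longer receives a server certificate. If nothing is listening on 8443 after this change, the ingress should reference 8080 only (`plain_port` already does); otherwise add a comment explaining which listener 8443 reaches. The `authorizedPrincipals` list admits only the `istio-ingress` service account, so confirm that no in-cluster caller needs to reach the collector directly, since it would be denied once authorization policies are enabled.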
@@ -122,12 +125,14 @@ applicationConfig: collector.rcc.inputQueue.maxPending: '8096' tomcat.maxthreads: '200' collector.rcc.service.port: '8080' - collector.rcc.service.secure.port: '8687' - collector.rcc.keystore.file.location: /opt/app/dcae-certificate/cert.jks - collector.rcc.keystore.passwordfile: /opt/app/dcae-certificate/jks.pass - collector.rcc.keystore.alias: dynamically generated - collector.rcc.truststore.file.location: /opt/app/dcae-certificate/trust.jks - collector.rcc.truststore.passwordfile: /opt/app/dcae-certificate/trust.pass + # Disabling of secure port not working (DCAEGEN2-3336) + collector.rcc.service.secure.port: '0' + #collector.rcc.service.secure.port: '8687' + #collector.rcc.keystore.file.location: /opt/app/dcae-certificate/cert.jks + #collector.rcc.keystore.passwordfile: /opt/app/dcae-certificate/jks.pass + #collector.rcc.keystore.alias: dynamically generated + #collector.rcc.truststore.file.location: /opt/app/dcae-certificate/trust.jks + #collector.rcc.truststore.passwordfile: /opt/app/dcae-certificate/trust.pass #collector.keystore.file.location: /opt/app/dcae-certificate/external/cert.jks #collector.keystore.passwordfile: /opt/app/dcae-certificate/external/jks.pass collector.header.authflag: '0' 
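Review bot: the added comment says disabling the secure port is not working (DCAEGEN2-3336), but the next line sets `collector.rcc.service.secure.port: '0'` without saying what that value does at runtime. State whether '0' turns the TLS listener off or leaves one bound, so an operator knows whether a listener without a keystore is still exposed. The six commented-out lines added below it (old secure port, keystore and truststore settings) are dead configuration; delete them and rely on the repository history, or tie them to the ticket with a note on when they come back.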
@@ -138,11 +143,7 @@ applicationConfig: dmaap_info: topic_url: http://message-router:3904/events/unauthenticated.DCAE_RCC_OUTPUT type: message_router - #rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"${CONTROLLER_IP}:{CONTROLLER_PORT}","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' - # Workaround while DCAEGEN2-3234 is being resolved--hardcording the ${CONTROLLER_USERNAME} and ${CONTROLLER_PASSWORD} until the restconf-collector uses the latest CBS client SDK that can handle multiple substitutions in a string. - # The line immediately below this one should be used once DCAEGEN-3234 is resolved. 
- #rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' - rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"access","controller_restapiPassword":"Huawei@123","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": 
"remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' + rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' #applicationEnv: # CONTROLLER_IP: "172.30.0.55" @@ -156,18 +157,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml index 8dbed7c646..f90bd1ef95 100644 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml 
@@ -3,6 +3,7 @@ # Copyright (c) 2021 Wipro Limited. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,27 +19,27 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE SliceAnalysis MS charts name: dcae-slice-analysis-ms -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml index b5959ae765..fd70e36619 100644 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml @@ -1,8 +1,9 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # Copyright (C) 2022 Huawei Canada Limited. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -36,11 +37,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-sliceanalysisms-pg-user-creds' type: basicAuth @@ -49,16 +45,29 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################aafcreds################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.1.3 +repository: nexus3.onap.org:10001 +image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.2.1 +pullPolicy: IfNotPresent + +################################################################# +# Policy Sync Container Image. +################################################################# +# optional Policy configuration properties +# if present, policy-sync side car will be deployed +# policy sync is used for provide runtime configuration for slicems +# policy id is originally set to "onap.dcae.slicems.config" + +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#pullPolicy: IfNotPresent +#policies: +# duration: +# 10 +# policyID: | +# '["onap.dcae.slicems.config"]' # Log directory where logging sidecar should look for log files # if path is set to null sidecar won't be deployed in spite of 
@@ -67,21 +76,6 @@ log: path: /var/log/ONAP/dcaegen2/services/sliceanalysisms logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/sliceanalysisms/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - -# Dependencies -readinessCheck: - wait_for: - - aaf-cm - - &postgresName dcae-sliceanalysisms-postgres - # Probe Configuration readiness: initialDelaySeconds: 60 @@ -96,22 +90,18 @@ service: type: ClusterIP name: dcae-slice-analysis-ms ports: - - name: https + - name: http port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-slice-analysis-ms-read credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: PG_USERNAME uid: *pgUserCredsSecretUid key: login @@ -137,8 +127,8 @@ applicationConfig: sliceanalysisms.cid: sliceanalysisms-cid sliceanalysisms.configDb.service: http://config-db:8080 sliceanalysisms.configDbEnabled: true - sliceanalysisms.aai.url: https://aai.onap.svc.cluster.local:8443/aai/v21 - sliceanalysisms.cps.url: https://cps:8088 + sliceanalysisms.aai.url: http://aai-internal.onap.svc.cluster.local:80/aai/v21 + sliceanalysisms.cps.url: http://cps:8080 sliceanalysisms.samples: 3 sliceanalysisms.minPercentageChange: 5 sliceanalysisms.initialDelaySeconds: 120000 
@@ -151,11 +141,13 @@ applicationConfig: sliceanalysisms.aaiNotif.targetAction: UPDATE sliceanalysisms.aaiNotif.targetSource: UUI sliceanalysisms.aaiNotif.targetEntity: service-instance - sliceanalysisms.ccvpnEvalInterval: 15 - sliceanalysisms.ccvpnEvalThreshold: 0.8 + sliceanalysisms.ccvpnEvalInterval: 5 + sliceanalysisms.ccvpnEvalUpperThreshold: 0.8 + sliceanalysisms.ccvpnEvalLowerThreshold: 0.3 sliceanalysisms.ccvpnEvalPrecision: 100.0 sliceanalysisms.ccvpnEvalPeriodicCheckOn: true sliceanalysisms.ccvpnEvalOnDemandCheckOn: true + sliceanalysisms.ccvpnEvalStrategy: FlexibleThresholdStrategy streams_publishes: CL_topic: type: message-router @@ -189,6 +181,9 @@ applicationConfig: topic_url: http://message-router:3904/events/AAI-EVENT applicationEnv: + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' STANDALONE: 'false' # Resource Limit Flavor -By Default Using Small @@ -197,25 +192,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "4Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "4Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-sliceanalysisms-postgres service: name: *postgresName name2: dcae-sliceanalysisms-pg-primary @@ -232,6 +227,13 @@ postgres: pgDatabase: sliceanalysisms pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-slice-analysis-ms 
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml index b05f35f660..5f2eb49546 100644 --- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Copyright (c) 2024 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE SNMPTrap Collector name: dcae-snmptrap-collector -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml index 63844a1da2..599b3d21b9 100644 --- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,17 +31,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.6 +image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.8 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -51,17 +45,11 @@ log: path: /opt/app/snmptrap/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - - # Dependencies readinessCheck: wait_for: - - message-router + services: + - message-router # Probe Configuration readiness: @@ -82,6 +70,10 @@ service: nodePort: 70 useNodePortExt: true +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + # Initial Application Configuration applicationConfig: StormWatchPolicy: '' @@ -89,7 +81,7 @@ applicationConfig: dns_cache_ttl_seconds: 60 services_calls: {} snmptrapd: - version: '2.0.4' + version: '2.0.8' title: ONAP SNMP Trap Receiver sw_interval_in_seconds: 60 streams_publishes: @@ -97,8 +89,8 @@ applicationConfig: dmaap_info: topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP type: message_router - aaf_password: null - aaf_username: null + aaf_password: "" + aaf_username: "" files: runtime_base_dir: "/opt/app/snmptrap" log_dir: logs 
@@ -137,18 +129,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml index edc2efc0fe..b4bde7f0fe 100644 --- a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2021 Wipro Limited. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,27 +19,27 @@ # ============= LICENSE_END ================================================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE Son-handler helm chart name: dcae-son-handler -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml index e8a9403a1c..5e16967203 100644 --- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml @@ -1,7 +1,8 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -35,11 +36,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &cpsCredsUID cpscreds type: basicAuth login: '{{ .Values.cpsCreds.identity }}' @@ -53,16 +49,11 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.son-handler:2.1.7 +image: onap/org.onap.dcaegen2.services.son-handler:2.2.1 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -72,15 +63,6 @@ log: path: /var/log/ONAP/dcaegen2/services/sonhms logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/sonhms/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Optional Policy configuration properties # if present, policy-sync side car will be deployed #dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 
@@ -88,12 +70,6 @@ tlsServer: false # policyID: | # '["com.Config_PCIMS_CONFIG_POLICY"]' -# Dependencies -readinessCheck: - wait_for: - - aaf-cm - - &postgresName dcae-sonhms-postgres - # Probe Configuration readiness: initialDelaySeconds: 10 @@ -108,25 +84,23 @@ service: type: ClusterIP name: dcae-son-handler ports: - - name: https + - name: http port: 8080 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-son-handler-read + +# Credentials cpsCreds: identity: cps password: cpsr0cks! credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - name: CPS_IDENTITY uid: *cpsCredsUID key: login @@ -165,6 +139,7 @@ applicationConfig: sonhandler.cg: sonhms-cg sonhandler.cid: sonhms-cid sonhandler.clientType: cps + sonhandler.nearRtricUrl: "https://a1-policy-management:30294/a1-policy/v2/policies" cps.service.url: http://cps-tbdmt:8080 cps.get.celldata: execute/cps-ran-schemaset/get-cell-data cps.get.nbr.list.url: execute/cps-ran-schemaset/get-nbr-list @@ -214,6 +189,9 @@ applicationConfig: policy-req: [] applicationEnv: + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' STANDALONE: 'false' # Resource Limit Flavor -By Default Using Small 
@@ -223,25 +201,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-sonhms-postgres service: name: *postgresName name2: *dcaeSonhmsPgPrimary @@ -258,6 +236,13 @@ postgres: pgDatabase: sonhms pgUserExternalSecret: *pgUserCredsSecretName +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + #Pods Service Account serviceAccount: nameOverride: dcae-son-handler diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml index 6eb8528e76..ffddeb55f2 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,30 +19,27 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE TCA (Gen 2) name: dcae-tcagen2 -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' - - name: mongo - version: ~11.x-0 + - name: mongodb + version: 14.12.2 repository: '@local' \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml index 4cd47dccb5..393d7936a0 100644 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml @@ -1,7 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,6 +24,15 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 centralizedLoggingEnabled: true + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* ################################################################# # Filebeat configuration defaults. 
@@ -31,16 +41,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.2 +image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.4.0 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -50,15 +55,6 @@ log: path: /opt/logs/dcae-analytics-tca logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /etc/tca-gen2/ssl - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - secrets: - uid: &aaiCredsUID aaicreds type: basicAuth @@ -69,7 +65,8 @@ secrets: # dependencies readinessCheck: wait_for: - - aaf-cm + services: + - message-router # probe configuration readiness: 
@@ -87,20 +84,32 @@ service: - port: 9091 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # mongoDB overrides -mongo: +mongodb: nameOverride: dcae-mongo - config: - dbName: dcaecommondb + #config: + # dbName: dcaecommondb + auth: + enabled: false + databases: + - "dcaecommondb" + usernames: + - "dcae" service: - name: dcae-mongohost + nameOverride: dcae-mongohost internalPort: 27017 - nfsprovisionerPrefix: dcaemongo - sdnctlPrefix: tcagen2 - persistence: - mountSubPath: dcae/mongo/data - enabled: true - disableNfsProvisioner: true + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "500m" + memory: "1Gi" # Policy configuraiton properties # if enabled, policy-sync side car will be deployed 
@@ -152,31 +161,35 @@ applicationConfig: tca.aai.generic_vnf_path: aai/v11/network/generic-vnfs/generic-vnf tca.aai.node_query_path: aai/v11/search/nodes-query tca.aai.password: ${AAI_PASSWORD} - tca.aai.url: https://aai:8443 + tca.aai.url: http://aai-internal:80 tca.aai.username: ${AAI_USERNAME} - tca.policy: '{"domain":"measurementsForVfScaling","metricsPerEventName":[{"eventName":"vFirewallBroadcastPackets","controlLoopSchemaType":"VM","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":300,"direction":"LESS_OR_EQUAL","severity":"MAJOR","closedLoopEventStatus":"ONSET"},{"closedLoopControlName":"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":700,"direction":"GREATER_OR_EQUAL","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]},{"eventName":"vLoadBalancer","controlLoopSchemaType":"VM","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedTotalPacketsDelta","thresholdValue":300,"direction":"GREATER_OR_EQUAL","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]},{"eventName":"Measurement_vGMUX","controlLoopSchemaType":"VNF","policyScope":"DCAE","policyName":"DCAE.Config_tca-hi-lo","policyVersion":"v0.0.1","thresholds":[{"closedLoopControlName":"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value","threshol
dValue":0,"direction":"EQUAL","severity":"MAJOR","closedLoopEventStatus":"ABATED"},{"closedLoopControlName":"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e","version":"1.0.2","fieldPath":"$.event.measurementsForVfScalingFields.additionalMeasurements[*].arrayOfFields[0].value","thresholdValue":0,"direction":"GREATER","severity":"CRITICAL","closedLoopEventStatus":"ONSET"}]}]}' + tca.policy: "[{\"domain\":\"measurementsForVfScaling\",\"violatedMetricsPerEventName\":[{\"eventName\":\"Mfvs_eNodeB_RANKPI\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"resource=vFirewall;type=configuration\",\"policyName\":\"configuration.dcae.microservice.tca.xml\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"CL-FRWL-LOW-TRAFFIC-SIG-d925ed73-8231-4d02-9545-db4e101f88f8\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":4000,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\"},{\"closedLoopControlName\":\"CL-FRWL-HIGH-TRAFFIC-SIG-EA36FE84-9342-5E13-A656-EC5F21309A09\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":20000,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\"}]},{\"eventName\":\"vLoadBalancer\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"resource=vLoadBalancer;type=configuration\",\"policyName\":\"configuration.dcae.microservice.tca.xml\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"CL-LBAL-LOW-TRAFFIC-SIG-FB480F95-A453-6F24-B767-FD703241AB1A\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":500,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\"},{\"close
dLoopControlName\":\"CL-LBAL-LOW-TRAFFIC-SIG-0C5920A6-B564-8035-C878-0E814352BC2B\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":5000,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\"}]}]},{\"domain\":\"measurement\",\"metricsPerEventName\":[{\"eventName\":\"vFirewallBroadcastPackets\",\"controlLoopSchemaType\":\"VM\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":300,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\",\"closedLoopEventStatus\":\"ABATED\"},{\"closedLoopControlName\":\"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":700,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]},{\"eventName\":\"vLoadBalancer\",\"controlLoopSchemaType\":\"VM\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":300,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]},{\"eventName\":\"Measurement_vGMUX\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-05227418
1b6e\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.additionalMeasurements[*].arrayOfFields[0].value\",\"thresholdValue\":0,\"direction\":\"EQUAL\",\"severity\":\"MAJOR\",\"closedLoopEventStatus\":\"ABATED\"},{\"closedLoopControlName\":\"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.additionalMeasurements[*].arrayOfFields[0].value\",\"thresholdValue\":0,\"direction\":\"GREATER\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]}]}]" tca.processing_batch_size: 10000 tca.enable_abatement: true tca.enable_ecomp_logging: true +applicationEnv: + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml index ac1b8128df..61a5f03b7e 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,27 +19,24 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "NewDelhi" description: DCAE VES Collector name: dcae-ves-collector -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/ingress.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/ingress.yaml new file mode 100644 index 0000000000..df12117b3e --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml new file mode 100644 index 0000000000..4d82cf3b47 --- /dev/null 
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 9754ea8558..ae75bacb57 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -1,8 +1,9 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021-2022 Nokia. All rights reserved. -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2022 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -35,14 +36,13 @@ filebeatConfig: ################################################################# # initContainer images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.11.0 +image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.4 pullPolicy: Always # log directory where logging sidecar should look for log files @@ -56,11 +56,6 @@ logConfigMapNamePrefix: '{{ include "common.fullname" . }}' # if absent, no certs will be retrieved and stored certDirectory: /opt/app/dcae-certificate -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # CMPv2 certificate # It is used only when: # - certDirectory is set @@ -83,12 +78,8 @@ certificates: key: password create: true -# dependencies -readinessCheck: - wait_for: - - aaf-cm - # probe configuration +readiness: initialDelaySeconds: 5 periodSeconds: 15 path: /healthcheck 
@@ -107,10 +98,97 @@ service: nodePort: 17 useNodePortExt: true +ingress: + enabled: false + service: + - baseaddr: "dcae-ves-collector-api" + name: "dcae-ves-collector" + port: 8443 + plain_port: 8080 + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + # application environments applicationEnv: CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' + BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' + JAAS_CONFIG: + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' + key: sasl.jaas.config + +# Strimzi Kafka config +kafkaUser: + acls: + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.VES_NOTIFICATION_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_HEARTBEAT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_OTHER_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_FAULT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.VES_MEASUREMENT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + type: topic + patternType: literal + operations: [Write, 
DescribeConfigs] + +kafkaTopic: + - name: unauthenticated.VES_PNFREG_OUTPUT + strimziTopicName: unauthenticated.ves-pnfreg-output + - name: unauthenticated.VES_NOTIFICATION_OUTPUT + strimziTopicName: unauthenticated.ves-notification-output + - name: unauthenticated.SEC_HEARTBEAT_OUTPUT + strimziTopicName: unauthenticated.sec-heartbeat-output + - name: unauthenticated.SEC_OTHER_OUTPUT + strimziTopicName: unauthenticated.sec-other-output + - name: unauthenticated.SEC_FAULT_OUTPUT + strimziTopicName: unauthenticated.sec-fault-output + - name: unauthenticated.VES_MEASUREMENT_OUTPUT + strimziTopicName: unauthenticated.ves-measurment-output + - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-faultsupervision-output + - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-provisioning-output + - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-heartbeat-output + - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-performanceassurance-output # initial application configuration applicationConfig: @@ -130,7 +208,7 @@ applicationConfig: collector.service.port: "8080" collector.service.secure.port: "8443" event.transform.flag: "0" - auth.method: "certBasicAuth" + auth.method: "noAuth" header.authlist: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6|demouser,$2a$10$1cc.COcqV/d3iT2N7BjPG.S6ZKv2jpb9a5MV.o7lMih/GpjJRX.Ce" services_calls: [] streams_publishes: @@ -191,18 +269,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1.5Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1.5Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "3Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "3Gi" unlimited: {} #Pods Service Account 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml index 82f4881220..4d1eb4a595 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 AT&T Intellectual Property # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,24 +19,24 @@ # ================================= LICENSE_END ============================== apiVersion: v2 -appVersion: "Kohn" +appVersion: "London" description: DCAE VES-Mapper Microservice name: dcae-ves-mapper -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml index 714a875612..b886ae40d3 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml @@ -1,7 +1,8 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,16 +32,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# # Application Image -image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.4.0 +image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.5.0 pullPolicy: Always # Log directory where logging sidecar should look for log files @@ -50,19 +46,11 @@ log: path: /opt/app/VESAdapter/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -#certDirectory: /opt/app/ves-mapper/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -#tlsServer: true - # Dependencies readinessCheck: wait_for: - - aaf-cm + services: + - message-router # Service Configuration service: @@ -73,6 +61,11 @@ service: port: 80 port_protocol: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + # application environments applicationEnv: LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' @@ -185,18 +178,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml index 74fd5578c7..afcb14aeaa 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml @@ -20,18 +20,21 @@ apiVersion: v2 description: ONAP DCAE VES OpenApi Manager name: dcae-ves-openapi-manager -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml new file mode 100644 index 0000000000..7253125d50 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml @@ -0,0 +1,20 @@ +{{/* +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2022 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +{{ include "dcaegen2-services-common.configMap" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml index 1c6e3593ac..64d88119a8 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml 
@@ -2,6 +2,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 Nokia. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,13 +46,20 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} env: - - name: ASDC_ADDRESS - value: {{ .Values.externalServices.sdc_be_https }} - - name: SCHEMA_MAP_PATH - value: {{ .Values.schemaMap.directory }}/{{ .Values.schemaMap.filename }} + - name: SDC_ADDRESS + value: sdc-be.{{include "common.namespace" .}}:8080 + - name: SCHEMA_MAP_PATH + value: {{ .Values.schemaMap.directory }}/{{ .Values.schemaMap.filename }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - name: schema-map mountPath: {{ .Values.schemaMap.directory }} + - name: app-config + mountPath: /app/config/ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: schema-map @@ -61,5 +69,9 @@ spec: items: - key: {{ .Values.schemaMap.filename }} path: {{ .Values.schemaMap.filename }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + - name: app-config + configMap: + name: {{ include "common.fullname" . }}-application-config-configmap + defaultMode: 420 + optional: true + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null 
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml new file mode 100644 index 0000000000..6ff81501a4 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright (C) 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml index a09437eba2..6b6ed67fe4 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== #================================================================================= # Copyright (c) 2021-2022 Nokia. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ # Global values global: pullPolicy: Always -image: onap/org.onap.dcaegen2.platform.ves-openapi-manager:1.1.0 +image: onap/org.onap.dcaegen2.platform.ves-openapi-manager:1.3.1 containerPort: &svc_port 8080 service: @@ -26,8 +27,9 @@ service: - name: &port http port: *svc_port -externalServices: - sdc_be_https: "sdc-be:8443" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] schemaMap: filename: "schema-map.json" @@ -45,25 +47,25 @@ liveness: readinessCheck: wait_for: - - message-router - - sdc-be + services: + - sdc-be flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 512Mi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account 
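Review bot: in dcae-ves-openapi-manager/templates/deployment.yaml, hunk "@@ -45,13 +46,20 @@", SDC_ADDRESS is now assembled inside the template as `sdc-be.{{include "common.namespace" .}}:8080`, so the SDC host and port can no longer be overridden from values, and the endpoint moves from the removed `externalServices.sdc_be_https: "sdc-be:8443"` to port 8080 with nothing in the visible lines saying why. Please keep host and port as values keys (8080 can be the default) and state, in a values comment or the commit message, what is expected to protect this hop now that the https endpoint is gone; the new `serviceMesh.authorizationPolicy.authorizedPrincipals: []` entry in values.yaml carries no comment either. In the same hunk the secretKeyRef name is fixed to `{{ include "common.name" . }}-ku`; a one-line comment naming the template that creates that secret would let a reader confirm that the `sasl.jaas.config` key exists before the pod is scheduled.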
@@ -71,3 +73,34 @@ serviceAccount: nameOverride: dcae-ves-openapi-manager roles: - read + +# initial application configuration +applicationConfig: + vesopenapimanager: + validation: + schemaMapPath: ${SCHEMA_MAP_PATH:./src/main/resources/schema-map.json} + eventDomainPath: /event/structure/commonEventHeader/structure/domain/value + eventSchemaReferencePath: /event/structure/stndDefinedFields/structure/schemaReference/value + distribution: + sdcAddress: ${SDC_ADDRESS:sdc-be.onap:8080} + isUseHttpsWithSDC: false + user: dcae + password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + pollingInterval: 20 + pollingTimeout: 20 + consumerGroup: dcaegen2 + environmentName: AUTO + consumerID: dcae-ves-openapi-manager + activateServerTLSAuth: false + isFilterInEmptyResources: false + +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: dcaegen2 + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/values.yaml b/kubernetes/dcaegen2-services/values.yaml index 1652f04f0f..ba3607f047 100644 --- a/kubernetes/dcaegen2-services/values.yaml +++ b/kubernetes/dcaegen2-services/values.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T. All rights reserved. -# Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,7 +16,6 @@ global: centralizedLoggingEnabled: true - hvVesKafkaUser: dcae-hv-ves-kafka-user ################################################################# # Filebeat Configuration Defaults. 
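Review bot: in dcae-ves-openapi-manager/values.yaml, hunk "@@ -71,3 +73,34 @@", the new `applicationConfig.vesopenapimanager.distribution` block commits a literal `password:` for `user: dcae` into the chart defaults. The deployment in this patch mounts `{{ include "common.fullname" . }}-application-config-configmap` at /app/config/, so if that ConfigMap is rendered from this block the credential ends up in a ConfigMap and in every rendered manifest rather than in a Secret. Suggest replacing the literal with an environment placeholder in the style already used in this block (`${SDC_ADDRESS:sdc-be.onap:8080}`) and feeding it through a secretKeyRef, as the patch already does for SASL_JAAS_CONFIG. Two smaller points in the same hunk: `isUseHttpsWithSDC: false` and `activateServerTLSAuth: false` are shipped as defaults without a comment explaining the assumption behind them, and the `kafkaUser` ACL grants `[Read, Write]` on the topic prefix `SDC-DISTR`; if this component only consumes distribution events, `Write` on the whole prefix should be dropped or justified. The file also ends without a trailing newline.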
@@ -47,8 +46,6 @@ dcae-heartbeat: dcae-hv-ves-collector: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.hvVesKafkaUser }}' dcae-kpi-ms: enabled: false logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' diff --git a/kubernetes/dcaegen2/.helmignore b/kubernetes/dcaegen2/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/dcaegen2/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/dcaegen2/Chart.yaml b/kubernetes/dcaegen2/Chart.yaml deleted file mode 100644 index ba1e47a353..0000000000 --- a/kubernetes/dcaegen2/Chart.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP DCAE Gen2 -name: dcaegen2 -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: dcae-bootstrap - version: ~11.x-0 - repository: 'file://components/dcae-bootstrap' - condition: dcae-bootstrap.enabled - - name: dcae-cloudify-manager - version: ~11.x-0 - repository: 'file://components/dcae-cloudify-manager' - condition: dcae-cloudify-manager.enabled - - name: dcae-config-binding-service - version: ~11.x-0 - repository: 'file://components/dcae-config-binding-service' - condition: dcae-config-binding-service.enabled - - name: dcae-healthcheck - version: ~11.x-0 - repository: 'file://components/dcae-healthcheck' - condition: dcae-healthcheck.enabled - - name: dcae-servicechange-handler - version: ~11.x-0 - repository: 'file://components/dcae-servicechange-handler' - condition: dcae-servicechange-handler.enabled - - name: dcae-inventory-api - version: ~11.x-0 - repository: 'file://components/dcae-inventory-api' - condition: dcae-inventory-api.enabled - - name: dcae-deployment-handler - version: ~11.x-0 - repository: 'file://components/dcae-deployment-handler' - condition: dcae-deployment-handler.enabled - - name: dcae-policy-handler - version: ~11.x-0 - repository: 
'file://components/dcae-policy-handler' - condition: dcae-policy-handler.enabled - - name: dcae-dashboard - version: ~11.x-0 - repository: 'file://components/dcae-dashboard' - condition: dcae-dashboard.enabled - diff --git a/kubernetes/dcaegen2/Makefile b/kubernetes/dcaegen2/Makefile deleted file mode 100644 index d72ab60dc6..0000000000 --- a/kubernetes/dcaegen2/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2021 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/dcaegen2/components/Makefile b/kubernetes/dcaegen2/components/Makefile deleted file mode 100644 index 2681615221..0000000000 --- a/kubernetes/dcaegen2/components/Makefile +++ /dev/null @@ -1,51 +0,0 @@ -# Copyright © 2021 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/.helmignore b/kubernetes/dcaegen2/components/dcae-bootstrap/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/Chart.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/Chart.yaml deleted file mode 100644 index 21e685008c..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/Chart.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Bootstrap -name: dcae-bootstrap -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: postgres - version: ~11.x-0 - repository: '@local' - alias: postgres - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/certs/cacert.pem b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/certs/cacert.pem deleted file mode 100644 index 897c8ae499..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/certs/cacert.pem +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-hv_ves-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-hv_ves-inputs.yaml deleted file mode 100644 index 0108d9a8ce..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-hv_ves-inputs.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2020 Nokia. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ if .Values.componentImages.hv_ves }} -tag_version: {{ include "repositoryGenerator.repository" . }}/{{ .Values.componentImages.hv_ves }} -{{ end }} -use_tls: true -security_ssl_disable: false -external_cert_ca_name: "RA" -external_cert_common_name: "dcae-hv-ves-collector" -external_cert_sans: "dcae-hv-ves-collector,hv-ves-collector,hv-ves" -external_cert_cert_type: "JKS" -external_cert_use_external_tls: false 
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml deleted file mode 100644 index 71c91b4f77..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-pgaas-initdb-inputs.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{/* -#================================================================================= -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -k8s_pgaas_instance_fqdn: {{ .Values.postgres.service.name2 }}.{{include "common.namespace" . }} -k8s_initial_password: $PG_ROOT_PASSWORD diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-prh-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-prh-inputs.yaml deleted file mode 100644 index efc8c77366..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-prh-inputs.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ if .Values.componentImages.prh }} -tag_version: {{ include "repositoryGenerator.repository" . }}/{{ .Values.componentImages.prh }} -{{ end }} diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-tcagen2-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-tcagen2-inputs.yaml deleted file mode 100644 index eb7caf1eee..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-tcagen2-inputs.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ if .Values.componentImages.tcagen2 }} -tag_version: {{ include "repositoryGenerator.repository" . }}/{{ .Values.componentImages.tcagen2 }} -{{ end }} -tca_handle_in_subscribe_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT/" -tca_handle_out_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.DCAE_CL_OUTPUT/" diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs-tls.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs-tls.yaml deleted file mode 100644 index c284612c79..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs-tls.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 Nokia. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ if .Values.componentImages.ves }} -tag_version: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.componentImages.ves }} -{{ end }} -external_port: 0 -external_port_tls: {{ .Values.config.address.ves.portSecure }} -auth_method: "certBasicAuth" -service_component_type: "dcae-ves-collector" -service_id: "dcae-ves-collector" -service_component_name_override: "dcae-ves-collector" -enable_tls: true -ves_other_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_OTHER_OUTPUT/" -ves_heartbeat_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_HEARTBEAT_OUTPUT/" -ves_fault_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_FAULT_OUTPUT/" -ves_measurement_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT/" -ves_pnfRegistration_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_PNFREG_OUTPUT/" -ves_notification_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT/" -ves_3gpp_fault_supervision_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT/" -ves_3gpp_provisioning_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT/" -ves_3gpp_hearbeat_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT/" -ves_3gpp_performance_assurance_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT/" -user_list: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6|demouser,$2a$10$1cc.COcqV/d3iT2N7BjPG.S6ZKv2jpb9a5MV.o7lMih/GpjJRX.Ce" -external_cert_ca_name: "RA" -external_cert_common_name: "dcae-ves-collector" -external_cert_sans: "dcae-ves-collector,ves-collector,ves" 
-external_cert_cert_type: "JKS" -external_cert_use_external_tls: false diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs.yaml deleted file mode 100644 index 349645bb7b..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/inputs/k8s-ves-inputs.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications (c) 2020 Nokia. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ if .Values.componentImages.ves }} -tag_version: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.componentImages.ves }} -{{ end }} -external_port_tls: 0 -external_port: {{ .Values.config.address.ves.port }} -auth_method: "noAuth" -service_component_type: "dcae-http-ves-collector" -service_id: "dcae-http-ves-collector-http" -service_component_name_override: "dcae-http-ves-collector" -ves_other_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_OTHER_OUTPUT/" -ves_heartbeat_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_HEARTBEAT_OUTPUT/" -ves_fault_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_FAULT_OUTPUT/" -ves_measurement_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT/" -ves_pnfRegistration_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_PNFREG_OUTPUT/" -ves_notification_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT/" -ves_3gpp_fault_supervision_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT/" -ves_3gpp_provisioning_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT/" -ves_3gpp_hearbeat_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT/" -ves_3gpp_performance_assurance_publish_url: "http://{{ .Values.config.address.message_router }}:3904/events/unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT/" diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/configmap.yaml deleted file mode 100644 index 135572fb2f..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/configmap.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2017-2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-inputs - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/inputs/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-cacert - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/certs/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml deleted file mode 100644 index 4addb2b863..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/deployment.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: PG_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-root-pass" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: {{ include "common.fullname" . }}-dcae-inputs-input - - mountPath: /config - name: {{ include "common.fullname" . }}-dcae-inputs - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcae-cloudify-manager - - --container-name - - consul-server - - --container-name - - dcae-config-binding-service - - --container-name - - dcae-db - - --container-name - - dcae-inventory-api - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: init-tls - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: aaf_locator_fqdn - value: dcae - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - - name: init-consul - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.consulLoaderImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --service - - "config-binding-service|config-binding-service.{{ include "common.namespace" . }}|10000" - - --service - - "config_binding_service|config-binding-service.{{ include "common.namespace" . }}|10000" - resources: {} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - volumeMounts: - - mountPath: /inputs - name: {{ include "common.fullname" . }}-dcae-inputs - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /certs - name: tls-info - readOnly: true - env: - - name: CMADDR - value: {{ .Values.config.address.cm.host }} - - name: CMPASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cm-pass" "key" "password") | indent 14}} - - name: CMPROTO - value: {{ .Values.config.address.cm.proto }} - - name: CMPORT - value: !!string {{ .Values.config.address.cm.port }} - - name: CONSUL - value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }} - - name: DCAE_NAMESPACE - value: {{ .Values.dcae_ns | default "" }} - - name: ONAP_NAMESPACE - value: {{ include "common.namespace" . }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-dcae-inputs-input - configMap: - name: {{ include "common.fullname" . }}-dcae-inputs - - name: {{ include "common.fullname" . }}-dcae-inputs - emptyDir: - medium: Memory - - name: localtime - hostPath: - path: /etc/localtime - - name: tls-info - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml deleted file mode 100644 index c8fbd04150..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/templates/secret.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml deleted file mode 100644 index 417d968ac9..0000000000 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018-2021 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# Copyright (c) 2022 Nokia. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 - -secrets: - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-dcae-bootstrap-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) 
(hasSuffix "dcae-bootstrap-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: 'cm-pass' - type: password - externalSecret: '{{ tpl (default "" .Values.config.cloudifyManagerPasswordExternalSecret) . }}' - password: '{{ .Values.config.cloudifyManagerPassword }}' - -config: - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of ONAP components - address: - consul: - host: consul-server - port: 8500 - consul_ui: consul-server-ui - cm: - host: dcae-cloudify-manager - port: 443 - proto: https - #Temporary assignment to avoid conflict - #To be removed after bootstrap changes done to remove dashboard - dashboard: - port: 30473 - portSecure: 30474 - datafile_collector: - port: 30223 - portSecure: 30262 - dmaap_dr_prov: dmaap-dr-prov - message_router: message-router - msb_discovery: msb-discovery - msb_iag: msb-iag - policy_pdp: pdp - sdc: sdc-be - snmptrap: - port: 30470 - ves: - port: 30235 - portSecure: 30417 - -# postgres values--overriding defaults in the postgres subchart -postgres: - nameOverride: dcae-db - service: - name: dcae-postgres - name2: dcae-pg-primary - name3: dcae-pg-replica - suffix: svc.cluster.local - container: - name: - primary: dcae-pg-primary - replica: dcae-pg-replica - config: - pgRootPasswordExternalSecret: *pgRootPassSecretName - persistence: - mountSubPath: dcae/data - mountInitPath: dcae - -# application image -image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:3.3.6 -default_k8s_location: central - -# DCAE component images to be deployed via Cloudify Manager -# Use to override default setting in blueprints -componentImages: - tcagen2: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.1 - ves: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.11.0 - prh: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.8.0 - hv_ves: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.10.0 - 
-# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "onap" - -#Pods Service Account -serviceAccount: - nameOverride: dcae-bootstrap - roles: - - read diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/.helmignore b/kubernetes/dcaegen2/components/dcae-cloudify-manager/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/Chart.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/Chart.yaml deleted file mode 100644 index b268ca8bc9..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/Chart.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Cloudify Manager -name: dcae-cloudify-manager -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: cmpv2Config - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/README.md b/kubernetes/dcaegen2/components/dcae-cloudify-manager/README.md deleted file mode 100644 index fa2d597caa..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/README.md +++ /dev/null 
@@ -1,49 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -# DCAE Cloudify Manager Chart - -This chart is used to deploy a containerized version of -[Cloudify Manager](http://docs.getcloudify.org/4.3.0/intro/cloudify-manager/), -the orchestration tool used by DCAE. DCAE uses Cloudify Manager ("CM") to -deploy the rest of the DCAE platform as well to deploy DCAE monitoring and -analytics services dynamically, in response to network events such as VNF startups. - -Deployment of CM is the first of two steps in deploying DCAE into ONAP. After this chart -brings up CM, a second chart (the "bootstrap" chart) installs some plugin extensions onto CM -and uses CM to deploy some DCAE components. - -## Prerequisites -The chart requires one Kubernetes secret to be available in the namespace where it is -being deployed: - - `-docker-registry-key`, the docker registry secret needed to pull images - from the Docker repository. This is the same secret used by other OOM charts. 
- -## DCAE Namespace -DCAE will use CM deploy a number of containers into the ONAP Kubernetes cluster. In a production -environment, DCAE's dynamic deployment of monitoring and analytics services could result in dozens -of containers being launched. This chart allows the configuration, through the `dcae_ns` property -in the `values.yaml` of a separate namespace used by CM when it needs to deploy containers into -Kubernetes. If `dcae_ns` is set, this chart will: - - create the namespace. - - create the Docker registry key secret in the namespace. - - create some Kubernetes `Services` (of the `ExternalName` type) to map some addresses from the common namespace into the DCAE namespace. - -## Use of Consul -DCAE uses [Consul](http://consul.io) to store configuration data for DCAE components. In R1, DCAE -deployed its own Consul cluster. In R2, DCAE will use the Consul server deployed by OOM. diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/config.txt b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/config.txt deleted file mode 100644 index e079ec81c0..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/config.txt +++ /dev/null 
@@ -1,21 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -[consul] -address={{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }} diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/log/filebeat.yml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/log/filebeat.yml deleted file mode 100644 index 06e553d9d4..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/log/filebeat.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. 
- #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase - -logging: - level: debug - - # enable file rotation with default configuration - to_files: true - - # do not log to syslog - to_syslog: false - - files: - path: /usr/share/filebeat/logs - name: mybeat.log - keepfiles: 7 diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/dmaap-plugin.json b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/dmaap-plugin.json deleted file mode 100644 index 44a345455a..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/dmaap-plugin.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "dmaap": { - "username": "notused", - "password": "doesnotmatter", - "owner": "dcaecm" - } -} \ No newline at end of file 
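Review bot: In the deleted dmaap-plugin.json, the `"username": "notused"` and `"password": "doesnotmatter"` literals were committed in plain text, and deleting the file does not remove them from the repository history. Please state in the commit message that these were placeholders and never matched a live account. The dcae-cloudify-manager deployment.yaml removed in the same change loaded this file into Consul through the init-consul argument `dmaap-plugin|/plugin-configs/dmaap-plugin.json`, so it would also help to say whether that key needs to be cleaned up on clusters that are upgraded rather than reinstalled.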
diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json deleted file mode 100644 index fb1a40edfd..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications (c) 2020-2021 Nokia. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{ - "namespace": "{{ if .Values.dcae_ns }}{{ .Values.dcae_ns}}{{ else }}{{include "common.namespace" . }}{{ end}}", - "consul_dns_name": "{{ .Values.config.address.consul.host }}.{{ include "common.namespace" . }}", - "default_k8s_location": "{{ .Values.default_k8s_location }}", - "image_pull_secrets": [ - "{{ include "common.namespace" . }}-docker-registry-key" - ], - "filebeat": { - "log_path": "/var/log/onap", - "data_path": "/usr/share/filebeat/data", - "config_path": "/usr/share/filebeat/filebeat.yml", - "config_subpath": "filebeat.yml", - "image": "{{ include "repositoryGenerator.image.logging" . }}", - "config_map": "{{ include "common.release" . }}-dcae-filebeat-configmap" - }, - "tls": { - "cert_path": "/opt/app/osaaf", - "image": "{{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.tlsImage }}", - "component_cert_dir": "/opt/dcae/cacert", - "component_ca_cert_path": "/opt/dcae/cacert/cacert.pem", - "ca_cert_configmap": "{{ include "common.fullname" . }}-dcae-cacert" - }, - "external_cert": { - "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}", - "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}", - "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}", - "organizational_unit": "{{ .Values.cmpv2Config.global.certificate.default.subject.organizationalUnit }}", - "location": "{{ .Values.cmpv2Config.global.certificate.default.subject.locality }}", - "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName }}", - "keystore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystoreKeyRef }}", - "truststore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststoreKeyRef }}", - "keystore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}", - "keystore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretKey }}", - "truststore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretName }}", - "truststore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretKey }}" - }, - "cert_post_processor": { - "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}" - }, - "cmpv2_issuer": { - "enabled": "true", - "name": "{{ .Values.cmpv2issuer.name }}" - } -} diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/configmap.yaml deleted file mode 100644 index 806b06ed8a..0000000000 
--- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/configmap.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-plugins - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/plugins/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-dcae-filebeat-configmap - namespace: {{include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Values.multisiteConfigMapName }} - namespace: {{include "common.namespace" . 
}} -{{ if .Values.dcae_ns }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-dcae-filebeat-configmap - namespace: {{ .Values.dcae_ns }} -data: -{{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} -{{ end }} - diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml deleted file mode 100644 index f5fc9cac30..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/deployment.yaml +++ /dev/null 
@@ -1,205 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2020-2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - # host alias allows local 'cfy' command to use https and match - # the host name in the certificate - hostAliases: - - ip: "127.0.0.1" - hostnames: - - "dcae-cloudify-manager" - # Cloudify requires a fixed hostname across restarts - hostname: dcae-cloudify-manager - initContainers: - - name: {{ include "common.name" . 
}}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - aaf-cm - - --container-name - - consul-server - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-multisite-init - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.multisiteInitImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --namespace - - {{ include "common.namespace" . }} - - --configmap - - {{ .Values.multisiteConfigMapName }} - - name: init-consul - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.consulLoaderImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --key - - k8s-plugin|/plugin-configs/k8s-plugin.json - - --key - - dmaap-plugin|/plugin-configs/dmaap-plugin.json - resources: {} - volumeMounts: - - mountPath: /plugin-configs - name: plugin-configs - - name: init-tls - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: aaf_locator_fqdn - value: dcae - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - {{- if .Values.persistence.enabled }} - - name: remove-lost-found - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /cfy-persist - name: cm-persistent - command: - - /bin/sh - args: - - -c - - "rm -rf '/cfy-persist/lost+found';" - {{- end }} - containers: - - name: {{ include "common.name" . 
}} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: REQUESTS_CA_BUNDLE - value: "/opt/onap/certs/cacert.pem" - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{ end }} - readinessProbe: - exec: - command: - - /scripts/readiness-check.sh - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - volumeMounts: - - mountPath: /opt/onap/config.txt - subPath: config.txt - name: {{ include "common.fullname" .}}-config - readOnly: true - - mountPath: /opt/onap/kube - name: {{ include "common.fullname" .}}-kubeconfig - readOnly: true - - mountPath: /secret - name: dcae-token - readOnly: true - - mountPath: /sys/fs/cgroup - name: {{ include "common.fullname" . }}-cgroup - readOnly: true - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /cfy-persist - name: cm-persistent - - mountPath: /opt/onap/certs - name: tls-info - - mountPath: /opt/onap/cm-secrets - name: cm-secrets - readOnly: true - securityContext: - privileged: True - serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . 
}}-configmap - - name: {{ include "common.fullname" .}}-kubeconfig - configMap: - name: {{ .Values.multisiteConfigMapName }} - - name: plugin-configs - configMap: - name: {{ include "common.fullname" . }}-plugins - - name: dcae-token - secret: - secretName: dcae-token - - name: {{ include "common.fullname" . }}-cgroup - hostPath: - path: /sys/fs/cgroup - - name: localtime - hostPath: - path: /etc/localtime - - name: cm-persistent - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-data - {{- else }} - emptyDir: {} - {{- end }} - - emptyDir: {} - name: tls-info - - name: cm-secrets - secret: - secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "cm-pass") }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/job.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/job.yaml deleted file mode 100644 index f01edd240b..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/job.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-cleanup - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - template: - metadata: - name: {{ include "common.fullname" . }}-cleanup - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never - containers: - - name: dcae-cleanup - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.cleanupImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} 
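Review bot: removing the pre-delete hook Job (the "helm.sh/hook": pre-delete annotation and the dcae-cleanup container at the end of this hunk) leaves no uninstall-time cleanup for whatever .Values.cleanupImage used to remove, and nothing in the hunk says what that was. Please state in the commit message whether resources created by earlier releases need manual cleanup once the chart no longer ships this hook, or add a short upgrade note to the docs.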
diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/namespace.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/namespace.yaml deleted file mode 100644 index 960ec786b2..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/namespace.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ if .Values.dcae_ns}} -# Create the namespace -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Values.dcae_ns }} -spec: - finalizers: - - kubernetes -{{ end }} diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/pv.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/pv.yaml deleted file mode 100644 index 95c841a9fd..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/pv.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size }} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . 
}}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/pvc.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/pvc.yaml deleted file mode 100644 index 3fbdc91d66..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/pvc.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/secret.yaml deleted file mode 100644 index 91666c1422..0000000000 
--- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/secret.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ if .Values.dcae_ns}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.namespace" . }}-docker-registry-key - namespace: {{ .Values.dcae_ns }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - .dockercfg: {{ include "repositoryGenerator.secret" . }} -type: kubernetes.io/dockercfg ---- -{{ end }} -# Copy of the API token secret, needed to work around /var/run/secrets mount problem -apiVersion: v1 -kind: Secret -metadata: - name: dcae-token - namespace: {{ include "common.namespace" . }} - annotations: - kubernetes.io/service-account.name: default -type: kubernetes.io/service-account-token ---- -{{ include "common.secretFast" . }} 
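Review bot: the dcae-token Secret deleted at the end of this hunk is of type kubernetes.io/service-account-token for the default service account, so it carries a non-expiring API credential, and the only consumer visible in this patch is the /secret volume mount in the cloudify-manager deployment.yaml that is deleted alongside it. Please confirm that nothing else in the repository still references secretName: dcae-token. Also, where dcae_ns was set, the docker-registry-key Secret at the top of the hunk was created in that other namespace, so it is worth verifying after an upgrade that it is actually gone.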
diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/service.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/service.yaml deleted file mode 100644 index 3a28616687..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/templates/service.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . 
}} -{{ if .Values.dcae_ns}} ---- -# Make consul visible inside DCAE component namespace under a well-known name -apiVersion: v1 -kind: Service -metadata: - name: consul - namespace: {{ .Values.dcae_ns }} -spec: - type: ExternalName - externalName: {{ .Values.config.address.consul.host }}.{{ include "common.namespace" . }}.svc.cluster.local ---- -# Make Cloudify Manager visible inside DCAE component namespace under a well-known name -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ .Values.dcae_ns }} -spec: - type: ExternalName - externalName: {{ .Values.service.name }}.{{ include "common.namespace" . }}.svc.cluster.local -{{ end }} ---- -# Provide alternate name for consul in common namespace to support CM plugin discovery -apiVersion: v1 -kind: Service -metadata: - name: consul - namespace: {{ include "common.namespace" . }} -spec: - type: ExternalName - externalName: {{ .Values.config.address.consul.host }}.{{ include "common.namespace" . }}.svc.cluster.local ---- diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml deleted file mode 100644 index 17ba5ec71e..0000000000 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2020-2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 - repositoryCred: - user: docker - password: docker - -cmpv2issuer: - name: cmpv2-issuer-onap - -secrets: - - uid: 'cm-pass' - type: password - externalSecret: '{{ tpl (default "" .Values.config.cloudifyManagerPasswordExternalSecret) . 
}}' - password: '{{ .Values.config.cloudifyManagerPassword }}' - policy: required - -config: - cloudifyManagerPassword: "override me" - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/org.onap.dcaegen2.deployments.cm-container:4.6.1 -pullPolicy: Always - -# name of shared ConfigMap with kubeconfig for multiple clusters -multisiteConfigMapName: multisite-kubeconfig-configmap - -# image for init container to initialize shared ConfigMap -multisiteInitImage: onap/org.onap.dcaegen2.deployments.multisite-init-container:1.0.0 - -# image for cleanup job container -cleanupImage: onap/org.onap.dcaegen2.deployments.dcae-k8s-cleanup-container:1.0.0 - -# default location for k8s deployments via Cloudify -default_k8s_location: central - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - # liveness not desirable for Cloudify Manager container - enabled: false - -readiness: - initialDelaySeconds: 60 - # In some environments we see CM coming up - # properly but readiness probe timing out. - # Increasing the timeout and adjusting the - # period so it's longer than the timeout. - # (DCAEGEN2-2465) - periodSeconds: 30 - timeoutSeconds: 10 - -service: - type: ClusterIP - name: dcae-cloudify-manager - externalPort: 443 - internalPort: 443 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -# Due to memory issues in ONAP integration environment, -# we've increased the memory amounts for both flavors. 
-resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "dcae" - -# Parameters for persistent storage -persistence: - enabled: true - accessMode: ReadWriteOnce - size: 4Gi - mountPath: /dockerdata-nfs - mountSubPath: dcae-cm/data - volumeReclaimPolicy: Retain - -#Pods Service Account -serviceAccount: - nameOverride: dcae-cloudify-manager - roles: - - create - diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/Chart.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/Chart.yaml deleted file mode 100644 index 9ffacf422d..0000000000 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Config Binding Service -name: dcae-config-binding-service -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/resources/config/log/filebeat/filebeat.yml b/kubernetes/dcaegen2/components/dcae-config-binding-service/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 06e553d9d4..0000000000 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. 
- #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase - -logging: - level: debug - - # enable file rotation with default configuration - to_files: true - - # do not log to syslog - to_syslog: false - - files: - path: /usr/share/filebeat/logs - name: mybeat.log - keepfiles: 7 diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/configmap.yaml deleted file mode 100644 index 67fcce4d53..0000000000 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/configmap.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2019 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-cbs-filebeat-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/filebeat/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/deployment.yaml deleted file mode 100644 index 171fc7c807..0000000000 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/deployment.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - consul-server - - --container-name - - aaf-cm - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: aaf_locator_fqdn - value: dcae - {{- if .Values.service.secure.enabled }} - - name: init-tls - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - {{ end }} - containers: - {{- if .Values.service.secure.enabled }} - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.secure.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.secure.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - scheme: "HTTPS" - path: {{ .Values.readiness.path }} - port: {{ .Values.service.secure.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /opt/logs - - name: tls-info - mountPath: /opt/tls - env: - - name: CONSUL_HOST - value: consul-server-ui.{{ include "common.namespace" . 
}} - - name: USE_HTTPS - value: "1" - - name: HTTPS_CERT_PATH - value: "/opt/tls/cert.pem" - - name: HTTPS_KEY_PATH - value: "/opt/tls/key.pem" - - name: {{ include "common.name" . }}-fb-onap - image: {{ include "repositoryGenerator.image.logging" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-fb-conf - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - - name: {{ include "common.fullname" . }}-data-fb - mountPath: /usr/share/filebeat/data - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap/config-binding-service - {{ end }} - {{- if .Values.service.insecure.enabled }} - - name: {{ include "common.name" . }}-insecure - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.insecure.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.insecure.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - scheme: "HTTP" - path: {{ .Values.readiness.path }} - port: {{ .Values.service.insecure.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: {{ include "common.fullname" . }}-logs-i - mountPath: /opt/logs - env: - - name: CONSUL_HOST - value: consul-server-ui.{{ include "common.namespace" . }} - - name: {{ include "common.name" . }}-fb-onap-i - image: {{ include "repositoryGenerator.image.logging" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: {{ include "common.fullname" . }}-fb-conf - mountPath: /usr/share/filebeat/filebeat.yml - subPath: filebeat.yml - - name: {{ include "common.fullname" . }}-data-fb-i - mountPath: /usr/share/filebeat/data - - name: {{ include "common.fullname" . }}-logs-i - mountPath: /var/log/onap/config-binding-service - {{ end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-fb-conf - configMap: - name: {{ include "common.release" . }}-cbs-filebeat-configmap - {{- if .Values.service.secure.enabled }} - - name: {{ include "common.fullname" . }}-data-fb - emptyDir: {} - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: tls-info - emptyDir: {} - {{ end }} - {{- if .Values.service.insecure.enabled }} - - name: {{ include "common.fullname" . }}-data-fb-i - emptyDir: {} - - name: {{ include "common.fullname" . }}-logs-i - emptyDir: {} - {{ end }} - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/service.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/service.yaml deleted file mode 100644 index c4cc0a9902..0000000000 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/templates/service.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{ if eq .Values.service.type "NodePort" -}} - {{ if .Values.service.insecure.enabled -}} - - port: {{ .Values.service.insecure.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.insecure.nodePort }} - name: {{ .Values.service.name }}-insecure - {{- end }} - {{ if .Values.service.secure.enabled -}} - - port: {{ .Values.service.secure.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.secure.nodePort }} - name: {{ .Values.service.name }}-secure - {{- end }} - {{- else -}} - {{ if .Values.service.insecure.enabled -}} - - port: {{ .Values.service.insecure.externalPort }} - targetPort: {{ .Values.service.insecure.internalPort }} - name: {{ .Values.service.name }}-insecure - {{- end }} - {{ if .Values.service.secure.enabled -}} - - port: {{ .Values.service.secure.externalPort }} - targetPort: {{ .Values.service.secure.internalPort }} - name: {{ .Values.service.name }}-secure - {{- end }} - {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml deleted file mode 100644 index 719e73f43c..0000000000 --- a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -config: - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/org.onap.dcaegen2.platform.configbinding:2.5.4 -pullPolicy: Always - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - # liveness not desirable for Cloudify Manager container - enabled: false - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - path: /healthcheck - -service: - type: ClusterIP - name: config-binding-service - # TLS service - secure: - enabled: true - externalPort: 10443 - internalPort: 10443 - nodePort: 14 - # Non-TLS service - insecure: - enabled: true - externalPort: 10000 - internalPort: 10000 - nodePort: 15 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "dcae" - -#Pods Service Account -serviceAccount: - nameOverride: dcae-config-binding-service - roles: - - read diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/.helmignore b/kubernetes/dcaegen2/components/dcae-dashboard/.helmignore deleted file mode 100644 index 50af031725..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ 
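Review bot: the removal of the non-TLS endpoint is undocumented. The dcae-config-binding-service values.yaml deleted just above shipped `service.insecure.enabled: true`, so the chart ran a plain-HTTP listener on port 10000 next to the TLS listener on 10443, and the commit subject mentions neither. Please add a release note naming the removed service (`config-binding-service`, ports 10443 and 10000) so operators can retire the matching network policies and client settings, and confirm that no remaining chart still sets `CONFIG_BINDING_SERVICE` or points at port 10000.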
diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/Chart.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/Chart.yaml deleted file mode 100644 index 3b1bcdd271..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -#================================================================================= -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -appVersion: "1.0" -description: DCAE Dashboard -name: dcae-dashboard -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: postgres - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/resources/log/filebeat.yml b/kubernetes/dcaegen2/components/dcae-dashboard/resources/log/filebeat.yml deleted file mode 100644 index 1e33eb3684..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/resources/log/filebeat.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. 
- #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase - -logging: - level: debug - - # enable file rotation with default configuration - to_files: true - - # do not log to syslog - to_syslog: false - - files: - path: /usr/share/filebeat/logs - name: mybeat.log - keepfiles: 7 diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/configmap.yaml deleted file mode 100644 index 958e810178..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/configmap.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2019 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{include "common.fullname" . }}-filebeat-configmap - namespace: {{include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml deleted file mode 100644 index dbb6c67580..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml +++ /dev/null 
@@ -1,177 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcae-cloudify-manager - - --container-name - - consul-server - - --container-name - - dcae-inventory-api - - --container-name - - dcae-deployment-handler - - --container-name - - {{ .Values.postgres.nameOverride }} - - "-t" - - "45" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: init-tls - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: aaf_locator_fqdn - value: dcae - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - protocol: TCP - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.service.internalPort }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - failureThreshold: 1 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - mountPath: /opt/app/osaaf/ - name: tls-info - - mountPath: /opt/logs/dcae/dashboard - name: component-log - env: - - name: CONSUL_HOST - value: consul-server.{{ include "common.namespace" . }} - - name: CONFIG_BINDING_SERVICE - value: config-binding-service - - name: inventory_url - value: {{ .Values.config.inventory_url }} - - name: postgres_port - value: "{{ .Values.postgres.config.pgPort }}" - - name: cloudify_password - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cm-pass" "key" "password") | indent 14 }} - - name: dhandler_url - value: {{ .Values.config.dhandler_url }} - - name: cfy_url - value: {{ .Values.config.cfy_url }} - - name: cloudify_user - value: admin - - name: consul_url - value: http://consul-server-ui:8500 - - name: postgres_user_dashboard - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 14 }} - - name: postgres_password_dashboard - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 14 }} - - name: postgres_db_name - value: {{ .Values.postgres.config.pgDatabase }} - - name: postgres_ip - value: {{ .Values.postgres.service.name2 }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: {{ include "common.name" . }}-filebeat - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: {{ include "repositoryGenerator.image.logging" . }} - imagePullPolicy: IfNotPresent - resources: {} - volumeMounts: - - mountPath: /var/log/onap/dashboard - name: component-log - - mountPath: /usr/share/filebeat/data - name: filebeat-data - - mountPath: /usr/share/filebeat/filebeat.yml - name: filebeat-conf - subPath: filebeat.yml - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - emptyDir: {} - name: component-log - - emptyDir: {} - name: filebeat-data - - configMap: - defaultMode: 420 - name: {{ include "common.fullname" . }}-filebeat-configmap - name: filebeat-conf - - emptyDir: {} - name: tls-info - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/secret.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/service.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/service.yaml deleted file mode 100644 index 9cd3197f3b..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/service.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - 
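Review bot: upgrade documentation is missing for the removal of an externally exposed port. The `NodePort` branch of this Service template concatenates `nodePortPrefixExt` with `service.nodePort`, and the dcae-dashboard values.yaml deleted in the same patch sets `type: NodePort`, prefix 304 and `nodePort: 18`, so the dashboard was published on node port 30418. Dropping it reduces exposure, but please list the port in the change description so firewall and load-balancer rules that allow it can be closed rather than left open for whatever binds there next.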
diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml deleted file mode 100644 index a083b519d6..0000000000 --- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefixExt: 304 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -secrets: - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-dcae-dashboard-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dcae-dashboard-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - - uid: 'cm-pass' - type: password - externalSecret: '{{ tpl (default "" .Values.config.cloudifyManagerPasswordExternalSecret) . 
}}' - password: '{{ .Values.config.cloudifyManagerPassword }}' - policy: required - -config: - cloudifyManagerPassword: "override me" - logstashServiceName: log-ls - logstashPort: 5044 - dhandler_url: https://deployment-handler:8443 - cfy_url: https://dcae-cloudify-manager/api/v3.1 - inventory_url: https://inventory:8080 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.4.4 -pullPolicy: Always - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - # liveness not desirable for Cloudify Manager container - enabled: false - -readiness: - initialDelaySeconds: 300 - periodSeconds: 90 - path: /ccsdk-app/health - scheme: HTTPS - -service: - type: NodePort - name: dashboard - externalPort: 8443 - internalPort: 8443 - nodePort: 18 -# application configuration override for postgres -postgres: - nameOverride: dcae-dashboard-pg - service: - name: dcae-dashboard-postgres - name2: dcae-dashboard-pg-primary - name3: dcae-dashboard-pg-replica - container: - name: - primary: dcae-dashboard-pg-primary - replica: dcae-dashboard-pg-replica - config: - pgUserName: dashboard_pg_admin - pgUserExternalSecret: *pgUserCredsSecretName - pgDatabase: dashboard_pg_db_common - pgPort: "5432" - persistence: - mountSubPath: dcae-dashboard/data - mountInitPath: dcae-dashboard - -#Resource Limit flavor -By Default using small -flavor: small -#Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - 
memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "dcae" - -#Pods Service Account -serviceAccount: - nameOverride: dcae-dashboard - roles: - - read diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/.helmignore b/kubernetes/dcaegen2/components/dcae-deployment-handler/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/Chart.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/Chart.yaml deleted file mode 100644 index e8193ab3c0..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Deployment Handler -name: dcae-deployment-handler -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/config/config.json deleted file mode 100644 index 026355a909..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/config/config.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "cloudify": { - "protocol": "https" - }, - "inventory": { - "protocol": "https" - } -} 
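Review bot: credential and data cleanup is not addressed for the dcae-dashboard values.yaml deleted earlier in this patch (the hunk before the dcae-deployment-handler files). That file defined `pg-user-creds` with `passwordPolicy: generate` and `cm-pass` backed by the placeholder default `cloudifyManagerPassword: "override me"`, plus postgres persistence under `mountSubPath: dcae-dashboard/data`. Please state in the change description whether Secrets created from these definitions and the data under that sub-path are removed together with the chart or need manual cleanup after upgrade.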
diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/log/filebeat.yml b/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/log/filebeat.yml deleted file mode 100644 index 1e33eb3684..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/log/filebeat.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. 
- #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase - -logging: - level: debug - - # enable file rotation with default configuration - to_files: true - - # do not log to syslog - to_syslog: false - - files: - path: /usr/share/filebeat/logs - name: mybeat.log - keepfiles: 7 diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/log4js/log4js.json b/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/log4js/log4js.json deleted file mode 100644 index a1a8b4a1f4..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/resources/log4js/log4js.json +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - "appenders": { - "out": {"type": "stdout"}, - "audit": { - "type": "file", - "filename": "log/audit.log", - "maxLogSize": 10240000, - "backups": 10, - "layout": { - "type": "messagePassThrough" - } - }, - "metrics": { - "type": "file", - "filename": "log/metrics.log", - "maxLogSize": 10240000, - "backups": 10, - "layout": { - "type": "messagePassThrough" - } - }, - "error": {"type": "stdout"}, - "debug": {"type": "stdout"} - }, - "categories": { - "default": {"appenders": ["out"], "level": "debug"}, - "audit": {"appenders": ["audit"], "level": "info"}, - "metrics": {"appenders": ["metrics"], "level": "info"}, - "error": {"appenders": ["error"], "level": "error"}, - "debug": {"appenders": ["debug"], "level": "debug"} - } -} \ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/configmap.yaml deleted file mode 100755 index cda7029319..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/configmap.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2019 AT&T -# Modifications Copyright © 2020 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{include "common.fullname" . }}-filebeat-configmap - namespace: {{include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{include "common.fullname" . }}-log4js-configmap - namespace: {{include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/log4js/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/deployment.yaml deleted file mode 100755 index 1ad42e02b2..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/deployment.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2020 Nokia -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcae-cloudify-manager - - --container-name - - consul-server - - --container-name - - dcae-inventory-api - - "-t" - - "45" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: init-tls - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: aaf_locator_fqdn - value: dcae - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - - name: init-consul - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.consulLoaderImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --service - - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|443" - - --service - - "inventory|inventory.{{ include "common.namespace" . }}|8080" - - --key - - deployment_handler|/dhconfig/config.json - resources: {} - volumeMounts: - - mountPath: /dhconfig - name: dh-config - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.service.internalPort }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/app/dh/log - name: component-log - - mountPath: /opt/app/dh/etc/cert/ - name: tls-info - - mountPath: /opt/app/dh/etc/ - name: log4js-conf - env: - - name: CONSUL_HOST - value: consul-server.{{ include "common.namespace" . }} - - name: CLOUDIFY_USER - value: admin - - name: CLOUDIFY_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cm-pass" "key" "password") | indent 14 }} - - name: CONFIG_BINDING_SERVICE - value: config-binding-service - - name: NODE_EXTRA_CA_CERTS - value: /opt/app/dh/etc/cert/cacert.pem - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: {{ include "common.name" . }}-filebeat - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: {{ include "repositoryGenerator.image.logging" . }} - imagePullPolicy: IfNotPresent - resources: {} - volumeMounts: - - mountPath: /var/log/onap/deployment-handler - name: component-log - - mountPath: /usr/share/filebeat/data - name: filebeat-data - - mountPath: /usr/share/filebeat/filebeat.yml - name: filebeat-conf - subPath: filebeat.yml - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} - volumes: - - emptyDir: {} - name: component-log - - emptyDir: {} - name: filebeat-data - - configMap: - defaultMode: 420 - name: {{ include "common.fullname" . }}-filebeat-configmap - name: filebeat-conf - - emptyDir: {} - name: tls-info - - configMap: - defaultMode: 422 - name: {{ include "common.fullname" . }}-configmap - name: dh-config - - configMap: - defaultMode: 420 - name: {{include "common.fullname" . }}-log4js-configmap - name: log4js-conf - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/secrets.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/service.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/service.yaml deleted file mode 100644 index cca0b640bb..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/templates/service.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - 
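Review bot: the deleted dcae-deployment-handler templates/deployment.yaml shows this pod was wired to other components, and nothing in the visible lines says why the chart is dropped or what replaces it. The readiness init container waits on `dcae-cloudify-manager`, `consul-server` and `dcae-inventory-api`, and `init-consul` registers the `cloudify_manager` and `inventory` services. Please add the reason to the commit message and confirm that the parent dcaegen2 chart no longer lists dcae-deployment-handler as a dependency or carries values for it, so the umbrella build does not reference a chart that no longer exists.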
diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml deleted file mode 100644 index 3435462c1d..0000000000 --- a/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 - -secrets: - - uid: 'cm-pass' - type: password - externalSecret: '{{ tpl (default "" .Values.config.cloudifyManagerPasswordExternalSecret) . }}' - password: '{{ .Values.config.cloudifyManagerPassword }}' - policy: required - -config: - cloudifyManagerPassword: "override me" - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/org.onap.dcaegen2.platform.deployment-handler:4.4.1 -pullPolicy: Always - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - # liveness not desirable for Cloudify Manager container - enabled: false - -readiness: - initialDelaySeconds: 30 - periodSeconds: 30 - path: / - scheme: HTTPS - -service: - type: ClusterIP - name: deployment-handler - externalPort: 8443 - internalPort: 8443 - - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "dcae" - -serviceAccount: - nameOverride: dcae-deployment-handler - roles: - - read diff --git a/kubernetes/dcaegen2/components/dcae-healthcheck/Chart.yaml b/kubernetes/dcaegen2/components/dcae-healthcheck/Chart.yaml deleted file mode 100644 index 29693c4d28..0000000000 --- a/kubernetes/dcaegen2/components/dcae-healthcheck/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Health Check -name: dcae-healthcheck -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2/components/dcae-healthcheck/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-healthcheck/templates/deployment.yaml deleted file mode 100644 index 641dfdf926..0000000000 --- a/kubernetes/dcaegen2/components/dcae-healthcheck/templates/deployment.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/app/expected-components.json - subPath: expected-components.json - name: {{ include "common.fullname" .}}-expected-components - env: - - name: DCAE_NAMESPACE - value: {{ .Values.dcae_ns }} - - name: ONAP_NAMESPACE - value: {{ include "common.namespace" . }} - - name: HELM_RELEASE - value: {{ include "common.release" . }} - - name: DEPLOY_LABEL - value: cfydeployment - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-expected-components - configMap: - name: {{ include "common.release" . }}-dcae-expected-components - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-healthcheck/templates/service.yaml b/kubernetes/dcaegen2/components/dcae-healthcheck/templates/service.yaml deleted file mode 100644 index f0d1bbb3c7..0000000000 --- a/kubernetes/dcaegen2/components/dcae-healthcheck/templates/service.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - #Example internal target port if required - #targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . 
}} diff --git a/kubernetes/dcaegen2/components/dcae-healthcheck/values.yaml b/kubernetes/dcaegen2/components/dcae-healthcheck/values.yaml deleted file mode 100644 index 67312d73a0..0000000000 --- a/kubernetes/dcaegen2/components/dcae-healthcheck/values.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2020 Nokia -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - nodePortPrefix: 302 - -service: - name: dcae-healthcheck - internalPort: 8080 - externalPort: 80 - type: ClusterIP - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 -# application image -image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.0 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "onap" - -#Pods Service Account -serviceAccount: - nameOverride: dcae-healthcheck - roles: - - read diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/Chart.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/Chart.yaml deleted file mode 100644 index 7d69c019ed..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/Chart.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Inventory API Service -name: dcae-inventory-api -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: postgres - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json deleted file mode 100644 index 4be8c195d2..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "database": { - "driverClass": "org.postgresql.Driver", - "user": "${PG_USER}", - "password": "${PG_PASSWORD}", - "url": "jdbc:postgresql://{{ .Values.postgres.service.name2 }}:5432/{{ .Values.postgres.config.pgDatabase }}", - "properties": { - "charSet": "UTF-8" - }, - "maxWaitForConnection": "1s", - "validationQuery": "/* MyService Health Check */ SELECT 1", - "minSize": 2, - "maxSize": 8, - "initialSize": 2, - "checkConnectionWhileIdle": false, - "evictionInterval": "10s", - "minIdleTime": "1 minute" - }, - "databusControllerConnection": { - "host": "databus-controller-hostname", - "port": 8443, - "mechId": null, - "password": null, - "required": false - }, - "httpClient": { - "minThreads": 1, - "maxThreads": 128, - "gzipEnabled": false, - "gzipEnabledForRequests": false, - "timeout": "5000milliseconds", - "connectionTimeout": "5000milliseconds" - }, - "server": { - "applicationConnectors": [{ - "type": "https", - "port": 8080, - "keyStorePath": "/opt/cert/cert.jks", - "keyStorePassword": "/opt/cert/jks.pass", - "keyStoreType": "JKS" - }] - } - } diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml deleted file mode 100644 index 1e33eb3684..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. 
- #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase - -logging: - level: debug - - # enable file rotation with default configuration - to_files: true - - # do not log to syslog - to_syslog: false - - files: - path: /usr/share/filebeat/logs - name: mybeat.log - keepfiles: 7 diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml deleted file mode 100644 index 81bac5465e..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2019 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{include "common.fullname" . }}-filebeat-configmap - namespace: {{include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml deleted file mode 100644 index 7c3746a0a3..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml +++ /dev/null 
@@ -1,174 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: {{ include "common.fullname" . }}-inv-config-input - - mountPath: /config - name: {{ include "common.fullname" . }}-inv-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.postgres.nameOverride }} - - --container-name - - aaf-cm - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: init-tls - env: - - name: aaf_locator_fqdn - value: dcae - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - # Assumes that the Docker image is built with ENTRYPOINT set to - # ["java", "-jar", "/opt/inventory-api-x.y.z.jar", "server"] - # where "x.y.z" is the version number (matches the Docker image version number) - # The arg below adds a parameter, the path to a config file. - # This tells the inventory-api app to get its configuration from the file - # rather than querying Consul. - args: - - "/opt/config.json" - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.service.internalPort }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: {{ include "common.fullname" . }}-inv-config - mountPath: /opt/config.json - subPath: config.json - - mountPath: /opt/cert/ - name: tls-info - - mountPath: /opt/logs/ - name: component-log - env: - - name: CONSUL_HOST - value: consul.{{ include "common.namespace" . }} - - name: {{ include "common.name" . }}-filebeat - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: {{ include "repositoryGenerator.image.logging" . }} - imagePullPolicy: IfNotPresent - resources: {} - volumeMounts: - - mountPath: /var/log/onap/inventory - name: component-log - - mountPath: /usr/share/filebeat/data - name: filebeat-data - - mountPath: /usr/share/filebeat/filebeat.yml - name: filebeat-conf - subPath: filebeat.yml - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - emptyDir: {} - name: component-log - - emptyDir: {} - name: filebeat-data - - configMap: - defaultMode: 420 - name: {{ include "common.fullname" . }}-filebeat-configmap - name: filebeat-conf - - name: {{ include "common.fullname" . }}-inv-config-input - configMap: - name: {{ include "common.fullname" . }}-configmap - - name: {{ include "common.fullname" . 
}}-inv-config - emptyDir: - medium: Memory - - emptyDir: {} - name: tls-info - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml deleted file mode 100644 index b143034d8f..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/service.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/service.yaml deleted file mode 100644 index cca0b640bb..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/service.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - 
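Review bot: the deleted dcae-inventory-api files show the component owned database state and a credential, and nothing in these hunks says what happens to either on upgrade. config.json connects to `{{ .Values.postgres.service.name2 }}` with `${PG_USER}`/`${PG_PASSWORD}`, deployment.yaml reads both from the `pg-user-creds` secret, and secret.yaml renders it through `common.secretFast`. Please confirm that the PostgreSQL instance and the `pg-user-creds` secret are removed in the same change, and add an upgrade note stating whether existing inventory data is meant to be purged or kept, so operators do not end up with an unowned database and a live credential after the chart is gone.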
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml deleted file mode 100644 index fe39269c27..0000000000 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -secrets: - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-dcae-inventory-api-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dcae-inventory-api-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -config: - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/org.onap.dcaegen2.platform.inventory-api:3.5.2 - -pullPolicy: Always - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - # liveness not desirable for Cloudify Manager container - enabled: false - -readiness: - initialDelaySeconds: 30 - periodSeconds: 30 - path: /dcae-service-types - scheme: HTTPS - -service: - type: ClusterIP - name: inventory - externalPort: 8080 - internalPort: 8080 - -# application configuration override for postgres -postgres: - nameOverride: dcae-inv-pg - service: - name: dcae-inv-postgres - name2: dcae-inv-pg-primary - name3: dcae-inv-pg-replica - container: - name: - primary: dcae-inv-pg-primary - replica: dcae-inv-pg-replica - config: - pgUserName: dcae_inv - pgUserExternalSecret: *pgUserCredsSecretName - pgDatabase: dcae_inventory - persistence: - mountSubPath: dcae-inv/data - mountInitPath: dcae-inv - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "dcae" - -#Pods Service Account -serviceAccount: - nameOverride: dcae-inventory-api - roles: - - read diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/.helmignore b/kubernetes/dcaegen2/components/dcae-policy-handler/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/Chart.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/Chart.yaml deleted file mode 100644 index b15740b906..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Policy Handler -name: dcae-policy-handler -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-policy-handler/resources/config/config.json deleted file mode 100644 index 2e47c9e118..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/resources/config/config.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "policy_handler": { - "thread_pool_size": 4, - "pool_connections": 20, - "policy_retry_count": 5, - "policy_retry_sleep": 5, - "catch_up": { - "interval": 1200 - }, - "reconfigure": { - "interval": 600 - }, - "policy_engine": { - "url": "https://{{ .Values.config.address.policy_xacml_pdp }}:6969", - "path_decision": "/policy/pdpx/v1/decision", - "headers": { - "Accept": "application/json", - "Content-Type": "application/json", - "Authorization": "Basic aGVhbHRoY2hlY2s6emIhWHp0RzM0", - "Environment": "TEST" - }, - "target_entity": "policy_engine", - "tls_ca_mode": "cert_directory", - "timeout_in_secs": 60 - }, - "dmaap_mr" : { - "url" : "https://message-router:3905/events/POLICY-NOTIFICATION/policy-handler/ph1", - "query": { - "timeout": 15000 - }, - "headers" : { - "Content-Type" : "application/json" - }, - "target_entity" : "dmaap_mr", - "tls_ca_mode" : "cert_directory", - "timeout_in_secs": 60 - }, - "deploy_handler": { - "target_entity": "deployment_handler", - "url": "https://deployment-handler:8443", - "max_msg_length_mb": 5, - "query": { - "cfy_tenant_name": "default_tenant" - }, - "tls_ca_mode": "cert_directory", - "timeout_in_secs": 60 - } - } -} diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/resources/log/filebeat.yml b/kubernetes/dcaegen2/components/dcae-policy-handler/resources/log/filebeat.yml deleted file mode 100644 index 06e553d9d4..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/resources/log/filebeat.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. 
- #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase - -logging: - level: debug - - # enable file rotation with default configuration - to_files: true - - # do not log to syslog - to_syslog: false - - files: - path: /usr/share/filebeat/logs - name: mybeat.log - keepfiles: 7 diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/templates/configmap.yaml deleted file mode 100644 index 1a3a7fd302..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/configmap.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2019 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{include "common.fullname" . }}-filebeat-configmap - namespace: {{include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/templates/deployment.yaml deleted file mode 100644 index b8c24355e6..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/deployment.yaml +++ /dev/null 
@@ -1,165 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcae-deployment-handler - - --container-name - - consul-server - - --container-name - - policy-xacml-pdp - - "-t" - - "45" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: init-tls - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: aaf_locator_fqdn - value: dcae - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - - name: init-consul - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.consulLoaderImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --key - - policy_handler|/phconfig/config.json - resources: {} - volumeMounts: - - mountPath: /phconfig - name: ph-config - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.service.internalPort }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /app/logs - name: component-log - - mountPath: /app/etc/tls/certs/ - name: tls-info - env: - - name: CONSUL_HOST - value: consul-server.{{ include "common.namespace" . }} - - name: CLOUDIFY_USER - value: admin - - name: CLOUDIFY_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cm-pass" "key" "password") | indent 14 }} - - name: CONFIG_BINDING_SERVICE - value: config-binding-service - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: {{ include "common.name" . }}-filebeat - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: {{ include "repositoryGenerator.image.logging" . }} - imagePullPolicy: IfNotPresent - resources: {} - volumeMounts: - - mountPath: /var/log/onap/policy-handler - name: component-log - - mountPath: /usr/share/filebeat/data - name: filebeat-data - - mountPath: /usr/share/filebeat/filebeat.yml - name: filebeat-conf - subPath: filebeat.yml - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - emptyDir: {} - name: component-log - - emptyDir: {} - name: filebeat-data - - configMap: - defaultMode: 420 - name: {{ include "common.fullname" . 
}}-filebeat-configmap - name: filebeat-conf - - emptyDir: {} - name: tls-info - - configMap: - defaultMode: 422 - name: {{ include "common.fullname" . }}-configmap - name: ph-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/secrets.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/service.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/templates/service.yaml deleted file mode 100644 index cca0b640bb..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/templates/service.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - 
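Review bot: In the removed dcae-policy-handler templates/service.yaml, the NodePort branch sets `port` and `nodePort` but no `targetPort`, while the else branch maps `targetPort: {{ .Values.service.internalPort }}`. Kubernetes defaults a missing `targetPort` to the value of `port`, so with the chart's own values (externalPort 80, internalPort 25577) switching `service.type` to NodePort would send traffic to container port 80, where nothing listens. The file is deleted here, so nothing needs changing in this commit, but if this service template was copied into charts that remain, add the `targetPort` line to the NodePort branch there.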
diff --git a/kubernetes/dcaegen2/components/dcae-policy-handler/values.yaml b/kubernetes/dcaegen2/components/dcae-policy-handler/values.yaml deleted file mode 100644 index 00ce47b451..0000000000 --- a/kubernetes/dcaegen2/components/dcae-policy-handler/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -secrets: - - uid: 'cm-pass' - type: password - externalSecret: '{{ tpl (default "" .Values.config.cloudifyManagerPasswordExternalSecret) . }}' - password: '{{ .Values.config.cloudifyManagerPassword }}' - policy: required - -config: - cloudifyManagerPassword: "override me" - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - policy_xacml_pdp: policy-xacml-pdp - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/org.onap.dcaegen2.platform.policy-handler:5.1.3 -pullPolicy: Always - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - # liveness not desirable for Cloudify Manager container - enabled: false - -readiness: - initialDelaySeconds: 60 - periodSeconds: 300 - path: /healthcheck - scheme: HTTP - -service: - type: ClusterIP - name: policy-handler - externalPort: 80 - internalPort: 25577 - - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "dcae" - -#Pods Service Account -serviceAccount: - nameOverride: dcae-policy-handler - roles: - - read diff --git a/kubernetes/dcaegen2/components/dcae-servicechange-handler/Chart.yaml b/kubernetes/dcaegen2/components/dcae-servicechange-handler/Chart.yaml deleted file mode 100644 index 7f3a04ab78..0000000000 --- a/kubernetes/dcaegen2/components/dcae-servicechange-handler/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE Service Change Handler -name: dcae-servicechange-handler -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2/components/dcae-servicechange-handler/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-servicechange-handler/resources/config/config.json deleted file mode 100644 index 4578d4c4ee..0000000000 --- a/kubernetes/dcaegen2/components/dcae-servicechange-handler/resources/config/config.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "asdcDistributionClient": { - "asdcAddress": "{{ .Values.config.address.sdc }}.{{include "common.namespace" . }}:8443", - "asdcUri": "https://{{ .Values.config.address.sdc }}.{{include "common.namespace" . }}:8443", - "msgBusAddress": "{{ .Values.config.address.message_router }}.{{include "common.namespace" . }}", - "user": "{{ .Values.sdc.user }}", - "password": "{{ .Values.sdc.password }}", - "pollingInterval": 20, - "pollingTimeout": 20, - "consumerGroup": "dcae", - "consumerId": "dcae-sch", - "environmentName": "{{ .Values.sdc.environmentName }}", - "keyStorePath": null, - "keyStorePassword": null, - "activateServerTLSAuth": {{ .Values.sdc.useHttps }}, - "useHttpsWithDmaap": {{ .Values.dmaap.useHttps }}, - "isFilterInEmptyResources": false - }, - "dcaeInventoryClient": { - "uri": "https://inventory:8080" - } -} diff --git a/kubernetes/dcaegen2/components/dcae-servicechange-handler/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-servicechange-handler/templates/configmap.yaml deleted file mode 100644 index a2da32d051..0000000000 --- a/kubernetes/dcaegen2/components/dcae-servicechange-handler/templates/configmap.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2019 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaegen2/components/dcae-servicechange-handler/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-servicechange-handler/templates/deployment.yaml deleted file mode 100644 index 6c4e695228..0000000000 --- a/kubernetes/dcaegen2/components/dcae-servicechange-handler/templates/deployment.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "dcae-inventory-api" - - --container-name - - "message-router" - - --container-name - - "sdc-be" - - "-t" - - "45" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: init-tls - env: - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: [{{ .Values.liveness.script }}] - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - exec: - command: [{{ .Values.readiness.script }}] - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - name: {{ include "common.fullname" . }}-sch-config - mountPath: /opt/config.json - subPath: config.json - # NOTE: This is tied to the PATH_TO_CACERT env variable - - mountPath: /opt/cert/ - name: tls-info - env: - - name: CONSUL_HOST - value: consul.{{ include "common.namespace" . 
}} - - name: PATH_TO_CACERT - value: "/opt/cert/cacert.pem" - - name: SCH_ARGS - value: "prod /opt/config.json" - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-sch-config - configMap: - name: {{ include "common.fullname" . }}-configmap - - emptyDir: {} - name: tls-info - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/components/dcae-servicechange-handler/values.yaml b/kubernetes/dcaegen2/components/dcae-servicechange-handler/values.yaml deleted file mode 100644 index 8686db49ba..0000000000 --- a/kubernetes/dcaegen2/components/dcae-servicechange-handler/values.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -config: - logstashServiceName: log-ls - logstashPort: 5044 - address: - # Addresses of ONAP components - message_router: message-router - sdc: sdc-be -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.4.0 - -pullPolicy: Always - -# configuration for accessing SDC -sdc: - user: "dcae" - password: !!str Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - environmentName: "AUTO" - useHttps: false - -# configuration for accessing DMaaP -dmaap: - useHttps: false - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 30 - script: /opt/health.sh - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - # liveness not desirable for Cloudify Manager container - enabled: false - -readiness: - initialDelaySeconds: 30 - periodSeconds: 30 - script: /opt/health.sh - - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -# Kubernetes namespace for components deployed via Cloudify manager -# If empty, use the common namespace -# dcae_ns: "dcae" - -#Pods Service Account -serviceAccount: - nameOverride: dcae-servicechange-handler - roles: - - read diff --git a/kubernetes/dcaegen2/resources/expected-components.json b/kubernetes/dcaegen2/resources/expected-components.json deleted file mode 100644 index 43125d6195..0000000000 --- a/kubernetes/dcaegen2/resources/expected-components.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* - ============LICENSE_START======================================================== - ================================================================================= - Copyright (c) 2021 J. F. Lucas. All rights reserved. - ================================================================================= - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - =============LICENSE_END========================================================= -*/}} - -{{/* - - This template generates a JSON file with an array containing the names of the - components that the healthcheck container always expects to see--that is, the - components that are enabled in the top-level values.yaml file. - - The code loops through the list of components ($components) and checks each component's - entry in the values.yaml file is set to "enabled". It adds the name of each enabled - component to the list. - - There is a bit of Helm trickery here--the code uses a dict ($enabled), because that's - apparently the only way to create a variable outside of a range loop that can be updated - from within the range loop. The code here generates a list of the components that are - enabled in values.yaml, and stores it into the list called "enabled" in the dictionary - $enabled. - - Note also the assignment to an otherwise unused variable ($x) in the loop. Without that - assignment, the updated value of the $enabled.enabled list would be rendered into the - file each time an enabled component is found. 
- -*/}} - -{{- $ctx := . -}} -{{- $components := list "dcae-cloudify-manager" "dcae-config-binding-service" "dcae-dashboard" "dcae-deployment-handler" "dcae-inventory-api" "dcae-policy-handler" "dcae-servicechange-handler" -}} -{{- $enabled := dict "enabled" list -}} -{{- range $components -}} - {{- if index $ctx.Values . "enabled" -}} - {{- $x:= . | append $enabled.enabled | set $enabled "enabled" -}} - {{- end -}} -{{- end -}} -{{- $enabled.enabled | toJson }} - diff --git a/kubernetes/dcaegen2/templates/configmap.yaml b/kubernetes/dcaegen2/templates/configmap.yaml deleted file mode 100644 index 8a389ed408..0000000000 --- a/kubernetes/dcaegen2/templates/configmap.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-dcae-expected-components - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} 
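Review bot: The dcae-servicechange-handler/values.yaml removed earlier in this patch ships a literal credential as a chart default (`sdc.user: "dcae"` next to a `password: !!str ...` value), and the removed resources/config/config.json templates it into `"password": "{{ .Values.sdc.password }}"`, which that chart's templates/configmap.yaml renders into a ConfigMap rather than a Secret. Deleting the files does not remove the value from repository history, so treat it as exposed: confirm SDC no longer accepts it, or rotate it. The policy-handler chart removed in the same patch already pulled its password through `common.secret.envFromSecretFast`, and any successor to the servicechange-handler should follow that pattern instead of a values.yaml default.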
diff --git a/kubernetes/dcaegen2/templates/secrets.yaml b/kubernetes/dcaegen2/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/dcaegen2/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2/values.yaml b/kubernetes/dcaegen2/values.yaml deleted file mode 100644 index d4452480a0..0000000000 --- a/kubernetes/dcaegen2/values.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2018-2019 AT&T -# Modifications Copyright © 2020 Samsung Electronics -# Modifications Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 - -################################################################# -# Secrets metaconfig -################################################################# -secrets: -- name: &cmPassSecretName '{{ include "common.release" . }}-dcaegen2-cm-pass' - type: password - externalSecret: '{{ tpl (default "" .Values.config.cloudifyManagerPasswordExternalSecret) . 
}}' - password: '{{ .Values.config.cloudifyManagerPassword }}' - -config: {} - -# To work around DCAEGEN2-2450, set password strength to "basic" -# to ensure password contains only alphanumerics -passwordStrengthOverride: basic - -# Enable all DCAE components by default -dcae-bootstrap: - enabled: false - config: - cloudifyManagerPasswordExternalSecret: *cmPassSecretName -dcae-cloudify-manager: - enabled: false - config: - cloudifyManagerPasswordExternalSecret: *cmPassSecretName -dcae-config-binding-service: - enabled: false -dcae-dashboard: - enabled: false - config: - cloudifyManagerPasswordExternalSecret: *cmPassSecretName -dcae-deployment-handler: - enabled: false - config: - cloudifyManagerPasswordExternalSecret: *cmPassSecretName -dcae-healthcheck: - enabled: false -dcae-inventory-api: - enabled: false -dcae-policy-handler: - enabled: false - config: - cloudifyManagerPasswordExternalSecret: *cmPassSecretName -dcae-servicechange-handler: - enabled: false - diff --git a/kubernetes/dcaemod/.helmignore b/kubernetes/dcaemod/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/dcaemod/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/dcaemod/Chart.yaml b/kubernetes/dcaemod/Chart.yaml deleted file mode 100644 index 60a57653ce..0000000000 --- a/kubernetes/dcaemod/Chart.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD -name: dcaemod -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: dcaemod-genprocessor - version: ~11.x-0 - repository: 'file://components/dcaemod-genprocessor' - condition: dcaemod-genprocessor.enabled - - name: dcaemod-distributor-api - version: ~11.x-0 - repository: 'file://components/dcaemod-distributor-api' - condition: dcaemod-distributor-api.enabled - - name: dcaemod-designtool - version: ~11.x-0 - repository: 'file://components/dcaemod-designtool' - condition: dcaemod-designtool.enabled - - name: dcaemod-onboarding-api - version: ~11.x-0 - repository: 'file://components/dcaemod-onboarding-api' - condition: dcaemod-onboarding-api.enabled - - name: dcaemod-runtime-api - version: ~11.x-0 - repository: 'file://components/dcaemod-runtime-api' - condition: dcaemod-runtime-api.enabled - - name: dcaemod-nifi-registry 
- version: ~11.x-0 - repository: 'file://components/dcaemod-nifi-registry' - condition: dcaemod-nifi-registry.enabled - - name: dcaemod-healthcheck - version: ~11.x-0 - repository: 'file://components/dcaemod-healthcheck' - condition: dcaemod-healthcheck.enabled diff --git a/kubernetes/dcaemod/Makefile b/kubernetes/dcaemod/Makefile deleted file mode 100644 index 044e0cdd7d..0000000000 --- a/kubernetes/dcaemod/Makefile +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright © 2020 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -HELM_BIN := helm - -make-dcaemod: make-dcaemod-distributor-api make-dcaemod-genprocessor make-dcaemod-designtool make-dcaemod-onboarding-api make-dcaemod-runtime-api make-dcaemod-nifi-registry make-dcaemod-healthcheck - -make-dcaemod-distributor-api: - cd components && $(HELM_BIN) dep up dcaemod-genprocessor && $(HELM_BIN) lint dcaemod-genprocessor - -make-dcaemod-genprocessor: - cd components && $(HELM_BIN) dep up dcaemod-distributor-api && $(HELM_BIN) lint dcaemod-distributor-api - -make-dcaemod-designtool: - cd components && $(HELM_BIN) dep up dcaemod-designtool && $(HELM_BIN) lint dcaemod-designtool - -make-dcaemod-onboarding-api: - cd components && $(HELM_BIN) dep up dcaemod-onboarding-api && $(HELM_BIN) lint dcaemod-onboarding-api - -make-dcaemod-runtime-api: - cd components && $(HELM_BIN) dep up dcaemod-runtime-api && $(HELM_BIN) lint dcaemod-runtime-api - -make-dcaemod-nifi-registry: - cd components && $(HELM_BIN) dep up dcaemod-nifi-registry && $(HELM_BIN) lint dcaemod-nifi-registry - -make-dcaemod-healthcheck: - cd components && $(HELM_BIN) dep up dcaemod-healthcheck && $(HELM_BIN) lint dcaemod-healthcheck - -clean: - @find . -type f -name '*.tgz' -delete - @find . -type f -name '*.lock' -delete 
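Review bot: In the removed dcaemod Makefile the recipes of two targets are swapped: `make-dcaemod-distributor-api` runs `dep up` and `lint` on `dcaemod-genprocessor`, and `make-dcaemod-genprocessor` runs them on `dcaemod-distributor-api`. The aggregate `make-dcaemod` target still covers both charts, but invoking either target on its own lints the wrong chart and reports success for one that was never checked. Nothing needs changing in a deletion; it is worth checking whether the same copy-paste survives in the Makefiles that remain.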
diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml deleted file mode 100644 index d5f61a3e0b..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml +++ /dev/null @@ -1,33 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Design Tool -name: dcaemod-designtool -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml deleted file mode 100644 index 556ac90e02..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcaemod-genprocessor-http - - --container-name - - dcaemod-nifi-registry - - --container-name - - dcaemod-distributor-api - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-create-bucket - image: {{ include "repositoryGenerator.image.curl" . 
}} - args: - - -kv - - -X - - POST - - -H - - "Content-Type: application/json" - - --data-binary - - '{"name": "dcaemod-flows"}' - - http://dcaemod-nifi-registry:18080/nifi-registry-api/buckets - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: NIFI_DCAE_JARS_INDEX_URL - value: {{ .Values.config.nifiJarsIndexURL }} - - name: NIFI_DCAE_DISTRIBUTOR_API_URL - value: {{ .Values.config.distributorAPIURL }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml deleted file mode 100644 index e7f8e2da8f..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml +++ /dev/null 
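Review bot: The readiness init container in the removed dcaemod-designtool `deployment.yaml` waits on `dcaemod-genprocessor-http`, `dcaemod-nifi-registry` and `dcaemod-distributor-api` by container name, so this removal is only safe if no chart that stays behind names a `dcaemod-*` container in its own `/app/ready.py` arguments; such a pod would never get past its init container once these deployments are gone. Please confirm that with a search of the remaining charts. Please also state in the commit message that the `create-bucket` step (the POST of `{"name": "dcaemod-flows"}` to `http://dcaemod-nifi-registry:18080/nifi-registry-api/buckets`) is dropped with it, since nothing else in this file creates that bucket.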
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml deleted file mode 100644 index 7fc4e896d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml deleted file mode 100644 index 86aad57b1b..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - nifiJarsIndexURL: http://dcaemod-genprocessor:8080/nifi-jars - distributorAPIURL: /distributor - -# application image -image: onap/org.onap.dcaegen2.platform.mod.designtool-web:1.0.2 - -service: - type: ClusterIP - name: dcaemod-designtool - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod" - path: "/nifi" - name: "dcaemod-designtool" - port: 8080 - - baseaddr: "dcaemod" - path: "/nifi-api" - name: "dcaemod-designtool" - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 90 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - path: /nifi-api/system-diagnostics - scheme: HTTP - port: http - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-designtool - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml deleted file mode 100644 index 0643257eb8..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml +++ /dev/null 
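Review bot: Documentation is missing for the externally visible part of this removal: the `ingress` block in the deleted dcaemod-designtool `values.yaml` published `/nifi` and `/nifi-api` on port 8080 under `baseaddr: "dcaemod"` with `enabled: true` and `ssl: "none"`. Please list those two paths as removed in the release notes, and check that no override file or ingress documentation still advertises the `dcaemod` host, so operators can drop the matching DNS and firewall entries.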
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Distributor API -name: dcaemod-distributor-api -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml deleted file mode 100644 index f36c2af002..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcaemod-runtime-api - - --container-name - - dcaemod-nifi-registry - - --container-name - - dcaemod-onboarding-api - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: NIFI_REGISTRY_URL - value: {{ .Values.config.nifiRegistryURL }} - - name : ONBOARDING_API_URL - value: {{ .Values.config.onboardingAPIURL }} - resources: {{ include "common.resources" . | nindent 12 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml deleted file mode 100644 index 61ccfdef79..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - nifiRegistryURL: http://dcaemod-nifi-registry:18080/nifi-registry-api - onboardingAPIURL: http://dcaemod-onboarding-api:8080/onboarding - -# application image -image: onap/org.onap.dcaegen2.platform.mod.distributorapi:1.1.0 - -service: - type: ClusterIP - name: dcaemod-distributor-api - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod" - path: "/distributor" - name: dcaemod-distributor-api - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - # Should have a proper readiness endpoint - # This will be OK as long as we have a small number - # of distribution targets - path: /distributor/distribution-targets - scheme: HTTP - port: http - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-distributor-api - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml deleted file mode 100644 index 864ac0d8a3..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Genprocessor -name: dcaemod-genprocessor -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml deleted file mode 100644 index 26f6586688..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - # apps run as uid 1000, gid 1000 - # the volume is mounted with root permissions - # this initContainer changes ownership to uid 1000 gid 1000 - # (tried using a securityContext in the pod spec, but it didn't seem to work) - - name: set-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - - -c - - chown -R 1000:1000 /genprocessor-data - volumeMounts: - - mountPath: /genprocessor-data - name: genprocessor-data - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: GENPROC_ONBOARDING_API_HOST - value: {{ .Values.config.onboardingAPIURL }} - volumeMounts: - - mountPath: /work/ - name: genprocessor-data - resources: {{ include "common.resources" . | nindent 12 }} - - name: {{ include "common.name" . }}-http - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.httpImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /www/data - name: genprocessor-data - readOnly: true - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: genprocessor-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml deleted file mode 100644 index 2831c151d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.PV" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml deleted file mode 100644 index 1e6c62a653..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml deleted file mode 100644 index 81c5888f10..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - onboardingAPIURL: http://dcaemod-onboarding-api:8080/onboarding - -# application image -image: onap/org.onap.dcaegen2.platform.mod.genprocessor-job:1.0.2 -httpImage: onap/org.onap.dcaegen2.platform.mod.genprocessor-http:1.0.2 - -service: - type: ClusterIP - name: dcaemod-genprocessor - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod" - path: "/nifi-jars" - name: dcaemod-genprocessor - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# Parameters for persistent storage -persistence: - enabled: true -# Only the genprocessor-job writes, genprocessor-http mounts readOnly - accessMode: ReadWriteMany - size: 4Gi - mountPath: /dockerdata-nfs - mountSubPath: dcae-mod-genprocessor/data - volumeReclaimPolicy: Retain - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-genprocessor - roles: - - read - diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml deleted file mode 100644 index 55dbc3306c..0000000000 
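Review bot: The `persistence` block in the deleted dcaemod-genprocessor `values.yaml` sets `volumeReclaimPolicy: Retain` with `mountPath: /dockerdata-nfs` and `mountSubPath: dcae-mod-genprocessor/data`, so deleting the chart does not delete the data: after an upgrade the released PersistentVolume and the directory under `/dockerdata-nfs` stay behind. Please add an upgrade note telling operators to remove the leftover volume and directory by hand, or state explicitly that the generated artifacts are meant to be kept.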
--- a/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml +++ /dev/null @@ -1,35 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Health Check -name: dcaemod-healthcheck -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml deleted file mode 100644 index f46dc5f287..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: 1 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: {{ include "common.containerPorts" . | nindent 10 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ include "common.getPort" (dict "global" . 
"name" "http") }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ include "common.getPort" (dict "global" . "name" "http") }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/app/expected-components.json - subPath: expected-components.json - name: {{ include "common.fullname" .}}-expected-components - env: - - name: DCAE_NAMESPACE - value: {{ .Values.dcae_ns }} - - name: ONAP_NAMESPACE - value: {{ include "common.namespace" . }} - - name: HELM_RELEASE - value: {{ include "common.release" . }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-expected-components - configMap: - name: {{ include "common.release" . }}-dcaemod-expected-components - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml deleted file mode 100644 index 7fc4e896d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml deleted file mode 100644 index 73661ac843..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - nodePortPrefix: 302 - -service: - name: dcaemod-healthcheck - type: ClusterIP - ports: - - name: http - port: 8080 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 -# application image -image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.0 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-healthcheck - roles: - - read - diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml deleted file mode 100644 index ce3d0430be..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Nifi Registry -name: dcaemod-nifi-registry -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml deleted file mode 100644 index 53f1de59bc..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - # nifi-registry app runs as user "nifi", uid 1000, group "nifi", gid 1000 - # the volume is mounted with root permissions - # this initContainer changes ownership to uid 1000 gid 1000 - # (tried using a securityContext in the pod spec, but it didn't seem to work) - - name: set-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - - -c - - chown -R 1000:1000 /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - volumeMounts: - - mountPath: /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - name: flow-storage - containers: - - name: {{ include "common.name" . 
}} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - name: flow-storage - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: NIFI_REGISTRY_DB_URL - value: {{ .Values.config.dbURL }} - - name: NIFI_REGISTRY_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "login") | indent 12 }} - - name: NIFI_REGISTRY_DB_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "password") | indent 12 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: flow-storage - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml deleted file mode 100644 index b351573f83..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - - -{{ include "common.PV" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml deleted file mode 100644 index 1e6c62a653..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml deleted file mode 100644 index 869e3d3912..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml deleted file mode 100644 index a0bbacc7ef..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - -config: - dbURL: jdbc:h2:./database/nifi-registry-primary - dbUser: nobody - dbPassword: nobody - -secrets: - - uid: "dbsecret" - type: basicAuth - login: '{{ .Values.config.dbUser }}' - password: '{{ .Values.config.dbPassword }}' - passwordPolicy: generate - -# application image -image: apache/nifi-registry:0.5.0 - -service: - type: ClusterIP - name: dcaemod-nifi-registry - ports: - - name: http - port: 18080 - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# Parameters for persistent storage -persistence: - enabled: true - accessMode: ReadWriteOnce - size: 4Gi - mountPath: /dockerdata-nfs - mountSubPath: dcae-mod-nifi-registry/data - volumeReclaimPolicy: Retain - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-nifi-registry - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore b/kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml deleted file mode 100644 index 73bade4ac0..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Onboarding API -name: dcaemod-onboarding-api -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: postgres - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml deleted file mode 100644 index 5c7d1b6d0d..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.postgres.nameOverride }} - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }} - command: - - sh - args: - - -c - - 'PG_CONN=postgresql://${PG_USER}:${PG_PASSWORD}@${PG_ADDR}:${PG_PORT}/${PG_DB_NAME} ./start.sh' - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: PG_ADDR - value: {{ .Values.postgres.service.name2 }} - # This should be kept in secret but it needs a fix in postgres common chart - - name: PG_USER - value: postgres - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14 }} - - name: PG_PORT - value: "5432" - - name: PG_DB_NAME - value: dcae_onboarding_db - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} 
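Review bot: the deleted `env` block in `dcaemod-onboarding-api/templates/deployment.yaml` holds the only record of an open item, `# This should be kept in secret but it needs a fix in postgres common chart`, next to `PG_USER` hard-coded to `postgres` and `PG_PASSWORD` read from the `db-root-pass` secret. Removing the chart removes this consumer, but the fix the comment asks for is in the shared postgres chart. Move the TODO to an issue against that chart, or reference one in the commit message, so it does not disappear with this file.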
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml deleted file mode 100644 index 2aefedbc86..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - name: &rootPassSecretName '{{ include "common.release" . }}-dcaemod-db-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dcaemod-db-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret)}}' - password: '{{ .Values.postgres.config.pgRootPassword }}' - - uid: db-primary-pass - name: &primaryPassSecretName '{{ include "common.release" . 
}}-dcaemod-db-primary-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgPrimaryPasswordExternalSecret) .) (hasSuffix "dcaemod-db-primary-pass" .Values.postgres.config.pgPrimaryPasswordExternalSecret)}}' - password: '{{ .Values.postgres.config.pgPrimaryPassword }}' - -service: - type: ClusterIP - name: dcaemod-onboarding-api - ports: - - name: http - port: 8080 -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod" - path: "/onboarding" - name: dcaemod-onboarding-api - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# postgres values--overriding defaults in the postgres subchart -postgres: - nameOverride: dcaemod-db - service: - name: dcaemod-postgres - name2: dcaemod-pg-primary - name3: dcaemod-pg-replica - suffix: svc.cluster.local - container: - name: - primary: dcaemod-pg-primary - replica: dcaemod-pg-replica - config: - pgPrimaryPasswordExternalSecret: *primaryPassSecretName - pgRootPasswordExternalSecret: *rootPassSecretName - persistence: - mountSubPath: dcaemod/data - mountInitPath: dcaemod - -# application image -image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.13.0 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-onboarding-api - roles: - - read - 
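Review bot: this removal of `dcaemod-onboarding-api/values.yaml` drops the `postgres` overrides (`persistence.mountSubPath: dcaemod/data`) and both `secrets` entries (`db-root-pass` and `db-primary-pass`, each of which can resolve to an `externalSecret`) without saying what an operator upgrading an existing release should do with the database directory or with secrets created outside the chart. Nothing in the hunk cleans those up, so add an upgrade or release-notes entry that lists them, together with the `dcaemod` ingress `baseaddr` and its `/onboarding` path that were served with `ssl: "none"`.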
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore b/kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml deleted file mode 100644 index 4e1c94020d..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Runtime API -name: dcaemod-runtime-api -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' - - name: readinessCheck - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml deleted file mode 100644 index 8c964ecd02..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml +++ /dev/null 
@@ -1,3 +0,0 @@ -{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} -{{ include "certManagerCertificate.certificate" . }} -{{ end }} \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml deleted file mode 100644 index db16451688..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -appVersion: "Kohn" -description: TBD -name: TBD -version: TBD - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: readinessCheck - version: ~11.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~11.x-0 - repository: '@local' - - name: postgres - version: ~11.x-0 - repository: '@local' - condition: postgres.enabled - - name: serviceAccount - version: ~11.x-0 - repository: '@local' - - name: mongo - version: ~11.x-0 - repository: '@local' - condition: mongo.enabled diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml deleted file mode 100644 index 866a9ad672..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml +++ /dev/null 
@@ -1 +0,0 @@ -{{ include "dcaegen2-services-common.configMap" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml deleted file mode 100644 index bef31a7a3a..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "dcaegen2-services-common.microserviceDeployment" . }} \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml deleted file mode 100644 index 6ee9297869..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml deleted file mode 100644 index f024c64864..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml deleted file mode 100644 index 99160210d0..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 -consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: TBD #DONE -pullPolicy: Always - -#policy sync image -dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 - -#postgres enable/disable -postgres: - enabled: false - -#mongo enable/disable -mongo: - enabled: false - nameOverride: dcae-mongo - config: - dbName: dcaecommondb - service: - name: dcae-mongohost - internalPort: 27017 - nfsprovisionerPrefix: dcaemongo - sdnctlPrefix: tcagen2 - persistence: - mountSubPath: dcae/mongo/data - enabled: true - disableNfsProvisioner: true - -# log directory where logging sidecar should look for log files -# if absent, no sidecar will be deployed -#log: -# path: TBD #/opt/app/VESCollector/logs #DONE -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -#certDirectory: TBD #/opt/app/dcae-certificate #DONE - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -#tlsServer: TBD #DONE - -# dependencies -readinessCheck: - wait_for: - - aaf-cm - -# probe configuration #NEED DISCUSSION -readiness: - initialDelaySeconds: TBD - periodSeconds: TBD - path: TBD - scheme: TBD - port: TBD - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -serviceAccount: - nameOverride: TBD - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml deleted file mode 100644 index 7d90f5812c..0000000000 
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-helmgen-templates - namespace: {{ include "common.namespace" . }} -data: -{{ (.Files.Glob "resources/config/base/templates/*.yaml").AsConfig | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-helmgen-base - namespace: {{ include "common.namespace" . }} -data: -{{ (.Files.Glob "resources/config/base/*.yaml").AsConfig | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-helmgen-addons-templates - namespace: {{ include "common.namespace" . }} -data: -{{ (.Files.Glob "resources/config/addons/templates/*").AsConfig | indent 2 }} \ No newline at end of file 
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml deleted file mode 100644 index 39044465dc..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - volumeMounts: - - mountPath: {{ .Values.config.basehelmchartlocation }}/base/values.yaml - subPath: values.yaml - name: dcae-helmgen-base - - mountPath: {{ .Values.config.basehelmchartlocation }}/base/Chart.yaml - subPath: Chart.yaml - name: dcae-helmgen-base - - mountPath: {{ .Values.config.basehelmchartlocation }}/base/templates - name: dcae-helmgen-templates - - mountPath: {{ .Values.config.basehelmchartlocation }}/addons/templates - name: dcae-helmgen-addon-templates - env: - - name: DASHBOARD_URL - value: {{ .Values.config.dashboardURL }} - - name: DASHBOARD_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dashsecret" "key" "login") | indent 14 }} - - name: DASHBOARD_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "dashsecret" "key" "password") | indent 14 }} - - name: ONAP_TOPICURL - value: {{ .Values.config.mrTopicURL }} - - name: ONAP_IMPORT_CLOUDIFYPLUGIN - value: {{ .Values.config.importCloudify }} - - name: ONAP_IMPORT_K8SPLUGIN - value: {{ .Values.config.importK8S }} - - name: ONAP_IMPORT_POLICYPLUGIN - value: {{ .Values.config.importPolicy }} - - name: ONAP_IMPORT_POSTGRESPLUGIN - value: {{ .Values.config.importPostgres }} - - name: ONAP_IMPORT_CLAMPPLUGIN - value: {{ .Values.config.importClamp }} - - name: ONAP_IMPORT_DMAAPPLUGIN - value: {{ .Values.config.importDMaaP }} - - name: ONAP_USEDMAAPPLUGIN - value: {{ .Values.config.useDmaapPlugin | quote }} - - name: BP_RESOURCES_CPU_LIMIT - value: {{ .Values.config.bpResourcesCpuLimit }} - - name: BP_RESOURCES_MEMORY_LIMIT - value: {{ .Values.config.bpResourcesMemoryLimit }} - - name: ARTIFACT_TYPE - value: {{ .Values.config.artifactType }} - - name: CHARTMUSEUM_BASEURL - value: {{ .Values.config.registryBaseurl }} - - name: HELM_BASE_CHART_TEMPLATE_LOCATION - value: {{ .Values.config.basehelmchartlocation }} - - name: CHARTMUSEUM_AUTH_BASIC_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "registrycred" "key" "login") | indent 14 }} - - name: CHARTMUSEUM_AUTH_BASIC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "registrycred" "key" "password") | indent 14 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: - - name: dcae-helmgen-templates - configMap: - name: {{ include "common.fullname" . }}-dcae-helmgen-templates - - name: dcae-helmgen-base - configMap: - name: {{ include "common.fullname" . }}-dcae-helmgen-base - - name: dcae-helmgen-addon-templates - configMap: - name: {{ include "common.fullname" . }}-dcae-helmgen-addons-templates \ No newline at end of file 
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml deleted file mode 100644 index 3c527f8cd3..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml deleted file mode 100644 index 64d196d908..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - -config: - dashboardURL: https://inventory:8080/dcae-service-types - # The dashboard credentials aren't actually used, since - # the inventory API and the dashboard pass-through to the - # inventory API don't require authentication. - # Since the password doesn't matter, we let it be - # generated by the common secret template. 
- dashboardUser: nobody - #dashboardPassword: doesntmatter - mrTopicURL: http://message-router:3904/events - importCloudify: https://www.getcloudify.org/spec/cloudify/4.5.5/types.yaml - importK8S: plugin:k8splugin?version=>=3.5.1,<4.0.0 - importPostgres: plugin:pgaas?version=1.3.0 - importClamp: plugin:clamppolicyplugin?version=1.1.1 - importDMaaP: plugin:dmaap?version=>=1.5.1,<2.0.0 - useDmaapPlugin: false - bpResourcesCpuLimit: 250m - bpResourcesMemoryLimit: 128Mi - artifactType: "HELM" - registryBaseurl: http://chart-museum:80 - basehelmchartlocation: /helm-gen/ - - -secrets: - - uid: "dashsecret" - type: basicAuth - login: '{{ .Values.config.dashboardUser }}' - password: '{{ .Values.config.dashboardPassword }}' - passwordPolicy: generate - - uid: registrycred - type: basicAuth - login: '{{ .Values.registryCred.username }}' - password: '{{ .Values.registryCred.password }}' - passwordPolicy: required - -# Below parameter should match setting in all clients -# including oom\kubernetes\platform\components\chartmuseum -# where ONAP registry is setup -registryCred: - username: onapinitializer - password: demo123456! 
- -service: - type: ClusterIP - name: dcaemod-runtime-api - ports: - - name: http - port: 9090 - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - port: http - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# dependencies -#readinessCheck: -# wait_for: -# - chart-museum - - -# application image -image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.3.3 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-runtime-api - roles: - - read diff --git a/kubernetes/dcaemod/resources/expected-components.json b/kubernetes/dcaemod/resources/expected-components.json deleted file mode 100644 index 7fd644c3f8..0000000000 --- a/kubernetes/dcaemod/resources/expected-components.json +++ /dev/null @@ -1,10 +0,0 @@ -[ -{{- $ctx := . }} -{{- $components := tuple "dcaemod-designtool" "dcaemod-distributor-api" "dcaemod-genprocessor" "dcaemod-nifi-registry" "dcaemod-onboarding-api" "dcaemod-runtime-api" }} -{{- range $i, $v := $components }} -{{- if index $ctx.Values . "enabled" }} -{{- if $i }},{{ end }} -{{ $v | quote | indent 2 }} -{{- end -}} -{{- end }} -] \ No newline at end of file diff --git a/kubernetes/dcaemod/templates/configmap.yaml b/kubernetes/dcaemod/templates/configmap.yaml deleted file mode 100644 index 13b374cb04..0000000000 --- a/kubernetes/dcaemod/templates/configmap.yaml +++ /dev/null 
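Review bot: the `registryCred` block in the removed kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml committed a literal username and password as chart defaults, and the comment above it says the value has to match every client, including the chartmuseum chart. Deleting this one consumer does not retire that shared default. Please confirm, here or in a follow-up, that the charts the comment refers to take the credential from an external secret rather than a values-file literal. The `registrycred` secret was declared with `passwordPolicy: required`, which gives little protection while a default password sits in the same file.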
@@ -1,26 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-dcaemod-expected-components - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaemod/values.yaml b/kubernetes/dcaemod/values.yaml deleted file mode 100644 index 57e6d32693..0000000000 --- a/kubernetes/dcaemod/values.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -# Enable all DCAE MOD components by default -dcaemod-designtool: - enabled: true -dcaemod-distributor-api: - enabled: true -dcaemod-genprocessor: - enabled: true -dcaemod-healthcheck: - enabled: true -dcaemod-nifi-registry: - enabled: true -dcaemod-onboarding-api: - enabled: true -dcaemod-runtime-api: - enabled: true \ No newline at end of file diff --git a/kubernetes/dmaap/Chart.yaml b/kubernetes/dmaap/Chart.yaml index d8cb1d5b60..31c57e31d0 100644 --- a/kubernetes/dmaap/Chart.yaml +++ b/kubernetes/dmaap/Chart.yaml 
@@ -18,32 +18,24 @@ apiVersion: v2 description: ONAP DMaaP components name: dmaap -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: dmaap-strimzi - version: ~11.x-0 - repository: 'file://components/dmaap-strimzi' - condition: dmaap-strimzi.enabled - name: message-router - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/message-router' condition: message-router.enabled - - name: dmaap-bc - version: ~11.x-0 - repository: 'file://components/dmaap-bc' - condition: dmaap-bc.enabled - name: dmaap-dr-node - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/dmaap-dr-node' condition: dmaap-dr-node.enabled - name: dmaap-dr-prov - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/dmaap-dr-prov' condition: dmaap-dr-prov.enabled - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/Makefile b/kubernetes/dmaap/Makefile index 7f4318190f..5bedb4a7b9 100644 --- a/kubernetes/dmaap/Makefile +++ b/kubernetes/dmaap/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
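Review bot: `ifneq ($(SKIP_LINT),TRUE)` in the new block of kubernetes/dmaap/Makefile matches only the exact string `TRUE`, so `SKIP_LINT=true` or `SKIP_LINT=1` still runs `helm lint` with no hint that the switch was not recognised, and nothing in the file documents the variable. Since `lint-%` is the prerequisite of `package-%`, setting it lets charts be packaged without a lint pass. A short comment above the block stating the accepted value and when it is acceptable to use it would help, as would making sure CI never exports it.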
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/dmaap/README.md b/kubernetes/dmaap/README.md index 8c61b6a012..33362926b0 100644 --- a/kubernetes/dmaap/README.md +++ b/kubernetes/dmaap/README.md @@ -1,5 +1,6 @@ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2018 Amdocs,Bell Canada +# Copyright (c) 2023 J. F.Lucas. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,11 +19,4 @@ ONAP DMaaP includes the following Kubernetes services: 1) message-router - a message bus for applications -2) dbc-api - an API to provision DMaaP resources -3) dmaap-data-router - an API to provision data feeds for consumers - -# Service Dependencies - -message-router depends on AAF -dmaap-data-router depends on AAF -dbc-api depends on AAF and Postgresql. \ No newline at end of file +2) dmaap-data-router - an API to provision data feeds for consumers diff --git a/kubernetes/dmaap/components/Makefile b/kubernetes/dmaap/components/Makefile index 3253599dea..89fff87d25 100644 --- a/kubernetes/dmaap/components/Makefile +++ b/kubernetes/dmaap/components/Makefile 
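Review bot: in the `package-%` recipe of kubernetes/dmaap/Makefile, `PACKAGE_NAME` is scraped from the human-readable output of `helm package` with `cut -d":" -f2`, which truncates the path if it contains a colon and breaks if the message wording changes. Deriving the archive path from `$(PACKAGE_DIR)` and the chart name and version would be sturdier. Two further points on the same lines: `cm-push -f` forces the upload, so rebuilding a chart silently replaces an already published archive of the same version in `local`; and the `@sleep 3` and the commented-out `#@$(HELM_BIN) repo index $(PACKAGE_DIR)` line should each be either explained in a comment or dropped. The same recipe is repeated in kubernetes/dmaap/components/Makefile, so whatever is decided applies there too.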
@@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/dmaap/components/dmaap-bc/.helmignore b/kubernetes/dmaap/components/dmaap-bc/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/dmaap/components/dmaap-bc/Chart.yaml b/kubernetes/dmaap/components/dmaap-bc/Chart.yaml deleted file mode 100644 index 5ed50ca7e9..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/Chart.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: a Helm chart to deploy ONAP DMaaP Bus Controller (aka dmaap-bc) in Kubernetes -name: dmaap-bc -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: postgres - version: ~11.x-0 - repository: '@local' - condition: PG.enabled - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-bc/README.md b/kubernetes/dmaap/components/dmaap-bc/README.md deleted file mode 100644 index a6115477ec..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/README.md +++ /dev/null 
@@ -1,25 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Helm Chart for ONAP DMaaP Applications - -ONAP includes the following Kubernetes services available in ONAP Beijing Release (more expected in future): - -1) message-router - a message bus for applications -2) dmaap-prov - an API to provision DMaaP resources - -# Service Dependencies - -message-router depends on AAF -dmaap-prov depends on AAF and Postgresql. diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env deleted file mode 100644 index 2b2ea4183a..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Environment settings for starting a container -DMAAPBC_WAIT_TO_EXIT=Y -DMAAPBC_KSTOREFILE=/opt/app/osaaf/local/org.onap.dmaap-bc.jks diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties deleted file mode 100644 index d464428893..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties +++ /dev/null 
@@ -1,277 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -##################################################### -# -# Hooks for specific environment configurations -# -##################################################### -# Indicator for whether to use AAF for authentication -UseAAF: {{ .Values.global.aafEnabled }} - -# Stub out southbound calls for Unit Test cases to run. e.g. not timeout -# Comment out in other environments to get default (No) -#UnitTest: Yes - - -##################################################### -# -# Settings for Southbound API: Datarouter -# -##################################################### - -# URI to retrieve dynamic DR configuration -ProvisioningURI: /internal/prov - -# indicator for handling feed delete: -# DeleteOnDR - means use the DR API to DELETE a feed. (default for backwards compatibility) -# SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL. Better for cloudify environments. -Feed.deleteHandling: SimulateDelete - -########################################################### -# The following properties default to match ONAP DR instance. -# However, there are some non-ONAP DR instances that require other values. 
-# Sets the X-DR-ON-BEHALF-OF HTTP Header value -#DR.onBehalfHeader: -# Value for the Content-Type Header in DR Feed API -#DR.feedContentType: -# Value for the Content-Type Header in DR Subscription API -#DR.subContentType: -# -# END OF properties helpful for non-ONAP DR instance. -############################################################ - -##################################################### -# -# Settings for Soutbound API: Postgresql -# -##################################################### -# flag indicates if we are using postgresql -UsePGSQL: {{ .Values.PG.enabled }} - -# postgres host name -# Need to connect to PG primary service, designated by service.name2 -DB.host: {{ .Values.postgres.service.name2 }} - -# postgres schema name -#DB.schema: {{ .Values.postgres.config.pgDatabase }} - -# postgres user name -DB.user: ${PG_USER} - -# postgres user password -DB.cred: ${PG_PASSWORD} - - -##################################################### -# -# Settings for Soutbound API: Message Router -# -##################################################### -# indicator for multi-site (locations) deployment. Give clue to buscontroller whether -# there is a need for message replication between edge and central. -# ONAP Casablanca is a single site deployment -MR.multisite: false - -# FQDN of primary message router. -# In ONAP Casablanca, there is only 1 message router service, so use that. 
-# In a multi-site, MR cluster deployment, use the CNAME DNS entry which resolves to the primary central MR -MR.CentralCname: {{ .Values.dmaapMessageRouterService }} - -# Indicator for whether we want hostname verification on SSL connection to MR -MR.hostnameVerify: false - -# MR Client Delete Level thoroughness: -# 0 = don't delete -# 1 = delete from persistent store -# 2 = delete from persistent store (DB) and authorization store (AAF) -MR.ClientDeleteLevel: 1 - -# namespace of MR Topic Factory -MR.TopicFactoryNS: org.onap.dmaap.mr.topicFactory - -# AAF Role assigned to Topic Manager Identity -MR.TopicMgrRole: org.onap.dmaap-bc-topic-mgr.client - -# MR topic ProjectID (used in certain topic name generation formats) -MR.projectID: mr - -# Use Basic Authentication when provisioning topics -MR.authentication: basicAuth - -# MR topic name style (default is FQTN_LEGACY_FORMAT) -#MR.topicStyle: FQTN_LEGACY_FORMAT -# -# end of MR Related Properties -################################################################################ - - -##################################################### -# -# Settings for Southbound API: CADI -# -##################################################### -# path to cadi.properties -cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props - -##################################################### -# -# Settings for Southbound API: AAF proxy -# -##################################################### -# URL of the AAF server -aaf.URL: {{ .Values.aafURL }} - -# TopicMgr Identity -aaf.TopicMgrUser: {{ .Values.topicMgrUser }} - -# Password for TopicMgr identity -aaf.TopicMgrPassword: {{ .Values.topicMgrPwd }} - -# Buscontroller Admin Identity -aaf.AdminUser: {{ .Values.adminUser }} - -# Admin Password -aaf.AdminPassword: {{ .Values.adminPwd }} - -# Identity that is owner of any created namespaces for topics -aaf.NsOwnerIdentity: {{ .Values.adminUser }} - - -# this overrides the Class used for Decryption. 
-# This allows for a plugin encryption/decryption method if needed. -# Call this Class for decryption at runtime. -#AafDecryption.Class: com.company.proprietaryDecryptor - -# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF -# Not used in ONAP, but possibly used with Decryption override class. -#CredentialCodeKeyfile: etc/LocalKey - -# -# endof AAF Properties -#################################################### - - -##################################################### -# -# Settings for authorization of DBCAPI -# -##################################################### -# Namespace for URI values for the API used to create AAF permissions -# e.g. if ApiNamespace is X.Y.dmaapbc.api then for URI /mr_clients we create AAF perm X.Y.dmaapbc.api.mr_clients -ApiNamespace: org.onap.dmaap-bc.api - -# If API authorization is required, then implement a class to enforce it. -# This overrides the Class used for API permission check. -ApiPermission.Class: org.onap.dmaap.dbcapi.authentication.AllowAll - -##################################################### -# -# Settings for Southbound API: MirrorMaker provisioning -# -##################################################### -# AAF Role of client publishing MM prov cmds -MM.ProvRole: org.onap.dmaap-bc-mm-prov.prov - -# AAF identity when publishing MM prov cmds -MM.ProvUserMechId: dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org - -# pwd for Identity used to publish MM prov cmds -MM.ProvUserPwd: demo123456! - -# AAF Role of MirrorMaker agent subscribed to prov cmds. 
-MM.AgentRole: org.onal.dmaap-bc-mm-prov.agent - -##################################################### -# -# Certificate Management -# -##################################################### - -# Indicates how we are expecting certificates to be provided: -# cadi - a set of artifacts will be downloaded from AAF at deployment time, and details will be in a cadi properties file -# legacy (default) - artifacts will be installed manually or some other way and details will be in this file -CertificateManagement: cadi - -# When CertificateManagement is cadi, then this is where all the cadi properties will be. -# Note that the cadi properties include where the cert is, and the encrypted passwords to read. -cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props - -########################################################################################### -# When CertificateManagement is legacy, we need to provide more details about cert handling: -#CertificateManagement: legacy -# the type of keystore for https (for legacy CertificateManagment only) -#KeyStoreType: jks - -# path to the keystore file (for legacy CertificateManagment only) -#KeyStoreFile: etc/keystore - -# password for the https keystore (for legacy CertificateManagment only) -#KeyStorePassword: Y@Y5f&gm?PAz,CVQL,lk[VAF -# password for the private key in the https keystore (for legacy CertificateManagment only) -#KeyPassword: changeit - -# type of truststore for https (for legacy CertificateManagment only) -#TrustStoreType: jks - -# path to the truststore for https (for legacy CertificateManagment only) -#TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks - -# password for the https truststore (for legacy CertificateManagment only) -#TrustStorePassword: changeit -# -# END OF legacy CertificateManagement properties -########################################################################################### - - -##################################################### -# -# HTTP Server Configuration -# 
-##################################################### - -# Allow http access to dbcapi -HttpAllowed: true - -# listen to http port within this container (server) -IntHttpPort: 8080 - -# listen to https port within this container (server) -# set to 0 if no certificates are available. -IntHttpsPort: 8443 - - - -inHttpsPort: 0 - -##################################################### -# -# Deprecated -# -##################################################### -# csit: stubs out some southbound APIs for csit (deprecated) -#csit: No -# name of this DMaaP instance (deprecated) -#DmaapName: demo -# external port number for https taking port mapping into account (deprecated) -#ExtHttpsPort: 443 -# path to the file used to trigger an orderly shutdown (deprecated) -#QuiesceFile: etc/SHUTDOWN -# FQDN of DR Prov Server (deprecated) -#DR.provhost: dcae-drps.domain.not.set -# root of topic namespace (decrecated) -#topicNsRoot: org.onap.dcae.dmaap diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json b/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json deleted file mode 100644 index ca1e740dd8..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - - "dcaeLayer": "kubernetes-central", - "dcaeLocationName": "san-francisco" -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json b/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json deleted file mode 100644 index 23b111c8f3..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json +++ /dev/null @@ -1,11 +0,0 @@ -{ -{{ if eq .Values.fixedTopicNamespace true }} - "dmaapName": "mr", -{{- else -}} - "dmaapName": "{{ include "common.namespace" . }}", -{{- end}} - "drProvUrl": "https://dmaap-dr-prov", - "version": "1", - "topicNsRoot": "org.onap.dmaap", - "bridgeAdminTopic": "DCAE_MM_AGENT" -} 
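Review bot: The deleted kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties carries a literal credential, `MM.ProvUserPwd: demo123456!`, and a commented `#KeyStorePassword:` value, and removing the file does not remove either from repository history. Treat both as disclosed: confirm that no remaining chart or values file reuses them, and rotate them wherever they were deployed. The same file also rendered `aaf.TopicMgrPassword` and `aaf.AdminPassword` from `.Values.topicMgrPwd` and `.Values.adminPwd`, so any overrides that still set those keys should be dropped in the same change, to avoid leaving orphaned secrets in values files.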
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml deleted file mode 100644 index 7ef2dcdb8f..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{ - "dcaeLocationName" : "san-francisco", - "fqdn" : "dmaap-dr-node.san-francisco", - "hostName" : "dmaap-dr-node.pod", - "version" : "1.0.1" -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml deleted file mode 100644 index 272cd75e52..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{ - "dcaeLocationName" : "edge1", - "fqdn" : "dmaap-dr-node.edge1", - "hostName" : "dmaap-dr-node.pod.edge1", - "version" : "1.0.1" -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README b/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README deleted file mode 100644 index 4f5eac5ba1..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README +++ /dev/null @@ -1,3 +0,0 @@ -# -# Intent of this directory is for it to contain a file for each feed that needs to be provisioned in DR. -# So, app teams can add files to this directory as needed without impacting each other's code. diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json b/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json deleted file mode 100644 index 9e732d2af8..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "dcaeLocationName": "san-francisco", - "fqdn": "message-router", - "topicProtocol": "http", - "topicPort": "3904" -} 
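Review bot: In the `package-%` recipe of kubernetes/dmaap/components/Makefile, `PACKAGE_NAME=$$($(HELM_BIN) package ... | cut -d":" -f2)` takes its exit status from `cut`, so a failed `helm package` still reaches `cm-push -f` with an empty or partial name. Check the status of `helm package` before parsing its output, or build the archive path from the chart name and version instead of scraping the message. `$$PACKAGE_NAME` is also unquoted, and splitting on `:` breaks if `PACKAGE_DIR` contains a colon or a space. Two further points on the same lines: `cm-push -f` overwrites an already published chart of the same version in `local`, which deserves a comment saying it is intended, and the fixed `@sleep 3` together with the commented-out `repo index` line should either be explained or removed. The identical recipe in the preceding Makefile hunk has the same issues.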
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json deleted file mode 100644 index 34197b948e..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "topicName": "PNF_READY", - "topicDescription": "This topic will be used to publish the PNF_READY events generated by the PNF REgistration Handler service in the DCAE platform.", - "owner": "PNFRegistrationHandler", - "tnxEnabled": false, - "clients": [ - { - "dcaeLocationName": "san-francisco", - "clientRole": "org.onap.dmaap.mr.PNF_READY.pub", - "action": [ - "pub", - "view" - ] - - } - ] -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json deleted file mode 100644 index e7325794a1..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "topicName": "PNF_REGISTRATION", - "topicDescription": "the VES collector will be publishing pnfRegistration events in this topic", - "owner": "VEScollector", - "tnxEnabled": false, - "clients": [ - { - "dcaeLocationName": "san-francisco", - "clientRole": "org.onap.dmaap.mr.PNF_REGISTRATION.sub", - "action": [ - "sub", - "view" - ] - - } - ] -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/README b/kubernetes/dmaap/components/dmaap-bc/resources/topics/README deleted file mode 100644 index fbb88b97e6..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/README +++ /dev/null @@ -1,3 +0,0 @@ -# -# Intent of this directory is for it to contain a file for each topic that needs to be provisioned in MR. -# So, app teams can add files to this directory as needed without impacting each other's code. 
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json deleted file mode 100644 index fb2c54ed4b..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "topicName": "mirrormakeragent", - "topicDescription": "the topic used to provision the MM agent whitelist", - "replicationCase": "REPLICATION_NONE", - "owner": "dmaap", - "tnxEnabled": false, - "partitionCount": "1", - "clients": [ - { - "dcaeLocationName": "san-francisco", - "clientIdentity": "dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org", - "action": [ - "pub", - "sub", - "view" - ] - }, - { - "dcaeLocationName": "san-francisco", - "clientIdentity": "dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org", - "action": [ - "pub", - "sub", - "view" - ] - }, - { - "dcaeLocationName": "san-francisco", - "clientIdentity": "demo@people.osaaf.org", - "action": [ - "pub", - "sub", - "view" - ] - } - ] -} \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt deleted file mode 100644 index 050853cfa2..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}-prov) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml deleted file mode 100644 index b7c52df169..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-dmaap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dmaap/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-dcaelocations - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dcaeLocations/*.json").AsConfig . 
| indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dr-nodes - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_nodes/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-feeds - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/feeds/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-mr-clusters - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/mr_clusters/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-topics - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/topics/*.json").AsConfig . | indent 2 }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml deleted file mode 100644 index a0c315426c..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml +++ /dev/null 
@@ -1,137 +0,0 @@ -{{/* -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim}} -{{- if .Values.PG.enabled }} - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: {{ include "common.name" . }}-config-input - - mountPath: /config - name: {{ include "common.name" . }}-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | nindent 6 }} -{{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . 
}}-permission-fixer - securityContext: - runAsUser: 0 - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - command: ["chown","-Rf","1000:1001", "/opt/app/"] -# See AAF-425 for explanation of why this is needed. -# This artifact is provisioned in AAF for both pks12 and jks format and apparently -# the cadi library is not using the jks password on the jks keystore. -# So, this attempts to "fix" the credential property file until this is fixed properly. - - name: {{ include "common.name" . }}-cred-fixer - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - command: ["/bin/sh"] - args: [ "-c", "sed -i -e '/cadi_keystore_password=/d' -e '/cadi_keystore_password_jks/p' -e 's/cadi_keystore_password_jks/cadi_keystore_password/' -e 's/dmaap-bc.p12/dmaap-bc.jks/' /opt/app/osaaf/local/org.onap.dmaap-bc.cred.props" ] -{{- end }} - - name: {{ include "common.name" . }}-postgres-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.postgres.nameOverride }} - - --container-name - - message-router - - --container-name - - dmaap-dr-node - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- end }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 10 }} - {{ if eq .Values.liveness.enabled true -}} - livenessProbe: - httpGet: - port: {{ .Values.liveness.port }} - path: /webapi/topics - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - httpGet: - port: {{ .Values.readiness.port }} - path: /webapi/topics - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath - - name: {{ include "common.name" . }}-config - mountPath: /opt/app/config/conf/ - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.name" . }}-config-input - configMap: - name: {{ include "common.fullname" . }}-config - - name: {{ include "common.name" . }}-config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml deleted file mode 100644 index ab6f573a34..0000000000 
--- a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-dmaap-provisioning - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} -spec: - backoffLimit: 20 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dmaap-bc - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: dmaap-provisioning-job - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.clientImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DELAY - value: "0" - {{- if or (include "common.onServiceMesh" .) .Values.global.allow_http }} - - name: PROTO - value: "http" - - name: PORT - value: "8080" - {{ end }} - - name: REQUESTID - value: "{{.Chart.Name}}-dmaap-provisioning" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath -# NOTE: the basename of the subdirectory of mountPath is important - it matches the DBCL API URI - - name: {{ include "common.fullname" . }}-dbc-dmaap - mountPath: /opt/app/config/dmaap/ - - name: {{ include "common.fullname" . }}-dbc-dcaelocations - mountPath: /opt/app/config/dcaeLocations/ - - name: {{ include "common.fullname" . }}-dr-nodes - mountPath: /opt/app/config/dr_nodes/ - - name: {{ include "common.fullname" . }}-feeds - mountPath: /opt/app/config/feeds/ - - name: {{ include "common.fullname" . 
}}-mr-clusters - mountPath: /opt/app/config/mr_clusters/ - - name: {{ include "common.fullname" . }}-topics - mountPath: /opt/app/config/topics/ - resources: {{ include "common.resources" . | nindent 10 }} - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbc-dmaap - configMap: - name: {{ include "common.fullname" . }}-dbc-dmaap - - name: {{ include "common.fullname" . }}-dbc-dcaelocations - configMap: - name: {{ include "common.fullname" . }}-dbc-dcaelocations - - name: {{ include "common.fullname" . }}-dr-nodes - configMap: - name: {{ include "common.fullname" . }}-dr-nodes - - name: {{ include "common.fullname" . }}-feeds - configMap: - name: {{ include "common.fullname" . }}-feeds - - name: {{ include "common.fullname" . }}-mr-clusters - configMap: - name: {{ include "common.fullname" . }}-mr-clusters - - name: {{ include "common.fullname" . }}-topics - configMap: - name: {{ include "common.fullname" . }}-topics - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml deleted file mode 100644 index 7074e4de9a..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ - -# Modifications Copyright © 2019 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml deleted file mode 100644 index e658a712a0..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml deleted file mode 100644 index bc8325a6dd..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/values.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -secrets: - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-dmaap-bc-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dmaap-bc-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-dmaap-bc-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dmaap-bc-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################################################# -# Application configuration defaults. 
-################################################################# -pullPolicy: Always - -# application images -image: onap/dmaap/dmaap-bc:2.0.8 - - -# application configuration -dmaapMessageRouterService: message-router - -# change the following value to point to Windriver instance maintained -# by AAF team. -# e.g. -#aafURL: https://aaf-onap-test.osaaf.org:8095/proxy/ -aafURL: https://aaf-service:8100/ -aafLocateUrl: https://aaf-locate:8095 -topicMgrUser: dmaap-bc@dmaap-bc.onap.org -topicMgrPwd: demo123456! -adminUser: aaf_admin@people.osaaf.org -adminPwd: demo123456! - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-bc-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-bc - fqi: dmaap-bc@dmaap-bc.onap.org - publicFqdn: dmaap-bc.onap.org - cadiLatitude: 0.0 - cadiLongitude: 0.0 - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - -persistence: - aafCredsPath: /opt/app/osaaf/local/ - -# for Casablanca default deployment, leave this true to -# get a topic namespace that matches MR. 
When set to false, -# it will compose the topic namespace using the kubernetes namespace value -fixedTopicNamespace: true - -# for quicker deployments in dev, ability to disable using postgres -PG: - enabled: true - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - port: api - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - port: api - - -service: - type: NodePort - name: dmaap-bc - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - nodePort: 42 - - -# application configuration override for postgres -postgres: - nameOverride: dbc-pg - service: - name: dbc-postgres - name2: dbc-pg-primary - name3: dbc-pg-replica - container: - name: - primary: dbc-pg-primary - replica: dbc-pg-replica - config: - pgUserName: dmaap_admin - pgDatabase: dmaap - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName - persistence: - mountSubPath: dbc/data - mountInitPath: dbc - -ingress: - enabled: false - service: - - baseaddr: "dmaapbc" - name: "dmaap-bc" - port: 8443 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small - -securityContext: - user_id: 1000 - group_id: 101 - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dmaap-bc - roles: - - read - -wait_for_job_container: - containers: - - 'dmaap-provisioning-job' - diff --git a/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml b/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml index 59ea16b804..13e4ed7ca2 100644 
--- a/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP DMaaP Data Router Node Server name: dmaap-dr-node -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~11.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 6292be2d9d..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -# dmaap-dr-node filebeat.yml -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml index 8b8c16c287..7d773830cd 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml +++ b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml @@ -211,7 +211,7 @@ - + diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties index 20030a79c8..21d7c20abd 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties +++ b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties 
@@ -28,23 +28,23 @@ # #ProvisioningURL: ${DRTR_PROV_INTURL} */}} -ProvisioningURL=https://{{ .Values.global.dmaapDrProvName }}:{{ .Values.global.dmaapDrProvExtPort2 }}/internal/prov +ProvisioningURL=http://{{ .Values.global.dmaapDrProvName }}:8080/internal/prov # # URL to upload PUB/DEL/EXP logs # #LogUploadURL: ${DRTR_LOG_URL} -LogUploadURL=https://{{ .Values.global.dmaapDrProvName }}:{{ .Values.global.dmaapDrProvExtPort2 }}/internal/logs +LogUploadURL=http://{{ .Values.global.dmaapDrProvName }}:8080/internal/logs # # The port number for http as seen within the server # #IntHttpPort: ${DRTR_NODE_INTHTTPPORT:-8080} -IntHttpPort={{ include "common.getPort" (dict "global" . "name" "api" "getPlain" true) }} +IntHttpPort={{ .Values.containerPort }} # # The port number for https as seen within the server # -IntHttpsPort={{ include "common.getPort" (dict "global" . "name" "api") }} +IntHttpsPort={{ .Values.containerPort }} # # The external port number for https taking port mapping into account # @@ -90,6 +90,9 @@ NodeAuthKey = Node123! # DR_NODE DEFAULT ENABLED TLS PROTOCOLS NodeHttpsProtocols = TLSv1.1|TLSv1.2 # +# AAF CADI enabled flag +CadiEnabled = false +# # AAF type to generate permission string AAFType = org.onap.dmaap-dr.feed # @@ -99,8 +102,8 @@ AAFInstance = legacy # AAF action to generate permission string - default should be publish AAFAction = publish # -# AAF CADI enabled flag -CadiEnabled = false -# # AAF Props file path -AAFPropsFilePath = {{ .Values.certInitializer.credsPath }}/org.onap.dmaap-dr.props +AAFPropsFilePath = /opt/app/osaaf/local/org.onap.dmaap-dr.props +# +# https security required for publish request +TlsEnabled = false \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt deleted file mode 100644 index 62aeffbe80..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{.Values.config.dmaapDrNode.externalPort}} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ include "common.getPort" (dict "global" . "name" "api" "getPlain" true) }} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml index 597da1734c..ce64cabc92 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml @@ -17,15 +17,10 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-configmap + name: {{ include "common.fullname" . }}-node-props namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/node.properties").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap @@ -34,18 +29,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drnodes - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_nodes/*.json").AsConfig . | indent 2 }} ---- -{{ include "common.log.configMap" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml index 8f87c68f1e..f288af9b29 100644 
--- a/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml @@ -1 +1,21 @@ +{{/* + # ============LICENSE_START=================================================== + # Copyright (C) 2022 Nordix Foundation, Orange. + # ============================================================================ + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # ============LICENSE_END===================================================== +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml deleted file mode 100644 index 9a3f011e80..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml index 69f6fc1d6e..2795a2b5e5 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml 
@@ -24,35 +24,18 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim}} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 8 }} - - name: {{ include "common.name" . }}-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dmaap-dr-prov - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 8 }} - name: {{ include "common.name" . }}-permission-fixer securityContext: runAsUser: 0 image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: {{ .Values.persistence.spool.path }} - name: {{ include "common.fullname" . }}-spool - - mountPath: {{ .Values.persistence.event.path }} - name: {{ include "common.fullname" . }}-event-logs command: ["chown","-Rf","1000:1001", "/opt/app/"] + volumeMounts: + - name: {{ include "common.fullname" . }}-spool + mountPath: {{ .Values.persistence.spool.path }} + - name: {{ include "common.fullname" . }}-event-logs + mountPath: {{ .Values.persistence.event.path }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
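Review bot: the `permission-fixer` init container kept in this hunk still runs with `runAsUser: 0` and chowns `/opt/app/` to `1000:1001`, while values.yaml in this same patch keeps `securityContext` at `user_id: 1000` / `group_id: 1000`, and after this change the only volumes mounted into it are the spool and event-logs paths. Suggest pointing the chown at `{{ .Values.persistence.spool.path }}` and `{{ .Values.persistence.event.path }}` with the same uid/gid the chart declares, or dropping the root init container altogether if `common.podSecurityContext` already applies an fsGroup to those volumes (that helper's output is not visible here, so this needs checking).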
@@ -70,22 +53,17 @@ spec: port: {{.Values.readiness.port}} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: {{ .Values.persistence.spool.path }} - name: {{ include "common.fullname" . }}-spool - - mountPath: {{ .Values.persistence.event.path }} - name: {{ include "common.fullname" . }}-event-logs - - mountPath: /etc/localtime - name: localtime - readOnly: false - - mountPath: /opt/app/datartr/etc/node.properties - name: {{ include "common.fullname" . }}-config - subPath: node.properties - - mountPath: /opt/app/datartr/etc/logback.xml - name: {{ include "common.fullname" . }}-log-conf - subPath: logback.xml - - mountPath: {{ .Values.global.loggingDirectory }} - name: logs + volumeMounts: + - mountPath: {{ .Values.persistence.spool.path }} + name: {{ include "common.fullname" . }}-spool + - mountPath: {{ .Values.persistence.event.path }} + name: {{ include "common.fullname" . }}-event-logs + - mountPath: /opt/app/datartr/etc/node.properties + name: {{ include "common.fullname" . }}-config + subPath: node.properties + - mountPath: /opt/app/datartr/etc/logback.xml + name: {{ include "common.fullname" . }}-log-conf + subPath: logback.xml resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} 
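Review bot: the `node.properties` subPath mount in this hunk is still backed by a ConfigMap (renamed to `-node-props` elsewhere in the patch), and the node.properties hunk header in this patch shows that file carrying `NodeAuthKey = Node123!`, so the node auth key ships as plain ConfigMap data readable by anyone with `get configmap` in the namespace. Suggest sourcing the key from a Secret and leaving only non-sensitive settings in the ConfigMap. Separately, a `subPath` mount does not pick up ConfigMap updates until the pod restarts, which is worth a comment next to the mount.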
@@ -93,27 +71,18 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - # Filebeat sidecar container - {{ include "common.log.sidecar" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: {{ include "common.fullname" . }}-config configMap: - name: {{ include "common.fullname" . }}-configmap + name: {{ include "common.fullname" . }}-node-props items: - key: node.properties path: node.properties - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{ include "common.log.volumes" . | nindent 8 }} - - name: logs - emptyDir: {} {{- if not .Values.persistence.enabled }} - name: {{ include "common.fullname" . }}-event-logs emptyDir: {} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml index d1d2c54833..e3f0595b1f 100644 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml 
@@ -16,42 +16,16 @@ # Global configuration defaults. ################################################################# global: - loggingDirectory: /var/log/onap/datarouter persistence: {} - aafEnabled: true - centralizedLoggingEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-dr-node-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-dr-node - fqi: dmaap-dr-node@dmaap-dr.onap.org - public_fqdn: dmaap-dr.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop + dmaapDrProvName: dmaap-dr-prov ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-node:2.1.10 +image: onap/dmaap/datarouter-node:2.1.15 pullPolicy: Always -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration - see parent values chart - # default number of instances replicaCount: 1 
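Review bot: dropping `aafEnabled: true` and the whole `certInitializer` block here leaves no value that can turn transport security back on, and the node.properties hunks in this patch hard-code `ProvisioningURL=http://...:8080/internal/prov`, `LogUploadURL=http://...:8080/internal/logs` and `TlsEnabled = false`, so node-to-prov provisioning and log-upload traffic is plaintext unless something outside this chart (for example a service mesh) encrypts it. Suggest stating that dependency in a comment in this `global` section, and exposing the prov scheme and port as values next to the new `dmaapDrProvName` instead of fixing them in the template.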
@@ -59,6 +33,29 @@ nodeSelector: {} affinity: {} +# application configuration - see parent values chart +# dr uses the EELF Logging framework https://github.com/att/EELF +# and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF +logLevel: "DEBUG" + +containerPort: &svc_port 8080 + +service: + type: ClusterIP + name: dmaap-dr-node + ports: + - name: http + port: *svc_port + +ingress: + enabled: false + service: + - baseaddr: "dmaap-dr-node-api" + name: "dmaap-dr-node" + port: *svc_port + config: + ssl: "redirect" + # probe configuration parameters liveness: initialDelaySeconds: 30 @@ -66,14 +63,14 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - port: api + port: *svc_port readiness: initialDelaySeconds: 30 periodSeconds: 10 - port: api + port: *svc_port -## Persist data to a persitent volume +## Persist data to a persistent volume persistence: enabled: true mountPath: /dockerdata-nfs 
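Review bot: in the `@@ -59,6 +33,29 @@` hunk on the line above, the new top-level `logLevel: "DEBUG"` replaces the `config.dmaapDrNode.logLevel: "INFO"` default that this patch removes further down, so every deployment that does not override it now logs at DEBUG. Suggest keeping `INFO` as the chart default and leaving DEBUG to an override file, since the accompanying comment lists it only as one of the supported levels and gives no reason for the change.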
@@ -97,72 +94,38 @@ persistence: labels: app.kubernetes.io/component: event-logs -################################################################# -# Secrets metaconfig -################################################################# -secrets: {} - -ingress: - enabled: false - service: - - baseaddr: "dmaapdrnode" - name: "dmaap-dr-node" - port: 8443 - config: - ssl: "redirect" - # Resource Limit flavor -By Default using small flavor: small -securityContext: - user_id: 1000 - group_id: 1000 - # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} -service: - type: NodePort - name: dmaap-dr-node - useNodePortExt: true - both_tls_and_plain: true - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - nodePort: 94 - -config: - # dr node server configuration - dmaapDrNode: - # dr uses the EELF Logging framework https://github.com/att/EELF - # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF - logLevel: "INFO" - #Pods Service Account serviceAccount: nameOverride: dmaap-dr-node roles: - read -#Log configuration -log: - path: /var/log/onap +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - dmaap-dr-prov diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml index 72e75c47d6..fb3ff1236d 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml 
@@ -16,25 +16,25 @@ apiVersion: v2 description: ONAP DMaaP Data Router Provisioning Server name: dmaap-dr-prov -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: mariadb-init - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index c8a173c531..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -# dmaap-dr-prov filebeat.yml -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - /opt/app/datartr/logs/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml index 73446ee3ec..9a3c383f8f 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml @@ -369,15 +369,17 @@ + + + + - - - - + - \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties index 18ab41982a..a56de3cd3b 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties +++ b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties 
@@ -25,35 +25,20 @@ #Jetty Server properties -org.onap.dmaap.datarouter.provserver.http.port = {{.Values.config.dmaapDrProv.internalPort}} -org.onap.dmaap.datarouter.provserver.https.port = {{.Values.config.dmaapDrProv.internalPort2}} +org.onap.dmaap.datarouter.provserver.http.port = {{ .Values.containerPort }} org.onap.dmaap.datarouter.provserver.https.relaxation = true -org.onap.dmaap.datarouter.provserver.aafprops.path = /opt/app/osaaf/local/org.onap.dmaap-dr.props +org.onap.dmaap.datarouter.provserver.tlsenabled = false +org.onap.dmaap.datarouter.nodeserver.http.port = 8080 org.onap.dmaap.datarouter.provserver.accesslog.dir = /opt/app/datartr/logs org.onap.dmaap.datarouter.provserver.spooldir = /opt/app/datartr/spool org.onap.dmaap.datarouter.provserver.dbscripts = /opt/app/datartr/etc/misc org.onap.dmaap.datarouter.provserver.logretention = 30 -#DMAAP-597 (Tech Dept) REST request source IP auth -# relaxation to accommodate OOM kubernetes deploy -org.onap.dmaap.datarouter.provserver.isaddressauthenabled = false - # Database access org.onap.dmaap.datarouter.db.driver = org.mariadb.jdbc.Driver org.onap.dmaap.datarouter.db.url = jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{index .Values "mariadb-galera" "db" "name"}} org.onap.dmaap.datarouter.db.login = ${DB_USERNAME} org.onap.dmaap.datarouter.db.password = ${DB_PASSWORD} -# PROV - DEFAULT ENABLED TLS PROTOCOLS -org.onap.dmaap.datarouter.provserver.https.include.protocols = TLSv1.1|TLSv1.2 - -# AAF config -org.onap.dmaap.datarouter.provserver.cadi.enabled = false - -org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed -org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub -org.onap.dmaap.datarouter.provserver.aaf.instance = legacy -org.onap.dmaap.datarouter.provserver.aaf.action.publish = publish -org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe 
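Review bot: `org.onap.dmaap.datarouter.provserver.tlsenabled = false` is added while the `https.port` and `https.include.protocols` lines are removed, yet `org.onap.dmaap.datarouter.provserver.https.relaxation = true` is kept and nothing in the file says what now protects the provisioning API in transit. Suggest a comment naming the component expected to provide transport security, and dropping `https.relaxation` if it no longer has an effect. Two further points in this hunk: `org.onap.dmaap.datarouter.nodeserver.http.port = 8080` is a literal that has to match `containerPort` in the dmaap-dr-node chart, so consider making it a value; and removing `isaddressauthenabled = false` leaves the setting at whatever the application default is, which is worth confirming in the commit message.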
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt deleted file mode 100644 index 8d29cf9e66..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.config.dmaapDrProv.servicetype }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.config.dmaapDrProv.servicetype }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{.Values.config.dmaapDrProv.externalPort}} -{{- else if contains "ClusterIP" .Values.config.dmaapDrProv.servicetype }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{.Values.config.dmaapDrProv.internalPort}} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml index 9031cce423..1cd524423e 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml @@ -36,42 +36,3 @@ data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} --- {{ include "common.log.configMap" . }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-feeds - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/feeds/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drpubs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_pubs/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drsubs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_subs/*.json").AsConfig . | indent 2 }} 
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml index 325ca9f2a7..197638e654 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml 
@@ -15,95 +15,46 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim}} - hostname: {{ .Values.global.dmaapDrProvName }} - initContainers: - - name: {{ include "common.name" . }}-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-dmaap-dr-mariadb-init-config-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- if .Values.global.aafEnabled }} - - {{ include "common.certInitializer.initContainer" . | nindent 8 }} - - - name: {{ include "common.name" . }}-permission-fixer - securityContext: - runAsUser: 0 - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - command: ["chown","-Rf","1000:1001", "/opt/app/"] - - {{ end }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.config.dmaapDrProv.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: - tcpSocket: - port: {{ .Values.config.dmaapDrProv.internalPort }} + httpGet: + port: {{ .Values.liveness.port }} + path: /internal/prov initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: - tcpSocket: - port: {{ .Values.config.dmaapDrProv.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} + httpGet: + port: {{ .Values.liveness.port }} + path: /internal/prov + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} env: - name: DB_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-dr-db-user-credentials" "key" "login") | indent 12 }} - name: DB_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-dr-db-user-credentials" "key" "password") | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: false - - mountPath: /opt/app/datartr/etc/provserver.properties - name: {{ include "common.fullname" . }}-config - subPath: provserver.properties - - mountPath: /opt/app/datartr/etc/logback.xml - name: {{ include "common.fullname" . }}-log-conf - subPath: logback.xml - - mountPath: {{ .Values.global.loggingDirectory }} - name: logs - resources: -{{ include "common.resources" . }} + volumeMounts: + - mountPath: /opt/app/datartr/etc/provserver.properties + name: {{ include "common.fullname" . 
}}-config + subPath: provserver.properties + - mountPath: /opt/app/datartr/etc/logback.xml + name: {{ include "common.fullname" . }}-log-conf + subPath: logback.xml + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -112,13 +63,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - # Filebeat sidecar container - {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -128,8 +74,4 @@ spec: - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - {{ include "common.log.volumes" . | nindent 6 }} - - name: logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml index 8f87c68f1e..f288af9b29 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml 
@@ -1 +1,21 @@ +{{/* + # ============LICENSE_START=================================================== + # Copyright (C) 2022 Nordix Foundation, Orange. + # ============================================================================ + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # ============LICENSE_END===================================================== +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml index 1a0143f9ae..306b0f17eb 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml 
@@ -14,51 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ default "dmaap-dr-prov" .Values.global.dmaapDrProvName }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" - msb.onap.org/service-info: '[ - { - "serviceName": "{{ .Values.global.dmaapDrProvName }}", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.global.dmaapDrProvExtPort2 }}", - "visualRange":"1" - } - ]' - -spec: - type: {{ .Values.config.dmaapDrProv.servicetype }} - ports: - {{- if eq .Values.config.dmaapDrProv.servicetype "NodePort" -}} - {{- if .Values.global.allow_http }} - - port: {{ .Values.global.dmaapDrProvExtPort }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.config.dmaapDrProv.nodePort }} - name: {{ .Values.config.dmaapDrProv.portName }} - {{- end}} - - port: {{ .Values.global.dmaapDrProvExtPort2 }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.config.dmaapDrProv.nodePort2 }} - name: {{ .Values.config.dmaapDrProv.portName }}2 - {{- else -}} - - port: {{ .Values.global.dmaapDrProvExtPort }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort }} - name: {{ .Values.config.dmaapDrProv.portName }} - - port: {{ .Values.global.dmaapDrProvExtPort2 }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort2 }} - name: {{ .Values.config.dmaapDrProv.portName }}2 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} 
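Review bot: In templates/deployment.yaml (hunk @@ -15,95 +15,46 @@), the new `readinessProbe` reads `.Values.liveness.port`, `.Values.liveness.initialDelaySeconds` and `.Values.liveness.periodSeconds`, where the removed lines took the delay and period from `.Values.readiness`. The `readiness:` block in values.yaml, including its new `port: *svc_port`, is therefore never read, and tuning readiness timing has no effect. Suggest switching the three references to `.Values.readiness.port`, `.Values.readiness.initialDelaySeconds` and `.Values.readiness.periodSeconds`. The same hunk drops `replicas: {{ .Values.replicaCount }}` with no replacement visible, while `replicaCount: 1` remains in values.yaml; confirm that is intended.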
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml index 12eb1fb041..c13ba57c83 100644 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml @@ -16,11 +16,9 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - loggingDirectory: /opt/app/datartr/logs - persistence: {} - centralizedLoggingEnabled: true mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows DMAAP-DR to instantiate its own mariadb-galera cluster localCluster: false service: mariadb-galera @@ -42,14 +40,9 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/datarouter-prov:2.1.10 +image: onap/dmaap/datarouter-prov:2.1.15 pullPolicy: Always -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration - see parent values chart - # default number of instances replicaCount: 1 
@@ -57,52 +50,54 @@ nodeSelector: {} affinity: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true +containerPort: &svc_port 8080 -readiness: - initialDelaySeconds: 30 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountPath: /dockerdata-nfs +service: + type: ClusterIP + name: dmaap-dr-prov + ports: + - name: &port http + port: *svc_port ingress: enabled: false service: - - baseaddr: "dmaapdrprov" + - baseaddr: "dmaap-dr-prov-api" name: "dmaap-dr-prov" - port: 8443 + port: *svc_port config: ssl: "redirect" -config: - # dr provisioning server configuration - dmaapDrProv: - servicetype: NodePort - internalPort: 8080 - internalPort2: 8443 - portName: dr-prov-port - portName2: dr-prov-port2 - nodePort: 59 - nodePort2: 69 - # dr uses the EELF Logging framework https://github.com/att/EELF - # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF - logLevel: "INFO" +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-dmaap-dr-mariadb-init-config-job' + +# dr uses the EELF Logging framework https://github.com/att/EELF +# and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF +logLevel: "DEBUG" + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: *svc_port + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: *svc_port # mariadb-galera configuration mariadb-galera: nameOverride: &dbServer dmaap-dr-db replicaCount: 1 + mariadbOperator: + galera: + enabled: false db: name: &mysqlDbName datarouter user: datarouter 
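Review bot: `readinessCheck.wait_for.jobs` holds a template expression, `'{{ include "common.release" . }}-dmaap-dr-mariadb-init-config-job'`, but values.yaml is not rendered by Helm, so the job name only resolves if `common.readinessCheck.waitFor` passes each entry through `tpl`; please confirm, otherwise the init container waits on a literal string. Also in this hunk: `- name: &port http` defines an anchor `&port` that nothing here references, and `logLevel: "DEBUG"` replaces the previous `logLevel: "INFO"` as the default, which is better left as an override.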
@@ -122,55 +117,37 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: dmaap-dr-mariadb-init - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-dr-prov-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! -# aafDeployCredsExternalSecret: some secret - fqdn: dmaap-dr-prov - fqi: dmaap-dr-prov@dmaap-dr.onap.org - publicFqdn: dmaap-dr.onap.org - cadiLatitude: 0.0 - cadiLongitude: 0.0 - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - + serviceAccount: + nameOverride: dmaap-dr-mariadb-init # Resource Limit flavor -By Default using small flavor: small -securityContext: - user_id: 1000 - group_id: 1000 - # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +#Pods Security Context +securityContext: + user_id: 1000 + group_id: 1000 + #Pods Service Account serviceAccount: nameOverride: dmaap-dr-prov roles: - read - -#Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/dmaap/components/dmaap-strimzi/Chart.yaml b/kubernetes/dmaap/components/dmaap-strimzi/Chart.yaml deleted file mode 100644 index d62aebeb4b..0000000000 --- a/kubernetes/dmaap/components/dmaap-strimzi/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Dmaap Strimzi Kafka Bridge -name: dmaap-strimzi -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-strimzi/Makefile b/kubernetes/dmaap/components/dmaap-strimzi/Makefile deleted file mode 100644 index 51d7de122c..0000000000 --- a/kubernetes/dmaap/components/dmaap-strimzi/Makefile +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/dmaap/components/dmaap-strimzi/templates/dmaap-strimzi-kb.yaml b/kubernetes/dmaap/components/dmaap-strimzi/templates/dmaap-strimzi-kb.yaml deleted file mode 100644 index 8dd7eb97cb..0000000000 --- a/kubernetes/dmaap/components/dmaap-strimzi/templates/dmaap-strimzi-kb.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaBridge -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.kafkaBridgeReplicaCount }} - enableMetrics: false - bootstrapServers: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}:{{ .Values.global.kafkaInternalPort }} - authentication: - type: {{ .Values.global.saslMechanism }} - username: {{ .Values.global.kafkaStrimziAdminUser }} - passwordSecret: - secretName: {{ .Values.global.kafkaStrimziAdminUser }} - password: password - http: - port: {{ .Values.kafkaBridgePort }} diff --git a/kubernetes/dmaap/components/dmaap-strimzi/values.yaml b/kubernetes/dmaap/components/dmaap-strimzi/values.yaml deleted file mode 100644 index 8e8802d8c5..0000000000 --- a/kubernetes/dmaap/components/dmaap-strimzi/values.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - kafkaBootstrap: strimzi-kafka-bootstrap - kafkaStrimziAdminUser: strimzi-kafka-admin - kafkaInternalPort: 9092 - saslMechanism: scram-sha-512 - -################################################################# -# Application configuration defaults. -################################################################# -kafkaBridgeReplicaCount: 1 -kafkaBridgePort: 8080 - -ingress: - enabled: false - -#Pods Service Account -serviceAccount: - nameOverride: dmaap-strimzi - roles: - - read diff --git a/kubernetes/dmaap/components/message-router/Chart.yaml b/kubernetes/dmaap/components/message-router/Chart.yaml index 74700ff1d5..adc0599e94 100644 --- a/kubernetes/dmaap/components/message-router/Chart.yaml +++ b/kubernetes/dmaap/components/message-router/Chart.yaml 
@@ -18,21 +18,18 @@ apiVersion: v2 description: ONAP Message Router name: message-router -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/message-router/Makefile b/kubernetes/dmaap/components/message-router/Makefile index 51d7de122c..ef273d0e9b 100644 --- a/kubernetes/dmaap/components/message-router/Makefile +++ b/kubernetes/dmaap/components/message-router/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties index d2ee8356d7..2dea84d289 100755 
--- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties +++ b/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties @@ -28,9 +28,9 @@ ## Items below are passed through to Kafka's producer and consumer ## configurations (after removing "kafka.") ## if you want to change request.required.acks it can take this one value -kafka.metadata.broker.list={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }}:{{ .Values.global.kafkaInternalPort }} -config.zk.servers=127.0.0.1:{{ .Values.global.zkTunnelService.internalPort }} #kafka.request.required.acks=-1 +kafka.metadata.broker.list={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +config.zk.servers=127.0.0.1:{{ .Values.zkTunnelService.internalPort }} consumer.timeout.ms=100 zookeeper.connection.timeout.ms=6000 zookeeper.session.timeout.ms=20000 @@ -124,25 +124,10 @@ default.replicas=3 #100mb maxcontentlength=10000 - ############################################################################## -#AAF Properties -msgRtr.namespace.aaf=org.onap.dmaap.mr.topic -msgRtr.topicfactory.aaf=org.onap.dmaap.mr.topicFactory|:org.onap.dmaap.mr.topic: -enforced.topic.name.AAF=org.onap.dmaap.mr +##AAF Properties forceAAF=false -transidUEBtopicreqd=false -defaultNSforUEB=org.onap.dmaap.mr -############################################################################## -#Mirror Maker Agent - -msgRtr.mirrormakeradmin.aaf=org.onap.dmaap.mr.mirrormaker|*|admin -msgRtr.mirrormakeruser.aaf=org.onap.dmaap.mr.mirrormaker|*|user -msgRtr.mirrormakeruser.aaf.create=org.onap.dmaap.mr.topicFactory|:org.onap.dmaap.mr.topic: -msgRtr.mirrormaker.timeout=15000 -msgRtr.mirrormaker.topic=org.onap.dmaap.mr.mirrormakeragent -msgRtr.mirrormaker.consumergroup=mmagentserver -msgRtr.mirrormaker.consumerid=1 +useCustomAcls=false kafka.max.poll.interval.ms=300000 kafka.heartbeat.interval.ms=60000 
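Review bot: `useCustomAcls=false` is added beside `forceAAF=false` under the `##AAF Properties` heading without any comment, in the same hunk that deletes every `msgRtr.*.aaf` permission entry and `enforced.topic.name.AAF`. Please add a comment stating what `useCustomAcls` controls and what is expected to authorize topic access when both flags are false, so the intended access model is readable from this file. In the first hunk of this file, `kafka.metadata.broker.list` now carries the literals `strimzi-kafka-bootstrap:9092` where it used `.Values.global.kafkaBootstrap` and `.Values.global.kafkaInternalPort`; keeping those as values would allow a non-default bootstrap service or port without editing the properties template.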
diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml b/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml deleted file mode 100644 index 3ee9fc5fe6..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml +++ /dev/null @@ -1,4 +0,0 @@ -jmxUrl: service:jmx:rmi:///jndi/rmi://localhost:{{ .Values.prometheus.jmx.targetPort }}/jmxrmi -lowercaseOutputName: true -lowercaseOutputLabelNames: true -ssl: false \ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties deleted file mode 100644 index cd88565ed0..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties +++ /dev/null 
@@ -1,165 +0,0 @@ -############################################################################### -# ============LICENSE_START======================================================= -# org.onap.dmaap -# ================================================================================ -# Copyright (c) 2017-201 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2021 Orange Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -# -############################################################################### -#This file is used for defining AJSC system properties for different configuration schemes and is necessary for the AJSC to run properly. -#The sys-props.properties file is used for running locally. The template.sys-props.properties file will be used when deployed -#to a SOA/CSI Cloud node. For more information, - -#AJSC System Properties. The following properties are required for ALL AJSC services. If you are adding System Properties for your -#particular service, please add them AFTER all AJSC related System Properties. 
- -#For Cadi Authorization, use value="authentication-scheme-1 -CadiAuthN=authentication-scheme-1 - -#For Basic Authorization, use value="authentication-scheme-1 -authN=authentication-scheme-2 - -#Persistence used for AJSC meta-data storage. For most environments, "file" should be used. -ajscPersistence=file - -# If using hawtio for local development, these properties will allow for faster server startup and usage for local development -hawtio.authenticationEnabled=false -hawtio.config.pullOnStartup=false - -#Removes the extraneous restlet console output -org.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade - -#server.host property to be enabled for local DME2 related testing -#server.host= - -#Enable/disable SSL (values=true/false). This property also determines which protocol to use (https if true, http otherwise), to register services into GRM through DME2. -enableSSL=false - -#Enable/disable csi logging (values=true/false). This can be disabled during local development -csiEnable=false - -#Enable/disable CAET This can be disabled during local development -isCAETEnable=true - -#Enable/disable EJB Container -ENABLE_EJB=false - -#Enable/disable OSGI -isOSGIEnable=false - -#Configure JMS Queue (WMQ/TIBCO) -JMS_BROKER=WMQ - -#Generate/Skip api docs -isApiDoc=false - - -#WMQ connectivity -JMS_WMQ_PROVIDER_URL=aftdsc://AFTUAT/34.07/-84.28 -JMS_WMQ_CONNECTION_FACTORY_NAME=aftdsc://AFTUAT/?service=CSILOG,version=1.0,bindingType=fusionBus,envContext=Q,Q30A=YES -JMS_WMQ_INITIAL_CONNECTION_FACTORY_NAME=com.att.aft.jms.FusionCtxFactory -JMS_WMQ_AUDIT_DESTINATION_NAME=queue:///CSILOGQL.M2E.DASHBOARD01.NOT.Q30A -JMS_WMQ_PERF_DESTINATION_NAME=queue:///CSILOGQL.M2E.PERFORMANCE01.NOT.Q30A - -#CSI related variables for CSM framework -csm.hostname=d1a-m2e-q112m2e1.edc.cingular.net - -#Enable/disable endpoint level logging (values=true/false). 
This can be disabled during local development -endpointLogging=false - -#Enable/disable trail logging and trail logging summary -enableTrailLogging=false -enableTrailLoggingSummary=false - -#SOA_CLOUD_ENV is used to register your service with dme2 and can be turned off for local development (values=true/false). -SOA_CLOUD_ENV=false - -#CONTINUE_ON_LISTENER_EXCEPTION will exit the application if there is a DME2 exception at the time of registration. -CONTINUE_ON_LISTENER_EXCEPTION=false - -#Jetty Container ThreadCount Configuration Variables -AJSC_JETTY_ThreadCount_MIN=1 -AJSC_JETTY_ThreadCount_MAX=200 -AJSC_JETTY_IDLETIME_MAX=3000 - -#Camel Context level default threadPool Profile configuration -CAMEL_POOL_SIZE=10 -CAMEL_MAX_POOL_SIZE=20 -CAMEL_KEEP_ALIVE_TIME=60 -CAMEL_MAX_QUEUE_SIZE=1000 - -#File Monitor configurations -ssf_filemonitor_polling_interval=5 -ssf_filemonitor_threadpool_size=10 - -#GRM/DME2 System Properties -AFT_DME2_CONN_IDLE_TIMEOUTMS=5000 -AJSC_ENV=SOACLOUD - -SOACLOUD_NAMESPACE=org.onap.dmaap.dev -SOACLOUD_ENV_CONTEXT=TEST -SOACLOUD_PROTOCOL=http -SOACLOUD_ROUTE_OFFER=DEFAULT - -AFT_LATITUDE=23.4 -AFT_LONGITUDE=33.6 -AFT_ENVIRONMENT=AFTUAT - -#Restlet Component Default Properties -RESTLET_COMPONENT_CONTROLLER_DAEMON=true -RESTLET_COMPONENT_CONTROLLER_SLEEP_TIME_MS=100 -RESTLET_COMPONENT_INBOUND_BUFFER_SIZE=8192 -RESTLET_COMPONENT_MIN_THREADS=1 -RESTLET_COMPONENT_MAX_THREADS=10 -RESTLET_COMPONENT_LOW_THREADS=8 -RESTLET_COMPONENT_MAX_QUEUED=0 -RESTLET_COMPONENT_MAX_CONNECTIONS_PER_HOST=-1 -RESTLET_COMPONENT_MAX_TOTAL_CONNECTIONS=-1 -RESTLET_COMPONENT_OUTBOUND_BUFFER_SIZE=8192 -RESTLET_COMPONENT_PERSISTING_CONNECTIONS=true -RESTLET_COMPONENT_PIPELINING_CONNECTIONS=false -RESTLET_COMPONENT_THREAD_MAX_IDLE_TIME_MS=60000 -RESTLET_COMPONENT_USE_FORWARDED_HEADER=false -RESTLET_COMPONENT_REUSE_ADDRESS=true - -#Externalized jar and properties file location. 
In CSI environments, there are a few libs that have been externalized to aid -#in CSTEM maintenance of the versions of these libs. The most important to the AJSC is the DME2 lib. Not only is this lib necessary -#for proper registration of your AJSC service on a node, but it is also necessary for running locally as well. Another framework -#used in CSI envs is the CSM framework. These 2 framework libs are shown as "provided" dependencies within the pom.xml. These -#dependencies will be copied into the target/commonLibs folder with the normal "mvn clean package" goal of the AJSC. They will -#then be added to the classpath via AJSC_EXTERNAL_LIB_FOLDERS system property. Any files (mainly property files) that need -#to be on the classpath should be added to the AJSC_EXTERNAL_PROPERTIES_FOLDERS system property. The default scenario when -#testing your AJSC service locally will utilize the target/commonLibs directory for DME2 and CSM related artifacts and 2 -#default csm properties files will be used for local testing with anything CSM knorelated. -#NOTE: we are using maven-replacer-plugin to replace "(doubleUnderscore)basedir(doubleUnderscore)" with ${basedir} within the -#target directory for running locally. Multiple folder locations can be separated by the pipe ("|") character. -#Please, NOTE: for running locally, we are setting this system property in the antBuild/build.xml "runLocal" target and in the -#"runAjsc" profile within the pom.xml. This is to most effectively use maven variables (${basedir}, most specifically. Therefore, -#when running locally, the following 2 properties should be set within the profile(s) themselves. -#Example: target/commonLibs|target/otherLibs -#AJSC_EXTERNAL_LIB_FOLDERS=__basedir__/target/commonLibs -#AJSC_EXTERNAL_PROPERTIES_FOLDERS=__basedir__/ajsc-shared-config/etc -#End of AJSC System Properties - -#Service System Properties. Please, place any Service related System Properties below. 
- -#msgrtr content length and error message -#100mb -maxcontentlength=10000 -msg_size_exceeds=Message size exceeds the default size. -forceAAF=false -cadi_prop_files={{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.properties \ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml deleted file mode 100644 index 49196e441b..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml +++ /dev/null @@ -1,138 +0,0 @@ - - - - - - - - - true - - - /etc/runner-web.xml - /etc/ajsc-override-web.xml - true - /extJars/json-20131018.jar - - - false - - - - - - - - - - - - - - - - - - - - - - - - - - /extApps - 10 - true - - - - - - - - - - - - - - - - - - - - - - - {{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.jks - ${KEYSTORE_PASSWORD} - ${KEYSTORE_PASSWORD} - true - - - - - - - - - - - - http/1.1 - - - - - - - - - - - - - - - - - - - - - - 30000 - - - - - - - - - - false - - - diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties b/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties deleted file mode 100644 index 596a316d77..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties +++ /dev/null 
@@ -1,19 +0,0 @@ -aaf_locate_url=https://aaf-locate.onap:8095 -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 -aaf_env=DEV -aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm - -cadi_truststore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -cadi_truststore_password=${TRUSTSTORE_PASSWORD} - -cadi_keyfile={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.keyfile - -cadi_alias={{ .Values.certInitializer.fqi }} -cadi_keystore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD_P12} -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US - -cadi_loglevel=INFO -cadi_protocols=TLSv1.1,TLSv1.2 -cadi_latitude=37.78187 -cadi_longitude=-122.26147 diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml deleted file mode 100644 index 116c52499f..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml +++ /dev/null 
@@ -1,108 +0,0 @@ - - - - - - contextConfigLocation - /WEB-INF/spring-servlet.xml, - classpath:applicationContext.xml - - - - - spring.profiles.default - nooauth - - - - org.springframework.web.context.ContextLoaderListener - - - - ManagementServlet - ajsc.ManagementServlet - - - - WriteableRequestFilter - com.att.ajsc.csi.writeablerequestfilter.WriteableRequestFilter - - - - InterceptorFilter - ajsc.filters.InterceptorFilter - - preProcessor_interceptor_config_file - /etc/PreProcessorInterceptors.properties - - - postProcessor_interceptor_config_file - /etc/PostProcessorInterceptors.properties - - - - - - - DMaaPAuthFilter - DMaaPAuthFilter - org.onap.dmaap.util.DMaaPAuthFilter - - cadi_prop_files - {{.Values.certInitializer.appMountPath}}/local/cadi.properties - - - - - - RestletServlet - ajsc.restlet.RestletSpringServlet - - org.restlet.component - restletComponent - - - - - CamelServlet - ajsc.servlet.AjscCamelServlet - - - - - springSecurityFilterChain - org.springframework.web.filter.DelegatingFilterProxy - - - - spring - org.springframework.web.servlet.DispatcherServlet - 1 - - - - spring - / - - - diff --git a/kubernetes/dmaap/components/message-router/templates/NOTES.txt b/kubernetes/dmaap/components/message-router/templates/NOTES.txt deleted file mode 100644 index a44d0f76ee..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/dmaap/components/message-router/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/templates/configmap.yaml index c999b79183..3f786ad950 100644 --- a/kubernetes/dmaap/components/message-router/templates/configmap.yaml +++ b/kubernetes/dmaap/components/message-router/templates/configmap.yaml 
@@ -40,45 +40,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/dmaap/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-etc - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/etc/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-sys-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/sys-props.properties").AsConfig . | indent 2 }} ---- -{{- if .Values.prometheus.jmx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-prometheus-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/jmx-mrservice-prometheus.yml").AsConfig . | indent 2 }} ---- -{{ end }} + diff --git a/kubernetes/dmaap/components/message-router/templates/ingress.yaml b/kubernetes/dmaap/components/message-router/templates/ingress.yaml new file mode 100644 index 0000000000..a90bf83c07 --- /dev/null +++ b/kubernetes/dmaap/components/message-router/templates/ingress.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/message-router/templates/secrets.yaml b/kubernetes/dmaap/components/message-router/templates/secrets.yaml deleted file mode 100644 index 50dda8a8f9..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/secrets.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-secret - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ (.Files.Glob "resources/config/dmaap/mykey").AsSecrets | indent 2 }} -type: Opaque ---- -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml index 174eb2c3a9..ede6cb025e 100644 --- a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml @@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2023 DTAG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -22,103 +23,14 @@ metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} + replicas: 1 template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0); - cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config - name: jetty - - mountPath: /config-input - name: etc - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} containers: - {{- if .Values.prometheus.jmx.enabled }} - - name: prometheus-jmx-exporter - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.prometheus.jmx.image }}:{{ .Values.prometheus.jmx.imageTag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - java - - -XX:+UnlockExperimentalVMOptions - - -XX:+UseCGroupMemoryLimitForHeap - - -XX:MaxRAMFraction=1 - - -XshowSettings:vm - - -jar - - jmx_prometheus_httpserver.jar - - {{ .Values.prometheus.jmx.port | quote }} - - /etc/jmx-kafka/jmx-mrservice-prometheus.yml - ports: - - containerPort: {{ .Values.prometheus.jmx.port }} - resources: - volumeMounts: - - name: jmx-config - mountPath: /etc/jmx-kafka - {{- end }} - - name: srimzi-zk-entrance - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.zookeeper.entrance.image }} - command: - - /opt/stunnel/stunnel_run.sh - ports: - - containerPort: {{ .Values.global.zkTunnelService.internalPort }} - name: zoo - protocol: TCP - env: - - name: LOG_LEVEL - value: debug - - name: STRIMZI_ZOOKEEPER_CONNECT - value: '{{ include "common.release" . }}-strimzi-zookeeper-client:{{ .Values.global.zkTunnelService.internalPort }}' - imagePullPolicy: Always - livenessProbe: - exec: - command: - - /opt/stunnel/stunnel_healthcheck.sh - - '{{ .Values.global.zkTunnelService.internalPort }}' - failureThreshold: 3 - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - exec: - command: - - /opt/stunnel/stunnel_healthcheck.sh - - '{{ .Values.global.zkTunnelService.internalPort }}' - failureThreshold: 3 - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /etc/cluster-operator-certs/ - name: cluster-operator-certs - - mountPath: /etc/cluster-ca-certs/ - name: cluster-ca-certs - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - cp /jetty-config/ajsc-jetty.xml /appl/dmaapMR1/etc/ - cp /jetty-config/cadi.properties {{ .Values.certInitializer.appMountPath }}/local/cadi.properties - /bin/sh /appl/startup.sh - {{- end }} ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: 
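Review bot: `replicas: 1` at the top of the spec replaces `{{ .Values.replicaCount }}` with a literal, so the replica count can no longer be set from values or an override file. If a single instance is a hard requirement of this version, say so in a comment next to the line; otherwise keep `replicaCount` in values.yaml with a default of 1 and reference it here.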
@@ -148,56 +60,71 @@ spec: failureThreshold: {{ .Values.startup.failureThreshold }} env: - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "mr-kafka-admin-secret" "key" "sasl.jaas.config") | indent 12 }} + valueFrom: + secretKeyRef: + name: strimzi-kafka-admin + key: sasl.jaas.config - name: SASLMECH - value: {{ .Values.global.saslMechanism }} + value: scram-sha-512 - name: enableCadi - value: "{{ .Values.global.aafEnabled }}" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /appl/dmaapMR1/bundleconfig/etc/appprops/MsgRtrApi.properties - subPath: MsgRtrApi.properties - name: appprops - - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml - subPath: logback.xml - name: logback - {{- if .Values.global.aafEnabled }} - - mountPath: /appl/dmaapMR1/etc/runner-web.xml - subPath: runner-web.xml - name: etc - - mountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops/sys-props.properties - subPath: sys-props.properties - name: sys-props - - mountPath: /jetty-config - name: jetty - {{- end }} + value: "true" + - name: useZkTopicStore + value: "false" + volumeMounts: + - mountPath: /appl/dmaapMR1/bundleconfig/etc/appprops/MsgRtrApi.properties + subPath: MsgRtrApi.properties + name: appprops + - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml + subPath: logback.xml + name: logback resources: {{ include "common.resources" . | nindent 12 }} + - name: {{ .Values.zkTunnelService.name }} + image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.zkTunnelService.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /opt/stunnel/stunnel_run.sh + ports: + - containerPort: {{ .Values.zkTunnelService.internalPort }} + name: {{ .Values.zkTunnelService.portName }} + protocol: {{ .Values.zkTunnelService.protocol }} + env: + - name: LOG_LEVEL + value: {{ .Values.zkTunnelService.logLevel }} + - name: STRIMZI_ZOOKEEPER_CONNECT + value: '{{ include "common.release" . }}-strimzi-zookeeper-client:{{ .Values.zkTunnelService.internalPort }}' + livenessProbe: + exec: + command: + - /opt/stunnel/stunnel_healthcheck.sh + - '{{ .Values.zkTunnelService.internalPort }}' + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - /opt/stunnel/stunnel_healthcheck.sh + - '{{ .Values.zkTunnelService.internalPort }}' + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/cluster-operator-certs/ + name: cluster-operator-certs + - mountPath: /etc/cluster-ca-certs/ + name: cluster-ca-certs serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: appprops configMap: name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap - - name: etc - configMap: - name: {{ include "common.fullname" . }}-etc - name: logback configMap: name: {{ include "common.fullname" . }}-logback-xml-configmap - {{- if .Values.prometheus.jmx.enabled }} - - name: jmx-config - configMap: - name: {{ include "common.fullname" . }}-prometheus-configmap - {{- end }} - - name: sys-props - configMap: - name: {{ include "common.fullname" . }}-sys-props - - name: jetty - emptyDir: {} - name: cluster-operator-certs secret: defaultMode: 288 
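Review bot: the `JAASLOGIN` env entry now reads `sasl.jaas.config` from a `secretKeyRef` whose `name: strimzi-kafka-admin` is a literal, so a deployment that keeps the Kafka admin credentials in a differently named secret has to edit the template, where the removed `common.secret.envFromSecretFast` lookup allowed an external secret. Consider taking the secret name from values with `strimzi-kafka-admin` as the default. In the same env block, `SASLMECH` and `enableCadi` also become literals (`scram-sha-512` and `"true"`); `enableCadi` previously followed `.Values.global.aafEnabled`, and this change removes the certInitializer mounts, so please confirm that `"true"` is the intended value and note the reason in the template.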
@@ -206,8 +133,7 @@ spec: secret: defaultMode: 288 secretName: {{ include "common.release" . }}-strimzi-cluster-ca-cert - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -224,7 +150,7 @@ spec: matchLabels: app.kubernetes.io/name: {{ include "common.name" . }} ports: - - port: {{ .Values.global.zkTunnelService.internalPort }} - protocol: TCP + - port: {{ .Values.zkTunnelService.internalPort }} + protocol: {{ .Values.zkTunnelService.protocol }} policyTypes: - Ingress diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml index 11daae0de8..ab6a31ee2e 100644 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ b/kubernetes/dmaap/components/message-router/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2023 DTAG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,96 +19,58 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - kafkaBootstrap: strimzi-kafka-bootstrap - saslMechanism: scram-sha-512 - kafkaInternalPort: 9092 - zkTunnelService: - type: ClusterIP - name: zk-tunnel-svc - portName: tcp-zk-tunnel - internalPort: 2181 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-mr-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-mr - fqi: dmaapmr@mr.dmaap.onap.org - public_fqdn: mr.dmaap.onap.org - cadi_longitude: "-122.26147" - cadi_latitude: "37.78187" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - appMountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops - fqi_namespace: org.onap.dmaap.mr - aaf_add_config: | - cd {{ .Values.credsPath }} - echo "*** change jks password into shell safe one" - export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - echo "*** set key password as same password as jks keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} - echo "*** store the passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop - echo "KEYSTORE_PASSWORD_P12=${cadi_keystore_password_p12}" >> mycreds.prop - echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> mycreds.prop - echo "*** give ownership of files to the user" - chown -R 1000 . 
+ persistence: {} ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/dmaap/dmaap-mr:1.3.2 +image: onap/dmaap/dmaap-mr:1.4.4 pullPolicy: Always -zookeeper: - entrance: +#Strimzi zookeeper_tunnel config +zkTunnelService: + type: ClusterIP + name: zk-tunnel-svc + portName: tcp-zk-tunnel + protocol: TCP + internalPort: 2181 + logLevel: debug image: scholzj/zoo-entrance:latest -secrets: - - uid: mr-kafka-admin-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -# flag to enable debugging - application support required -debugEnabled: false +nodeSelector: {} -# application configuration -config: - someConfig: blah +affinity: {} -# default number of instances -replicaCount: 1 +containerPort: &svc_port 3904 -nodeSelector: {} +service: + type: ClusterIP + name: message-router + ports: + - name: api + port: *svc_port + port_protocol: http -affinity: {} +ingress: + enabled: false + service: + - baseaddr: "dmaap-mr-api" + name: "message-router" + port: *svc_port + config: + ssl: "redirect" # probe configuration parameters liveness: initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + periodSeconds: 30 + timeoutSeconds: 15 successThreshold: 1 failureThreshold: 3 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container - port: api + port: *svc_port enabled: true readiness: 
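Review bot: under `zkTunnelService`, the tunnel sidecar image stays at `scholzj/zoo-entrance:latest`, a mutable tag, so the container that carries the ZooKeeper tunnel can change content between deployments without any chart change. Pin it to a fixed version tag or a digest, as is done for the application image `onap/dmaap/dmaap-mr:1.4.4` in this hunk. The new `logLevel: debug` default is also worth reconsidering: debug output from the tunnel is verbose for a default install, and a quieter default with debug as an opt-in override would be easier to operate.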
@@ -116,50 +79,16 @@ readiness: timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 - port: api + port: *svc_port +# periodSeconds is set longer to avoid DMaaP 429 error startup: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 90 + periodSeconds: 30 + timeoutSeconds: 15 successThreshold: 1 failureThreshold: 70 - port: api - -service: - type: NodePort - name: message-router - both_tls_and_plain: true - msb: - - port: 3904 - url: "/" - version: "v1" - protocol: "REST" - visualRange: "1" - ports: - - name: api - port: 3905 - plain_port: 3904 - port_protocol: http - nodePort: 26 - -prometheus: - jmx: - enabled: false - image: solsson/kafka-prometheus-jmx-exporter@sha256 - imageTag: 6f82e2b0464f50da8104acd7363fb9b995001ddff77d248379f8788e78946143 - port: 5556 - targetPort: 5555 - -ingress: - enabled: false - service: - - baseaddr: "mr.api" - name: "message-router" - port: 3905 - config: - ssl: "redirect" - + port: *svc_port # Resource Limit flavor -By Default using small flavor: small @@ -167,18 +96,18 @@ flavor: small resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "2" + memory: "4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 8540903193..0000000000 --- a/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - /opt/app/datartr/logs/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase \ No newline at end of file diff --git a/kubernetes/dmaap/values.yaml b/kubernetes/dmaap/values.yaml index d34efae312..6faab9cdbc 100644 --- a/kubernetes/dmaap/values.yaml +++ b/kubernetes/dmaap/values.yaml 
@@ -18,53 +18,14 @@ # Global configuration defaults. ################################################################# global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - readinessImage: onap/oom/readiness:3.0.1 - loggingRepository: docker.elastic.co - loggingImage: beats/filebeat:5.5.0 - clientImage: onap/dmaap/dbc-client:1.0.9 - repository: nexus3.onap.org:10001 - busyBoxImage: busybox:1.30 - busyBoxRepository: docker.io - -#Global DMaaP app config - allow_http: false - - #Logstash config - logstashServiceName: log-ls - logstashPort: 5044 - - #dmaap-dr-prov server configuration - dmaapDrProvName: dmaap-dr-prov - dmaapDrProvExtPort2: 443 - dmaapDrProvExtPort: 80 - - #AAF global config overrides - aafEnabled: true - aafAgentImage: onap/aaf/aaf_agent:2.1.20 - aafAppNs: org.osaaf.aaf - aafLocatorContainer: oom - - #Strimzi config - kafkaBootstrap: strimzi-kafka-bootstrap - kafkaStrimziAdminUser: strimzi-kafka-admin - kafkaInternalPort: 9092 - saslMechanism: scram-sha-512 - + persistence: {} #Component overrides message-router: enabled: true - config: - jaasConfExternalSecret: '{{ .Values.global.kafkaStrimziAdminUser }}' -dmaap-bc: - enabled: true dmaap-dr-node: enabled: true dmaap-dr-prov: enabled: true -dmaap-strimzi: - enabled: true #Pods Service Account serviceAccount: diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 347c7689e4..f60a2d35d0 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -51,8 +51,8 @@ generate_overrides() { END=${SUBCHART_NAMES[index+1]} if [ "$START" = "global:" ]; then echo "global:" > $GLOBAL_OVERRIDES - cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ - | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES + cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \ + | sed '1d;$d' >> $GLOBAL_OVERRIDES else SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)" if [ -d "$SUBCHART_DIR" ]; then 
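Review bot: in `generate_overrides`, the new range `sed -n '/^'"$START"'/,/'"$END"'/p'` anchors the start pattern with `^` but not the end pattern, so the global block is cut at the first line that merely contains the next subchart key, including a nested key inside `global:` itself. Anchor the end as well (`/^'"$END"'/`) and decide what should happen when `END` is empty because `global:` is the last entry of `SUBCHART_NAMES`. `$COMPUTED_OVERRIDES` and `$GLOBAL_OVERRIDES` are also unquoted in this pipeline.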
@@ -271,7 +271,7 @@ deploy() { #So cache the results to prevent repeated execution. ALL_HELM_RELEASES=$(helm ls -q) - for subchart in strimzi cassandra mariadb-galera postgres ; do + for subchart in strimzi roles-wrapper repository-wrapper cassandra mariadb-galera postgres ; do SUBCHART_OVERRIDES=$CACHE_SUBCHART_DIR/$subchart/subchart-overrides.yaml SUBCHART_ENABLED=0 @@ -296,8 +296,8 @@ deploy() { done fi done - - + # Disable delay + DELAY="false" for subchart in * ; do SUBCHART_OVERRIDES=$CACHE_SUBCHART_DIR/$subchart/subchart-overrides.yaml diff --git a/kubernetes/helm/starters/onap-app/Chart.yaml b/kubernetes/helm/starters/onap-app/Chart.yaml index 2f8c678e40..c8f618a984 100644 --- a/kubernetes/helm/starters/onap-app/Chart.yaml +++ b/kubernetes/helm/starters/onap-app/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: name: -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/helm/starters/onap-app/templates/deployment.yaml b/kubernetes/helm/starters/onap-app/templates/deployment.yaml index fc76c1ff6d..c4d0eb5d3f 100644 --- a/kubernetes/helm/starters/onap-app/templates/deployment.yaml +++ b/kubernetes/helm/starters/onap-app/templates/deployment.yaml 
@@ -70,16 +70,12 @@ spec: #Example environment variable passed to container # - name: DEBUG_FLAG # value: {{ .Values.global.debugEnabled | default .Values.debugEnabled | quote }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true #Example config file mount into container +# volumeMounts: # - mountPath: /opt/app/application.properties # name: {{ include "common.name" . }}-config # subPath: application.properties - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -89,16 +85,12 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime #Example config file mount into container +# volumes: # - name: {{ include "common.fullname" . }}-config # configMap: # name: {{ include "common.fullname" . }}-configmap # items: # - key: application.properties # path: application.properties - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/helm/starters/onap-app/values.yaml b/kubernetes/helm/starters/onap-app/values.yaml index 702bfb2a73..eef745d940 100644 --- a/kubernetes/helm/starters/onap-app/values.yaml +++ b/kubernetes/helm/starters/onap-app/values.yaml @@ -85,8 +85,8 @@ resources: {} # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" diff --git a/kubernetes/holmes/Chart.yaml b/kubernetes/holmes/Chart.yaml index 10268d4c81..7a8a23a42f 100644 --- a/kubernetes/holmes/Chart.yaml +++ b/kubernetes/holmes/Chart.yaml 
@@ -18,26 +18,26 @@ apiVersion: v2 description: ONAP DCAE HOLMES name: holmes -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster - name: postgres-init - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - condition: not global.postgres.localCluster + condition: global.postgres.globalCluster - name: holmes-rule-mgmt - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/holmes-rule-mgmt' - name: holmes-engine-mgmt - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/holmes-engine-mgmt' diff --git a/kubernetes/holmes/Makefile b/kubernetes/holmes/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/holmes/Makefile +++ b/kubernetes/holmes/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock 
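Review bot: the new `package-%` recipe pushes with `cm-push -f`, which overwrites a chart of the same name and version already present in the `local` repository, so a rebuilt chart silently replaces what was published before; drop the force flag or make it opt-in through a variable, the way `SKIP_LINT` is. The package path is scraped from helm's status message with `cut -d":" -f2`, which depends on the exact wording of that message, leaves `$$PACKAGE_NAME` unquoted, and breaks if the path contains a colon; building the file name from the chart name and version would be sturdier. The fixed `sleep 3` needs a comment saying what it waits for.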
diff --git a/kubernetes/holmes/components/Makefile b/kubernetes/holmes/components/Makefile index f4c9784bc4..9544d70f33 100644 --- a/kubernetes/holmes/components/Makefile +++ b/kubernetes/holmes/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml index 5169d6510a..df7f2c0c72 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml 
@@ -18,18 +18,18 @@ apiVersion: v2 appVersion: "2.0" description: Holmes Engine Management name: holmes-engine-mgmt -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~11.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 - repository: '@local' + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml new file mode 100644 index 0000000000..34c4024059 --- /dev/null +++ b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml @@ -0,0 +1,18 @@ +server: + port: 9102 + servlet: + context-path: /api/holmes-engine-mgmt/v1 + +logging: + config: classpath:logback-spring.xml + +spring: + application: + name: Holmes Engine Management + datasource: + dirver-class-name: org.postgresql.Driver + url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} + username: ${JDBC_USERNAME} + password: ${JDBC_PASSWORD} + mvc: + throw-exception-if-no-handler-found: true \ No newline at end of file diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml index 9e62ccf2f7..9a16390856 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml @@ -19,10 +19,8 @@ server: applicationContextPath: / adminContextPath: /admin connector: - type: https + type: http port: 9102 - keyStorePath: /opt/onap/conf/holmes.keystore - keyStorePassword: holmes validateCerts: false validatePeers: false 
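Review bot: switching the connector to `type: http` on port 9102 removes TLS from this service, and nothing in the hunk says what protects the traffic instead; if that is delegated to a service mesh or ingress, state it in a comment next to the connector. Removing the hardcoded `keyStorePassword: holmes` is good, but the remaining `validateCerts: false` and `validatePeers: false` lines look like leftovers of the https connector and could be dropped with it.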
diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml index dd7bb4552e..641f032ce4 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml @@ -33,7 +33,12 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{- include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: + {{- if .Values.global.postgres.localCluster }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} + {{ else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} + {{- end }} - name: {{ include "common.name" . }}-env-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -53,6 +58,16 @@ spec: value: {{ .Values.config.pgConfig.dbHost }} - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" + - name: AAI_ADDR + value: aai + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_USERNAME + value: {{ .Values.config.aai.username }} + - name: AAI_PASSWORD + value: {{ .Values.config.aai.password }} + - name: NAMESPACE + value: {{ include "common.namespace" . }} volumeMounts: - mountPath: /hemconfig name: {{ include "common.fullname" . }}-config 
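Review bot: `AAI_PASSWORD` is set with `value: {{ .Values.config.aai.password }}`, so the credential is rendered in clear text into the Deployment manifest and is readable by anyone who can get that object. Source it from a Secret with `valueFrom.secretKeyRef` instead. The new `AAI_USERNAME`, `AAI_PASSWORD` and `NAMESPACE` values are also unquoted, unlike `AAI_PORT` just above them; pipe them through `quote`.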
@@ -64,7 +79,7 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {{ include "common.resources" . | nindent 10 }} ports: {{ include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: {{ include "common.fullname" . }}-env-config mountPath: /opt/hemconfig - name: {{ include "common.fullname" . }}-config @@ -119,7 +134,7 @@ spec: - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: {{ include "common.fullname" . }}-config configMap: defaultMode: 422 @@ -127,5 +142,4 @@ spec: - name: {{ include "common.fullname" . }}-env-config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml index 50df26f946..bd06bcd1ee 100644 --- a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml 
@@ -20,50 +20,19 @@ ################################################################# global: nodePortPrefixExt: 302 - msbProtocol: https + msbProtocol: http msbServiceName: msb-iag - msbPort: 443 + msbPort: 80 + postgres: + localCluster: false ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/holmes/engine-management:10.0.5 +image: onap/holmes/engine-management:12.0.1 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: holmes-engine-mgmt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: holmes-engine-mgmt - fqi: holmes-engine-mgmt@holmes-engine-mgmt.onap.org - fqi_namespace: org.onap.holmes-engine-mgmt - public_fqdn: holmes-engine-mgmt.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to 
targeted user" - chown -R 1000 . - ################################################################# # Secrets metaconfig ################################################################# @@ -90,20 +59,41 @@ config: dbUser: admin dbUserPassword: admin # dbUserCredsExternalSecret + msb: + serviceName: msb-iag + port: 80 + aai: + aaiPort: 80 + username: AAI + password: AAI service: type: ClusterIP name: holmes-engine-mgmt ports: - - name: https-rest + - name: http-rest port: &svc_port 9102 + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "holmes-engine-mgmt", + "version": "v1", + "url": "/api/holmes-engine-mgmt/v1", + "path":"/api/holmes-engine-mgmt/v1", + "protocol": "REST", + "visualRange":"0|1", + "port": "9102", + "enable_ssl": false + } + ]{{ end }} # probe configuration parameters liveness: initialDelaySeconds: 10 periodSeconds: 10 path: /api/holmes-engine-mgmt/v1/healthcheck - scheme: HTTPS + scheme: HTTP port: *svc_port enabled: true @@ -111,27 +101,35 @@ readiness: initialDelaySeconds: 30 periodSeconds: 30 path: /api/holmes-engine-mgmt/v1/healthcheck - scheme: HTTPS + scheme: HTTP port: *svc_port # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 500m - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 250m - memory: 500Mi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 500m - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 250m - memory: 1Gi + cpu: "1" + memory: "2Gi" unlimited: {} +readinessCheck: + wait_for_global: + jobs: + - '{{ include "common.release" . }}-holmes-postgres-init-config-job' + wait_for_local: + services: + - '{{ .Values.global.postgres.service.name2 }}' + #Pods Service Account serviceAccount: nameOverride: holmes-engine-mgmt diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml index 08eb19df74..4263913b25 100644 
--- a/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml @@ -18,18 +18,18 @@ apiVersion: v2 appVersion: "2.0" description: Holmes Rule Management name: holmes-rule-mgmt -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~11.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml new file mode 100644 index 0000000000..2ff0fa6d52 --- /dev/null +++ b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml @@ -0,0 +1,18 @@ +server: + port: 9101 + servlet: + context-path: /api/holmes-rule-mgmt/v1 + +logging: + config: classpath:logback-spring.xml + +spring: + application: + name: Holmes Rule Management + datasource: + dirver-class-name: org.postgresql.Driver + url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} + username: ${JDBC_USERNAME} + password: ${JDBC_PASSWORD} + mvc: + throw-exception-if-no-handler-found: true \ No newline at end of file diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml index 89269dede8..3b7218855a 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml 
@@ -13,10 +13,8 @@ server: applicationContextPath: / adminContextPath: /admin connector: - type: https + type: http port: 9101 - keyStorePath: /opt/onap/conf/holmes.keystore - keyStorePassword: holmes validateCerts: false validatePeers: false diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl b/kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl index 494333c2a8..814aeedf03 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl +++ b/kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl @@ -4,7 +4,7 @@ import org.onap.holmes.common.dmaap.DmaapService; import org.onap.holmes.common.api.stat.VesAlarm; import org.onap.holmes.common.aai.CorrelationUtil; import org.onap.holmes.common.dmaap.entity.PolicyMsg; -import org.onap.holmes.common.dropwizard.ioc.utils.ServiceLocatorHolder; +import org.onap.holmes.common.utils.SpringContextUtil; import org.onap.holmes.common.utils.DroolsLog; rule "Relation_analysis_Rule" @@ -20,7 +20,7 @@ no-loop true $child : VesAlarm( eventId != $eventId, parentId == null, CorrelationUtil.getInstance().isTopologicallyRelated(sourceId, $sourceId, $sourceName), eventName in ("Fault_MME_eNodeB out of service alarm"), - startEpochMicrosec < $startEpochMicrosec + 60000 && startEpochMicrosec > $startEpochMicrosec - 60000 ) + startEpochMicrosec < $startEpochMicrosec + 60000 && startEpochMicrosec > $startEpochMicrosec - 60000) then DroolsLog.printInfo("==========================================================="); DroolsLog.printInfo("Relation_analysis_Rule: rootId=" + $root.getEventId() + ", childId=" + $child.getEventId()); 
@@ -37,7 +37,7 @@ no-loop true then DroolsLog.printInfo("==========================================================="); DroolsLog.printInfo("root_has_child_handle_Rule: rootId=" + $root.getEventId() + ", childId=" + $child.getEventId()); - DmaapService dmaapService = ServiceLocatorHolder.getLocator().getService(DmaapService.class); + DmaapService dmaapService = SpringContextUtil.getBean(DmaapService.class); PolicyMsg policyMsg = dmaapService.getPolicyMsg($root, $child, "org.onap.holmes.droolsRule"); dmaapService.publishPolicyMsg(policyMsg, "dcae_cl_out"); $root.setRootFlag(1); @@ -55,7 +55,7 @@ no-loop true then DroolsLog.printInfo("==========================================================="); DroolsLog.printInfo("root_no_child_handle_Rule: rootId=" + $root.getEventId()); - DmaapService dmaapService = ServiceLocatorHolder.getLocator().getService(DmaapService.class); + DmaapService dmaapService = SpringContextUtil.getBean(DmaapService.class); PolicyMsg policyMsg = dmaapService.getPolicyMsg($root, null, "org.onap.holmes.droolsRule"); dmaapService.publishPolicyMsg(policyMsg, "dcae_cl_out"); $root.setRootFlag(1); @@ -70,7 +70,7 @@ no-loop true then DroolsLog.printInfo("==========================================================="); DroolsLog.printInfo("root_cleared_handle_Rule: rootId=" + $root.getEventId()); - DmaapService dmaapService = ServiceLocatorHolder.getLocator().getService(DmaapService.class); + DmaapService dmaapService = SpringContextUtil.getBean(DmaapService.class); PolicyMsg policyMsg = dmaapService.getPolicyMsg($root, null, "org.onap.holmes.droolsRule"); dmaapService.publishPolicyMsg(policyMsg, "dcae_cl_out"); retract($root); @@ -85,4 +85,4 @@ no-loop true DroolsLog.printInfo("==========================================================="); DroolsLog.printInfo("child_handle_Rule: childId=" + $child.getEventId()); retract($child); -end +end \ No newline at end of file 
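Review bot: the final line of this hunk replaces `end` with `end` followed by `\ No newline at end of file`, which drops the trailing newline from the rule file. Keep the final newline so later diffs do not touch this line again.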
diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml index 21a96568cb..e71187c557 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml @@ -32,7 +32,12 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{- include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: + {{- if .Values.global.postgres.localCluster }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} + {{ else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} + {{- end }} - name: {{ include "common.name" . }}-env-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -52,6 +57,8 @@ spec: value: {{ .Values.config.pgConfig.dbHost }} - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" + - name: NAMESPACE + value: {{ include "common.namespace" . }} volumeMounts: - mountPath: /hrmconfig name: {{ include "common.fullname" . }}-general-config @@ -61,8 +68,9 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {{ include "common.resources" . | nindent 10 }} ports: {{ include "common.containerPorts" . | nindent 8 }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: {{ include "common.fullname" . }}-env-config mountPath: /opt/hrmconfig - name: {{ include "common.fullname" . }}-rule-config 
@@ -117,7 +125,7 @@ spec: - name: DB_PORT value: "{{ .Values.config.pgConfig.dbPort }}" serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: {{ include "common.fullname" . }}-general-config configMap: defaultMode: 422 @@ -129,5 +137,4 @@ spec: - name: {{ include "common.fullname" . }}-env-config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/ingress.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/holmes/components/holmes-rule-mgmt/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml index 84c2108521..a7e0e25a17 100644 --- a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml +++ b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml 
@@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 ZTE Corporation Intellectual Property. All rights reserved. +# Modifications 2023 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -20,50 +21,19 @@ ################################################################# global: nodePortPrefixExt: 302 - msbProtocol: https + msbProtocol: http msbServiceName: msb-iag - msbPort: 443 + msbPort: 80 + postgres: + localCluster: false ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/holmes/rule-management:10.0.5 +image: onap/holmes/rule-management:12.0.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: holmes-rule-mgmt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: holmes-rule-mgmt - fqi: holmes-rule-mgmt@holmes-rule-mgmt.onap.org - fqi_namespace: org.onap.holmes-rule-mgmt - public_fqdn: holmes-rule-mgmt.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" 
- chown -R 1000 . - ################################################################# # Secrets metaconfig ################################################################# @@ -95,12 +65,40 @@ service: type: NodePort name: holmes-rule-mgmt ports: - - name: https-rest + - name: http-rest port: &svc_port 9101 nodePort: 92 - - name: https-ui - port: 9104 + - name: http-ui + port: &ui_port 9104 nodePort: 93 + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "holmes-rule-mgmt", + "version": "v1", + "url": "/api/holmes-rule-mgmt/v1", + "path":"/api/holmes-rule-mgmt/v1", + "protocol": "REST", + "visualRange":"0|1", + "port": "9101", + "enable_ssl": false + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: "holmes-rule-mgmt" + name: "holmes-rule-mgmt" + path: "/api/holmes-rule-mgmt/v1" + port: *svc_port + - baseaddr: "holmes-rule-mgmt-ui" + name: "holmes-rule-mgmt" + path: "/iui/holmes" + port: *ui_port + config: + ssl: "redirect" # probe configuration parameters liveness: @@ -109,33 +107,41 @@ liveness: periodSeconds: 10 path: /api/holmes-rule-mgmt/v1/healthcheck enabled: true - scheme: HTTPS + scheme: HTTP readiness: initialDelaySeconds: 30 port: *svc_port periodSeconds: 30 path: /api/holmes-rule-mgmt/v1/healthcheck - scheme: HTTPS + scheme: HTTP # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 250m - memory: 1024Mi + cpu: "1" + memory: "1Gi" requests: - cpu: 250m - memory: 256Mi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 500m - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 500m - memory: 512Mi + cpu: "1" + memory: "1Gi" unlimited: {} +readinessCheck: + wait_for_global: + jobs: + - '{{ include "common.release" . }}-holmes-postgres-init-config-job' + wait_for_local: + services: + - '{{ .Values.global.postgres.service.name2 }}' + #Pods Service Account serviceAccount: nameOverride: holmes-rule-mgmt 
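Review bot: in kubernetes/holmes/components/holmes-rule-mgmt/values.yaml, hunk @@ -95,12 +65,40 @@, the ports are renamed to `http-rest` and `http-ui` and the MSB annotation sets `"enable_ssl": false`, yet the service values still request `type: NodePort` with `nodePort: 92` and `nodePort: 93`, so the REST API and the UI would be offered in plain HTTP on the node ports. The new `ingress` block carries `ssl: "redirect"` but ships with `enabled: false`, so by default nothing in these values puts TLS in front of the two ports. Consider switching the service to ClusterIP now that an ingress definition exists, or add a comment stating where TLS is expected to be terminated.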
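Review bot: the new `readinessCheck.wait_for_local.services` entry in hunk @@ -109,33 +107,41 @@ of kubernetes/holmes/components/holmes-rule-mgmt/values.yaml resolves `.Values.global.postgres.service.name2`, but the `global` block of this same file (hunk @@ -20,50 +21,19 @@) only adds `postgres.localCluster: false`; `service.name2` is visible only in the parent kubernetes/holmes/values.yaml. The component therefore depends on the parent's globals to render this value. Either add a default `global.postgres.service.name2` here or add a comment saying the value is inherited from the parent chart.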
diff --git a/kubernetes/holmes/values.yaml b/kubernetes/holmes/values.yaml index a536380bd5..4ede9a15fd 100644 --- a/kubernetes/holmes/values.yaml +++ b/kubernetes/holmes/values.yaml @@ -22,7 +22,11 @@ global: #Service Names of the postgres db to connect to. #Override it to dbc-pg if localCluster is enabled. postgres: + #This flag allows SO to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) localCluster: false + globalCluster: true service: name: pgset name2: &postgres tcp-pgset-primary @@ -43,7 +47,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate - ################################################################# # Application configuration defaults. ################################################################# @@ -84,6 +87,8 @@ postgres-init: # pgPrimaryPassword: password # pgUserPassword: password # pgRootPassword: password + serviceAccount: + nameOverride: holmes-postgres-init holmes-engine-mgmt: config: diff --git a/kubernetes/log/.helmignore b/kubernetes/log/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/log/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/log/Chart.yaml b/kubernetes/log/Chart.yaml deleted file mode 100644 index 891566c781..0000000000 --- a/kubernetes/log/Chart.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging ElasticStack -name: log -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: log-elasticsearch - version: ~11.x-0 - repository: 'file://components/log-elasticsearch' - - name: log-kibana - version: ~11.x-0 - repository: 'file://components/log-kibana' - - name: log-logstash - version: ~11.x-0 - repository: 'file://components/log-logstash' diff --git a/kubernetes/log/Makefile b/kubernetes/log/Makefile deleted file mode 100644 index 2f6c6fe47c..0000000000 --- a/kubernetes/log/Makefile +++ /dev/null 
@@ -1,56 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/log/components/Makefile b/kubernetes/log/components/Makefile deleted file mode 100644 index 1688db2d44..0000000000 
--- a/kubernetes/log/components/Makefile +++ /dev/null @@ -1,56 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
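Review bot: in kubernetes/holmes/values.yaml, hunk @@ -22,7 +22,11 @@, the comment added above `localCluster` says the flag "allows SO to instantiate its own mariadb-galera cluster", while the block it documents is the `postgres` section of the holmes chart, so it reads as copied from another chart. Reword it to name Holmes and postgres, and keep the part that matters to operators: `globalCluster: false` has to be set together with `localCluster: true` for the dependency check in Chart.yaml.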
diff --git a/kubernetes/log/components/log-elasticsearch/Chart.yaml b/kubernetes/log/components/log-elasticsearch/Chart.yaml deleted file mode 100644 index 7783eb1e9a..0000000000 --- a/kubernetes/log/components/log-elasticsearch/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Elasticsearch -name: log-elasticsearch -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml b/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml deleted file mode 100644 index d39fc97e0d..0000000000 --- a/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ======================== Elasticsearch Configuration ========================= -# -# NOTE: Elasticsearch comes with reasonable defaults for most settings. -# Before you set out to tweak and tune the configuration, make sure you -# understand what are you trying to accomplish and the consequences. -# -# The primary way of configuring a node is via this file. This template lists -# the most important settings you may want to configure for a production cluster. -# -# Please consult the documentation for further information on configuration options: -# https://www.elastic.co/guide/en/elasticsearch/reference/index.html -# -# ---------------------------------- Cluster ----------------------------------- -# -# Name of the Elasticsearch cluster. -# A node can only join a cluster when it shares its cluster.name with all the other nodes in the cluster. -# The default name is elasticsearch, but you should change it to an appropriate name which describes the -# purpose of the cluster. -# -cluster.name: "onap-log" -# -# The port that other nodes in the cluster should use when communicating with this node. -# Required for Elasticsearch's nodes running on different cluster nodes. 
-# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html -#transport.publish_port:$transport.publish_port -# -# The host address to publish for nodes in the cluster to connect to. -# Required for Elasticsearch's nodes running on different cluster nodes. -# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html -#transport.publish_host:$transport.publish_host -# -# ------------------------------------ Node ------------------------------------ -# -# It is better to provide different meaningfull names fot different elastic nodes. -# By default, Elasticsearch will take the 7 first character of the randomly generated uuid used as the node id. -# Note that the node id is persisted and does not change when a node restarts -# -#node.name: $node.name -# -# Add custom attributes to the node: -# -#node.attr.rack: r1 -# -# ----------------------------------- Paths ------------------------------------ -# -# The location of the data files of each index / shard allocated on the node. Can hold multiple locations separated by coma. -# In production, we should not keep this default to "/elasticsearch/data", as on upgrading Elasticsearch, directory structure -# may change & can deal to data loss. -path.data: /usr/share/elasticsearch/data -# -# Elasticsearch's log files location. In production, we should not keep this default to "/elasticsearch/logs", -# as on upgrading Elasticsearch, directory structure may change. -path.logs: /usr/share/elasticsearch/logs -# -# ----------------------------------- Memory ----------------------------------- -# -# It is vitally important to the health of your node that none of the JVM is ever swapped out to disk. -# Lock the memory on startup. -# -bootstrap.memory_lock: false -# -# Make sure that the heap size is set to about half the memory available -# on the system and that the owner of the process is allowed to use this -# limit. 
-# -# Elasticsearch performs poorly when the system is swapping the memory. -# -# ---------------------------------- Network ----------------------------------- -# -# Set the bind address to a specific IP (IPv4 or IPv6): -# In order to communicate and to form a cluster with nodes on other servers, your node will need to bind to a -# non-loopback address. -network.host: 0.0.0.0 -# -# Set a custom port for HTTP: If required, default is 9200-9300 -# -#http.port: $http.port -# -# For more information, consult the network module documentation. -# -# --------------------------------- Discovery ---------------------------------- -# -# Pass an initial list of hosts to perform discovery when new node is started -# To form a cluster with nodes on other servers, you have to provide a seed list of other nodes in the cluster -# that are likely to be live and contactable. -# By default, Elasticsearch will bind to the available loopback addresses and will scan ports 9300 to 9305 to try -# to connect to other nodes running on the same server. -# -#$discovery.zen.ping.unicast.hosts -# -# This setting tells Elasticsearch to not elect a master unless there are enough master-eligible nodes -# available. Only then will an election take place. -# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1): -discovery.zen.minimum_master_nodes: 1 -# -# For more information, consult the zen discovery module documentation. -# -# ---------------------------------- Gateway ----------------------------------- -# -# Block initial recovery after a full cluster restart until N nodes are started: -# -#gateway.recover_after_nodes: 3 -# -# For more information, consult the gateway module documentation. 
-# -# ---------------------------------- Various ----------------------------------- -# -# Require explicit names when deleting indices: -# -#action.destructive_requires_name: true -# Set a custom port for HTTP: If required, default is 9200-9300 -# This is used for REST APIs -http.port: {{.Values.service.externalPort}} -# Port to bind for communication between nodes. Accepts a single value or a range. -# If a range is specified, the node will bind to the first available port in the range. -# Defaults to 9300-9400. -# More info: -transport.tcp.port: {{.Values.service.externalPort2}} - -xpack.graph.enabled: false -#Set to false to disable X-Pack graph features. - -xpack.ml.enabled: false -#Set to false to disable X-Pack machine learning features. - -xpack.monitoring.enabled: false -#Set to false to disable X-Pack monitoring features. - -xpack.security.enabled: false -#Set to false to disable X-Pack security features. - -xpack.watcher.enabled: false -#Set to false to disable Watcher. diff --git a/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt b/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt deleted file mode 100644 index ab908cd309..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml b/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml deleted file mode 100644 index fe0349ede9..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml b/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml deleted file mode 100644 index b778af8564..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /bin/sh - - -c - - | - sysctl -w vm.max_map_count=262144 - mkdir -p /logroot/elasticsearch/logs - mkdir -p /logroot/elasticsearch/data - chmod -R 777 /logroot/elasticsearch - chown -R root:root /logroot - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - securityContext: - privileged: true - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: init-sysctl - volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /logroot/ - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort2 }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/elasticsearch/config/elasticsearch.yml - name: {{ include "common.fullname" . }}-config - subPath: elasticsearch.yml - - mountPath: /usr/share/elasticsearch/data/ - name: {{ include "common.fullname" . }}-data - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: elasticsearch.yml - path: elasticsearch.yml - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-logs - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPathLogs }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml b/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/pv.yaml b/kubernetes/log/components/log-elasticsearch/templates/pv.yaml deleted file mode 100644 index 9d4093db11..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/pv.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} diff --git a/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml b/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml deleted file mode 100644 index 6ae4eea0d3..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/log/components/log-elasticsearch/templates/service.yaml b/kubernetes/log/components/log-elasticsearch/templates/service.yaml deleted file mode 100644 index 7736f0c9d7..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/service.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name2 }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.name2 }} - {{- else -}} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-elasticsearch/values.yaml b/kubernetes/log/components/log-elasticsearch/values.yaml deleted file mode 100644 index 7919a0948e..0000000000 --- a/kubernetes/log/components/log-elasticsearch/values.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# application image -image: elasticsearch/elasticsearch:5.5.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 120 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If 
defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: log/elasticsearch/data - mountSubPathLogs: log - -service: - type: NodePort - name: log-es - externalPort: 9200 - internalPort: 9200 - nodePort: 54 - type2: ClusterIP - name2: log-es-tcp - externalPort2: 9300 - internalPort2: 9300 - -ingress: - enabled: false - service: - - baseaddr: "loges" - name: "log-es" - port: 9200 - config: - ssl: "none" -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 1 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/components/log-kibana/Chart.yaml b/kubernetes/log/components/log-kibana/Chart.yaml deleted file mode 100644 index 0df19a6d39..0000000000 --- a/kubernetes/log/components/log-kibana/Chart.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Kibana -name: log-kibana -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-kibana/resources/config/README.txt b/kubernetes/log/components/log-kibana/resources/config/README.txt deleted file mode 100644 index 2863c1d5e5..0000000000 --- a/kubernetes/log/components/log-kibana/resources/config/README.txt +++ /dev/null @@ -1 +0,0 @@ -"kibana-onboarding.json" file contains initial setup of Kibana obtained using Elasticdump tool. \ No newline at end of file diff --git a/kubernetes/log/components/log-kibana/resources/config/kibana-onboarding.json b/kubernetes/log/components/log-kibana/resources/config/kibana-onboarding.json deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/kubernetes/log/components/log-kibana/resources/config/kibana.yml b/kubernetes/log/components/log-kibana/resources/config/kibana.yml deleted file mode 100644 index 377f3c7b65..0000000000 --- a/kubernetes/log/components/log-kibana/resources/config/kibana.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -xpack.graph.enabled: false -#Set to false to disable X-Pack graph features. -xpack.ml.enabled: false -#Set to false to disable X-Pack machine learning features. -xpack.monitoring.enabled: false -#Set to false to disable X-Pack monitoring features. -xpack.reporting.enabled: false -#Set to false to disable X-Pack reporting features. -xpack.security.enabled: false -#Set to false to disable X-Pack security features. -xpack.watcher.enabled: false -#Set to false to disable Watcher. -# Kibana is served by a back end server. This setting specifies the port to use. -server.port: {{.Values.service.externalPort}} - -# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. -# The default is 'localhost', which usually means remote machines will not be able to connect. -# To allow connections from remote users, set this parameter to a non-loopback address. -server.host: "0" - -# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects -# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests -# to Kibana. This setting cannot end in a slash. -#server.basePath: "" - -# The maximum payload size in bytes for incoming server requests. 
-#server.maxPayloadBytes: 1048576 - -# The Kibana server's name. This is used for display purposes. -server.name: "Kibana" - -# The URL of the Elasticsearch instance to use for all your queries. -elasticsearch.url: "http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}" -# When this setting's value is true Kibana uses the hostname specified in the server.host -# setting. When the value of this setting is false, Kibana uses the hostname of the host -# that connects to this Kibana instance. -#elasticsearch.preserveHost: true - -# Kibana uses an index in Elasticsearch to store saved searches, visualizations and -# dashboards. Kibana creates a new index if the index doesn't already exist. -#kibana.index: ".kibana" - -# The default application to load. -#kibana.defaultAppId: "discover" - -# If your Elasticsearch is protected with basic authentication, these settings provide -# the username and password that the Kibana server uses to perform maintenance on the Kibana -# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which -# is proxied through the Kibana server. -elasticsearch.username: "elastic" -elasticsearch.password: "changeme" -# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. -# These settings enable SSL for outgoing requests from the Kibana server to the browser. -#server.ssl.enabled: $server_ssl_enabled -#server.ssl.certificate: $server_ssl_certificate -#server.ssl.key: $server_ssl_key - -# Optional settings that provide the paths to the PEM-format SSL certificate and key files. -# These files validate that your Elasticsearch backend uses the same key files. -#elasticsearch.ssl.certificate: $elasticsearch_ssl_certificate -#elasticsearch.ssl.key: $elasticsearch_ssl_key - -# Optional setting that enables you to specify a path to the PEM file for the certificate -# authority for your Elasticsearch instance. 
-#elasticsearch.ssl.certificateAuthorities: $elasticsearch_ssl_certificateAuthorities - -# To disregard the validity of SSL certificates, change this setting's value to 'none'. -#elasticsearch.ssl.verificationMode: $elasticsearch_ssl_verificationMode - -# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of -# the elasticsearch.requestTimeout setting. -#elasticsearch.pingTimeout: 1500 - -# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value -# must be a positive integer. -#elasticsearch.requestTimeout: 30000 - -# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side -# headers, set this value to [] (an empty list). -#elasticsearch.requestHeadersWhitelist: [ authorization ] - -# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten -# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration. -#elasticsearch.customHeaders: {} - -# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable. -#elasticsearch.shardTimeout: 0 - -# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying. -#elasticsearch.startupTimeout: 5000 - -# Specifies the path where Kibana creates the process ID file. -#pid.file: /var/run/kibana.pid - -# Enables you specify a file where Kibana stores log output. -#logging.dest: stdout - -# Set the value of this setting to true to suppress all logging output. -#logging.silent: false - -# Set the value of this setting to true to suppress all logging output other than error messages. -#logging.quiet: false - -# Set the value of this setting to true to log all events, including system usage information -# and all requests. -#logging.verbose: false - -# Set the interval in milliseconds to sample system and process performance -# metrics. Minimum is 100ms. Defaults to 5000. 
-#ops.interval: 5000 - -# The default locale. This locale can be used in certain circumstances to substitute any missing -# translations. -#i18n.defaultLocale: "en" diff --git a/kubernetes/log/components/log-kibana/templates/NOTES.txt b/kubernetes/log/components/log-kibana/templates/NOTES.txt deleted file mode 100644 index f115eb6f23..0000000000 --- a/kubernetes/log/components/log-kibana/templates/NOTES.txt +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-kibana/templates/configmap.yaml b/kubernetes/log/components/log-kibana/templates/configmap.yaml deleted file mode 100644 index 3e98246df1..0000000000 --- a/kubernetes/log/components/log-kibana/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-kibana/templates/deployment.yaml b/kubernetes/log/components/log-kibana/templates/deployment.yaml deleted file mode 100644 index 5e3dc98f84..0000000000 --- a/kubernetes/log/components/log-kibana/templates/deployment.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - log-elasticsearch - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - args: - - --input=/config/kibana-onboarding.json - - --output=http://{{.Values.config.elasticsearchServiceName}}.{{ include "common.namespace" . }}:{{.Values.config.elasticsearchPort}}/.kibana - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.elasticdumpImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-elasticdump - volumeMounts: - - mountPath: /config/kibana-onboarding.json - name: {{ include "common.fullname" . }} - subPath: kibana-onboarding.json - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - readinessProbe: - httpGet: - path: "/" - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: "/" - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{ end -}} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/kibana/config/ - name: {{ include "common.fullname" . }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }} - configMap: - name: {{ include "common.fullname" . }} - items: - - key: kibana.yml - path: kibana.yml - - key: kibana-onboarding.json - path: kibana-onboarding.json - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
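Review bot: in the removed log-kibana resources/config/kibana.yml, `elasticsearch.username: "elastic"` and `elasticsearch.password: "changeme"` sat in the chart as literals next to `xpack.security.enabled: false` and `server.host: "0"`, and deleting the file takes them out of the tree but not out of git history or out of clusters already installed from this chart. The same pair appears in the `elasticsearch` output block of the removed onap-pipeline.conf. Please say in the commit message or release notes that existing log releases should be uninstalled, and that any Elasticsearch instance still running with these defaults needs its password changed.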
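Review bot: the deleted log-kibana templates/deployment.yaml uses `.Values.elasticdumpImage`, the `repositoryGenerator.elasticRepository` helper and a readiness initContainer keyed on `--container-name log-elasticsearch`, so the removal should be checked for leftovers outside this chart. After applying, search the tree for `log-kibana`, `log-es` and `elasticRepository` (parent chart dependencies, override values files, docs), and drop the helper from repositoryGenerator in this change if no other chart still includes it.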
diff --git a/kubernetes/log/components/log-kibana/templates/ingress.yaml b/kubernetes/log/components/log-kibana/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/log/components/log-kibana/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/log/components/log-kibana/templates/service.yaml b/kubernetes/log/components/log-kibana/templates/service.yaml deleted file mode 100644 index c53dc03368..0000000000 --- a/kubernetes/log/components/log-kibana/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-kibana/values.yaml b/kubernetes/log/components/log-kibana/values.yaml deleted file mode 100644 index 767ea6ae99..0000000000 --- a/kubernetes/log/components/log-kibana/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# Elasticdump image -elasticdumpImage: taskrabbit/elasticsearch-dump - -# application image -image: kibana/kibana:5.5.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - elasticsearchServiceName: log-es - elasticsearchPort: 9200 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 300 - periodSeconds: 10 - timeoutSeconds: 1 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 300 - periodSeconds: 10 - timeoutSeconds: 1 - -service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. 
- type: NodePort - name: log-kibana - externalPort: 5601 - internalPort: 5601 - nodePort: 53 - -ingress: - enabled: false - service: - - baseaddr: "kibana.api" - name: "log-kibana" - port: 5601 - config: - ssl: "none" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/components/log-logstash/Chart.yaml b/kubernetes/log/components/log-logstash/Chart.yaml deleted file mode 100644 index b8a0d8e2c5..0000000000 --- a/kubernetes/log/components/log-logstash/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Logstash -name: log-logstash -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-logstash/resources/config/logstash.yml b/kubernetes/log/components/log-logstash/resources/config/logstash.yml deleted file mode 100644 index 7c3bd8f851..0000000000 
--- a/kubernetes/log/components/log-logstash/resources/config/logstash.yml +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -http.host: "0.0.0.0" -pipeline.workers: 3 -## Path where pipeline configurations reside -path.config: /usr/share/logstash/pipeline - -## Type of queue : memeory based or file based -#queue.type: persisted -## Size of queue -#queue.max_bytes: 1024mb -## Setting true makes logstash check periodically for change in pipeline configurations -config.reload.automatic: true - -## xpack configurations -#xpack.monitoring.elasticsearch.url: ["http://10.247.186.12:9200", "http://10.247.186.13:9200"] -#xpack.monitoring.elasticsearch.username: elastic -#xpack.monitoring.elasticsearch.password: changeme -xpack.monitoring.enabled: false diff --git a/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf b/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf deleted file mode 100644 index b224bf3173..0000000000 --- a/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf +++ /dev/null 
@@ -1,276 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -input { - beats { - - ## Add a id to plugin configuration. Can be anything unique. - id => 'beats_plugin' - - ######## Connection configurations ######## - - ## The port to listen on. - port => {{.Values.service.externalPort}} - - ## Close Idle clients after the specified time in seconds. Default is 60 seconds - #client_inactivity_timeout => 60 - - ######## Security configurations ######## - - ## Enable encryption. Default false. - #ssl => $filebeat_ssl - - ## ssl certificate path. - #ssl_certificate => $filebeat_ssl_certificate - - ## SSL key to use. - #ssl_key => $filebeat_ssl_key - - ##SSL key passphrase to use. - #ssl_key_passphrase => $filebeat_ssl_key_passphrase - - ## Value can be any of: none, peer, force_peer. - #ssl_verify_mode => $filebeat_ssl_verify_mode - - ## Time in milliseconds for an incomplete ssl handshake to timeout. Default is 10000 ms. 
- #ssl_handshake_timeout => 10000 - include_codec_tag => false - } -} - - -filter { - grok { - break_on_match => false - match => { - "source" => ["/var/log/onap/(?[^/]+)/", - "/var/log/onap/%{GREEDYDATA:componentLogFile}" - ] - } - } - - # Filter for log4j xml events - if "" in [message] { - - #mutate { add_field => { "orgmsg_log4j" => "%{message}" } } # Copy of orginal msg for debug - - #Filter to parse xml event and retrieve data - xml { - source => "message" - store_xml => false - remove_namespaces => true - target => "xml_content" - xpath => [ "/event/message/text()", "logmsg" , - "/event/@logger", "Logger", - "/event/@timestamp", "Timestamp", - "/event/@level", "loglevel", - "/event/@thread", "Thread", - "/event/throwable/text()", "Exceptionthrowable", - "/event/NDC/text()", "NDCs", - "/event/properties/data/@name","mdcname", - "/event/properties/data/@value","mdcvalue"] - - } - - #Ruby filter to iterate and separate MDCs into documents - ruby { - code => ' - $i = 0 - $num = 0 - if event.get("[mdcname]") - $num = event.get("[mdcname]").length - end - if $num != 0 - until $i > $num do - if event.get("[mdcname]").at($i) and event.get("[mdcvalue]").at($i) - event.set(event.get("[mdcname]").at($i), event.get("[mdcvalue]").at($i)) - end - $i=$i+1 - end - end - ' - } - - #Validations - if [Exceptionthrowable] - { - mutate { - replace => { - "exceptionmessage" => "%{[Exceptionthrowable]}" - } - } - } - - if [NDCs] - { - mutate { - replace => { - "NDC" => "%{[NDCs]}" - } - } - } - - mutate { - replace => { - "Logger" =>"%{[Logger]}" - "logmsg" =>"%{[logmsg]}" - "Timestamp" =>"%{[Timestamp]}" - "loglevel" =>"%{[loglevel]}" - "message" => "%{logmsg}" - "Thread" => "%{[Thread]}" - } - remove_field => ["mdcname", "mdcvalue", "logmsg","Exceptionthrowable","NDCs"] - } - - if [Timestamp] - { - date { - match => ["Timestamp", "UNIX_MS"] - target => "Timestamp" - } - } - } - # Filter for logback events - else { - - #mutate { add_field => { "orgmsg" => "%{message}" } } # Copy 
of orginal msg for debug - - mutate { - gsub => [ - 'message', ' = ', '=', - 'message', '= ', '=null', - 'message', '=\t', '=null\t', #This null is followed by a tab - 'message', '\t$', '\t' - ] - } - # The grok below parses the message field for all current logback patterns used by oom components. - # Example logback pattern: %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}|%X{RequestId}|%msg - # Example grok pattern: %{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message} - # Use the following command to find all logback patterns in oom directory: find oom -name "logback*xml" -exec grep "property.*attern.*value" {} \;|sort|uniq - grok { - match => { - "message" => [ - "%{TIMESTAMP_ISO8601:Timestamp}\\t[%{GREEDYDATA:Thread}]\\t%{GREEDYDATA:loglevel}\\t%{JAVACLASS:Logger}\\t%{GREEDYDATA:MDCs}\\t%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:TargetVirtualEntity}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", - 
"%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Timer}\|\[%{GREEDYDATA:caller}\]\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:ErrorCode}\|%{GREEDYDATA:ErrorDesc}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ClassName}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message}", - "\[%{TIMESTAMP_ISO8601:Timestamp}\|%{LOGLEVEL:loglevel}\|%{GREEDYDATA:Logger}\|%{GREEDYDATA:Thread}\] %{GREEDYDATA:message}" - ] - } - overwrite => ["message"] - } - # The MDCs are key value pairs that are seperated by "," or "\t". Extra space characters are trimmed from the keys and values. 
- kv { - source => "MDCs" - field_split => ",\t" - trim_key => "\s" - trim_value => "\s" - remove_field => [ "MDCs" ] - } - - if (![Timestamp] and [EndTimestamp]) { - mutate { add_field => { "Timestamp" => "%{EndTimestamp}" } } - } - date { - match => [ "Timestamp", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS" ] - target => "Timestamp" - } - - mutate { - remove_field => ["DuplicateRequestID", "Unknown1", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Unknown6", "Unknown7", "Unknown8"] - } - - if ([source] == "/var/log/onap/sdc/sdc-be/audit.log") { - #Parse kvps in message - kv { - field_split => "\s" - trim_key => "\s" - trim_value => "\s" - } - - #If Request Id is missing and DID is present use as RequestId - if (![RequestId] and [DID] =~ /.+/) { - mutate { add_field => { "RequestId" => "%{DID}" } } - } - } - - } #Close else statement for logback events -} #Close filter - - -output { - elasticsearch { - id => 'onap_es' - - ######### Security configurations ######### - - user => "elastic" - password => "changeme" - - ## The .cer or .pem file to validate the server's certificate - #cacert => $es_cacert - - ## The keystore used to present a certificate to the server. It can be either .jks or .p12 - #keystore => $es_keystore - #keystore_password => $es_keystore_password - - ## Enable SSL/TLS secured communication to Elasticsearch cluster. - ## Default is not set which in that case depends on the protocol specidfied in hosts list - #ssl => $es_ssl - - ## Option to validate the server's certificate. Default is true - #ssl_certificate_verification => $es_ssl_certificate_verification - - ## The JKS truststore to validate the server's certificate. - #truststore => $es_truststore - #truststore_password => $es_truststore_password - - - ######### Elasticsearchcluster and host configurations ######### - - ##can specify one or a list of hosts. 
If sniffing is set, one is enough and others will be auto-discovered - hosts => ["http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}"] - - - ## This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list. Default is false. - sniffing => true - - ## How long to wait, in seconds, between sniffing attempts. Default is 5 seconds. - #sniffing_delay => 5 - - ## Set the address of a forward HTTP proxy. - #proxy => $es_proxy - - ##Use this if you must run Elasticsearch behind a proxy that remaps the root path for the Elasticsearch HTTP API lives - #path => $es_path - - ######### Elasticsearch request configurations ######### - - ## This setting defines the maximum sized bulk request Logstash will make. - #flush_size => ? - - ######### Document configurations ######### - - index => "logstash-%{+YYYY.MM.dd}" - document_type => "logs" - - ## This can be used to associate child documents with a parent using the parent ID. - #parent => "abcd' - } -} - diff --git a/kubernetes/log/components/log-logstash/templates/NOTES.txt b/kubernetes/log/components/log-logstash/templates/NOTES.txt deleted file mode 100644 index f115eb6f23..0000000000 --- a/kubernetes/log/components/log-logstash/templates/NOTES.txt +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-logstash/templates/configmap.yaml b/kubernetes/log/components/log-logstash/templates/configmap.yaml deleted file mode 100644 index 3e98246df1..0000000000 --- a/kubernetes/log/components/log-logstash/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-logstash/templates/deployment.yaml b/kubernetes/log/components/log-logstash/templates/deployment.yaml deleted file mode 100644 index 92817fac88..0000000000 --- a/kubernetes/log/components/log-logstash/templates/deployment.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - log-elasticsearch - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/logstash/config/ - name: {{ include "common.fullname" . }}-config - - mountPath: /usr/share/logstash/pipeline/ - name: {{ include "common.fullname" . }}-pipeline - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - items: - - key: logstash.yml - path: logstash.yml - - name: {{ include "common.fullname" . }}-pipeline - configMap: - name: {{ include "common.fullname" . }} - items: - - key: onap-pipeline.conf - path: onap-pipeline.conf - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/log/components/log-logstash/templates/ingress.yaml b/kubernetes/log/components/log-logstash/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/log/components/log-logstash/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} 
diff --git a/kubernetes/log/components/log-logstash/templates/service.yaml b/kubernetes/log/components/log-logstash/templates/service.yaml deleted file mode 100644 index 7736f0c9d7..0000000000 --- a/kubernetes/log/components/log-logstash/templates/service.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name2 }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.name2 }} - {{- else -}} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-logstash/values.yaml b/kubernetes/log/components/log-logstash/values.yaml deleted file mode 100644 index 7a0674cdf5..0000000000 --- a/kubernetes/log/components/log-logstash/values.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# application image -image: logstash/logstash:5.4.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - elasticsearchServiceName: log-es - elasticsearchPort: 9200 - -# default number of instances -# 30+ logs/sec will saturate a single node to 6+ vCores -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. 
- type: NodePort - name: log-ls - externalPort: 5044 - internalPort: 5044 - nodePort: 55 - type2: ClusterIP - name2: log-ls-http - externalPort2: 9600 - internalPort2: 9600 -ingress: - enabled: false - service: - - baseaddr: "logls" - name: "log-ls" - port: 5044 - - baseaddr: "loglshttp" - name: "log-ls" - port: 9600 - config: - ssl: "none" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 0.5 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/values.yaml b/kubernetes/log/values.yaml deleted file mode 100644 index ddcf5235cd..0000000000 --- a/kubernetes/log/values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 diff --git a/kubernetes/modeling/Chart.yaml b/kubernetes/modeling/Chart.yaml index fdb4031609..72e6b880d2 100644 --- a/kubernetes/modeling/Chart.yaml +++ b/kubernetes/modeling/Chart.yaml 
@@ -17,9 +17,9 @@ apiVersion: v2 description: ONAP Modeling (Modeling) name: modeling -version: 11.0.0 +version: 13.0.0 dependencies: - name: modeling-etsicatalog - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/modeling-etsicatalog' diff --git a/kubernetes/modeling/Makefile b/kubernetes/modeling/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/modeling/Makefile +++ b/kubernetes/modeling/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/modeling/components/Makefile b/kubernetes/modeling/components/Makefile index f4c9784bc4..9544d70f33 100644 --- a/kubernetes/modeling/components/Makefile +++ b/kubernetes/modeling/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml b/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml index 0c6dc78100..80db5cc8b9 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml @@ -17,26 +17,26 @@ apiVersion: v2 description: ONAP Modeling - Etsicatalog name: modeling-etsicatalog -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: mariadb-init - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - condition: not global.mariadbGalera.localCluster + condition: global.mariadbGalera.globalCluster - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml index d9cbbef15b..fbe3e0ca07 100644 
--- a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml @@ -41,8 +41,13 @@ spec: - command: - /app/ready.py args: - - -j - - "{{ include "common.release" . }}-{{ include "common.name" . }}-config-job" +{{- if .Values.global.mariadbGalera.localCluster }} + - --service-name + - {{ index .Values "mariadb-galera" "service" "name" }} +{{- else }} + - --job-name + - {{ include "common.release" . }}-etsicatalog-db-config-job +{{- end }} env: - name: NAMESPACE valueFrom: @@ -52,7 +57,16 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-job-readiness - {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for.msb ) | indent 6 | trim }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + {{ if .Values.config.msb_enabled }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + {{ end }} - command: - /bin/sh - -c 
@@ -84,18 +98,30 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: + {{- if and (include "common.needTLS" .) (eq .Values.config.ssl_enabled true) }} - name: SSL_ENABLED - value: "{{ .Values.config.ssl_enabled }}" + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} - name: MSB_ENABLED value: "{{ .Values.config.msb_enabled }}" + {{- if (include "common.needTLS" .) }} + - name: MSB_ADDR + value: "{{ .Values.config.msbProtocol }}s://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPort }}" + - name: SDC_ADDR + value: "{{ .Values.config.sdcProtocol }}s://{{ .Values.config.sdcServiceName }}:{{ .Values.config.sdcPort }}" + {{- else }} - name: MSB_ADDR - value: "{{ .Values.config.msbProtocol }}://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPort }}" + value: "{{ .Values.config.msbProtocol }}://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPlainPort }}" - name: SDC_ADDR - value: "{{ .Values.config.sdcProtocol }}://{{ .Values.config.sdcServiceName }}:{{ .Values.config.sdcPort }}" + value: "{{ .Values.config.sdcProtocol }}://{{ .Values.config.sdcServiceName }}:{{ .Values.config.sdcPlainPort }}" + {{- end }} - name: DMAAP_ENABLED value: "{{ .Values.config.dmaap_enabled }}" - name: DMAAP_ADDR - value: "{{ .Values.config.dmaapProtocol }}://{{ .Values.config.dmaapServiceName }}:{{ .Values.config.dmaapPort }}" + value: "{{ .Values.config.dmaapProtocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.config.dmaapServiceName }}:{{ .Values.config.dmaapPort }}" - name: DB_IP value: "{{ include "common.mariadbService" . }}" - name: DB_PORT 
@@ -107,16 +133,12 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-etsicatalog mountPath: /service/modeling/etsicatalog/static - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/modeling/etsicatalog/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -137,9 +159,6 @@ spec: {{- else }} emptyDir: {} {{- end }} - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig @@ -147,5 +166,4 @@ spec: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/service.yaml b/kubernetes/modeling/components/modeling-etsicatalog/templates/service.yaml index 20d3fd22ab..688c04b06c 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/templates/service.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/templates/service.yaml 
@@ -70,11 +70,11 @@ spec: - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- else -}} - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- end}} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml index 61df057fdb..83cfde8a7b 100644 --- a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml +++ b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml @@ -22,8 +22,13 @@ global: mountPath: /dockerdata-nfs mariadbGalera: - #This flag allows Modeling to instantiate its own mariadb-galera cluster + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows SO to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) localCluster: false + globalCluster: true service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera @@ -32,10 +37,8 @@ global: readinessCheck: wait_for: - msb: - name: msb - containers: - - msb-iag + services: + - msb-iag ################################################################# # Secrets metaconfig @@ -54,6 +57,7 @@ secrets: mariadb-galera: db: + user: &dbUser etsicatalog externalSecret: *dbSecretName name: &mysqlDbName etsicatalog nameOverride: &modeling-db modeling-db 
@@ -67,13 +71,19 @@ mariadb-galera: disableNfsProvisioner: true serviceAccount: nameOverride: *modeling-db + replicaCount: 1 + mariadbOperator: + galera: + enabled: false mariadb-init: config: userCredentialsExternalSecret: *dbSecretName mysqlDatabase: *mysqlDbName # nameOverride should be the same with common.name - nameOverride: modeling-etsicatalog + nameOverride: etsicatalog-db + serviceAccount: + nameOverride: etsicatalog-db ################################################################# # Application configuration defaults. @@ -82,20 +92,22 @@ config: #application configuration about msb ssl_enabled: false msb_enabled: false - msbProtocol: https + msbProtocol: http msbServiceName: msb-iag msbPort: 443 - sdcProtocol: https + msbPlainPort: 80 + sdcProtocol: http sdcServiceName: sdc-be sdcPort: 8443 + sdcPlainPort: 8080 dmaap_enabled: false - dmaapProtocol: https + dmaapProtocol: http dmaapServiceName: message-router-external dmaapPort: 3905 #application configuration user password about mariadb db: - userName: etsicatalog + userName: *dbUser # userPassword: password # userCredentialsExternalSecret: some-secret @@ -154,7 +166,7 @@ persistence: service: type: ClusterIP name: modeling-etsicatalog - portName: modeling-etsicatalog + portName: http externalPort: 8806 internalPort: 8806 # nodePort: 30806 @@ -166,18 +178,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} #Pods Service Account diff --git a/kubernetes/msb/Chart.yaml b/kubernetes/msb/Chart.yaml index 0ca765779c..67db10be70 100644 --- a/kubernetes/msb/Chart.yaml +++ b/kubernetes/msb/Chart.yaml 
@@ -18,28 +18,28 @@ apiVersion: v2 description: ONAP MicroServices Bus name: msb -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: kube2msb - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/kube2msb' - name: msb-consul - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/msb-consul' - name: msb-discovery - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/msb-discovery' - name: msb-eag - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/msb-eag' - name: msb-iag - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/msb-iag' diff --git a/kubernetes/msb/Makefile b/kubernetes/msb/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/msb/Makefile +++ b/kubernetes/msb/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock 
diff --git a/kubernetes/msb/components/Makefile b/kubernetes/msb/components/Makefile index f4c9784bc4..9544d70f33 100644 --- a/kubernetes/msb/components/Makefile +++ b/kubernetes/msb/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/msb/components/kube2msb/Chart.yaml b/kubernetes/msb/components/kube2msb/Chart.yaml index ec63e0565f..2e823e69b8 100644 --- a/kubernetes/msb/components/kube2msb/Chart.yaml +++ b/kubernetes/msb/components/kube2msb/Chart.yaml @@ -16,12 +16,12 @@ apiVersion: v2 description: ONAP MicroServices Bus Kube2MSB Registrator name: kube2msb -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/kube2msb/templates/deployment.yaml b/kubernetes/msb/components/kube2msb/templates/deployment.yaml index ed99deea43..b83d4c9d99 100644 --- a/kubernetes/msb/components/kube2msb/templates/deployment.yaml 
+++ b/kubernetes/msb/components/kube2msb/templates/deployment.yaml @@ -41,7 +41,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - msb-discovery env: - name: NAMESPACE @@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -61,12 +68,7 @@ spec: value: {{ .Values.config.kubeMasterUrl }} - name: MSB_URL value: {{tpl $.Values.config.discoveryUrl .}} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -75,9 +77,4 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/kube2msb/values.yaml b/kubernetes/msb/components/kube2msb/values.yaml index d2a0a15f49..bdc7c06b3b 100644 --- a/kubernetes/msb/components/kube2msb/values.yaml +++ b/kubernetes/msb/components/kube2msb/values.yaml @@ -55,16 +55,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 500m - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} 
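Review bot: in the `small` flavor the memory limit drops from `1Gi` to `500Mi` while the request stays at `500Mi`, so request and limit are now equal and any growth above the request ends in an OOM kill; confirm the new limit against observed usage of kube2msb. CPU quantities in this hunk are written as `"0.5"` and `"1"`, while the readiness init container added in this chart's deployment.yaml uses millicore form (`"100m"`, `"3m"`); pick one notation.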
diff --git a/kubernetes/msb/components/msb-consul/Chart.yaml b/kubernetes/msb/components/msb-consul/Chart.yaml index 830023b046..356ca84972 100644 --- a/kubernetes/msb/components/msb-consul/Chart.yaml +++ b/kubernetes/msb/components/msb-consul/Chart.yaml @@ -16,15 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Consul name: msb-consul -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-consul/templates/deployment.yaml b/kubernetes/msb/components/msb-consul/templates/deployment.yaml index d03829d89d..d229590da0 100644 --- a/kubernetes/msb/components/msb-consul/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-consul/templates/deployment.yaml @@ -68,14 +68,10 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/docker-entrypoint.sh name: entrypoint subPath: docker-entrypoint.sh - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -86,12 +82,8 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: entrypoint configMap: name: {{ include "common.fullname" . }}-entrypoint defaultMode: 0777 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
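Review bot: the `entrypoint` configMap volume kept as context at the end of this hunk still sets `defaultMode: 0777`, which grants write and execute on `docker-entrypoint.sh` to every user when execute is all the entrypoint needs. Since the hunk already edits this `volumes:` list to drop the `localtime` hostPath, tighten the mode to `0555` (or `0755`) in the same change.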
diff --git a/kubernetes/msb/components/msb-consul/values.yaml b/kubernetes/msb/components/msb-consul/values.yaml index 258d49e30b..37ccf988d8 100644 --- a/kubernetes/msb/components/msb-consul/values.yaml +++ b/kubernetes/msb/components/msb-consul/values.yaml @@ -57,7 +57,7 @@ service: ingress: enabled: false service: - - baseaddr: "msbconsul" + - baseaddr: "msb-consul-api" name: "msb-consul" port: 8500 config: @@ -69,18 +69,18 @@ flavor: small resources: small: limits: - cpu: 20m - memory: 100Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 10m - memory: 50Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 40m - memory: 200Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 20m - memory: 100Mi + cpu: "1" + memory: "1Gi" unlimited: {} securityContext: diff --git a/kubernetes/msb/components/msb-discovery/Chart.yaml b/kubernetes/msb/components/msb-discovery/Chart.yaml index 8d0c9a1ea4..545bc0082a 100644 --- a/kubernetes/msb/components/msb-discovery/Chart.yaml +++ b/kubernetes/msb/components/msb-discovery/Chart.yaml @@ -16,15 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Discovery name: msb-discovery -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-discovery/templates/deployment.yaml b/kubernetes/msb/components/msb-discovery/templates/deployment.yaml index d9f902be4d..4f286535dc 100644 --- a/kubernetes/msb/components/msb-discovery/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-discovery/templates/deployment.yaml @@ -40,7 +40,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - msb-consul env: - name: NAMESPACE 
@@ -51,6 +51,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -75,13 +82,9 @@ spec: - name: CONSUL_IP value: msb-consul.{{ include "common.namespace" . }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/discover-works/logs name: {{ include "common.fullname" . }}-logs - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -101,8 +104,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/msb-discovery/values.yaml b/kubernetes/msb/components/msb-discovery/values.yaml index 2d18d14532..b8c361a296 100644 --- a/kubernetes/msb/components/msb-discovery/values.yaml +++ b/kubernetes/msb/components/msb-discovery/values.yaml @@ -57,7 +57,7 @@ service: ingress: enabled: false service: - - baseaddr: "msb.api.discovery" + - baseaddr: "msb-discovery-api" name: "msb-discovery" port: 10081 config: 
@@ -69,18 +69,18 @@ flavor: small resources: small: limits: - cpu: 400m - memory: 400Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 200m - memory: 200Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 800m - memory: 800Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 400m - memory: 400Mi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/msb/components/msb-eag/Chart.yaml b/kubernetes/msb/components/msb-eag/Chart.yaml index 1348eaa3d9..d42c99388d 100644 --- a/kubernetes/msb/components/msb-eag/Chart.yaml +++ b/kubernetes/msb/components/msb-eag/Chart.yaml @@ -16,18 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Internal API Gateway name: msb-eag -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml index 30c0a80209..62bbf4272a 100644 --- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-eag/templates/configmap.yaml @@ -21,11 +21,4 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} + diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml index db24152026..da2afc3bfc 100644 
--- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-eag/templates/deployment.yaml @@ -16,33 +16,18 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: - - --container-name + - --service-name - msb-discovery env: - name: NAMESPACE 
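Review bot: the pod template's explicit `sidecar.istio.io/inject: "{{.Values.istioSidecar}}"` annotation is removed in favour of `common.templateMetadata`, and the same hunk drops the `common.certInitializer.initContainer` line. Verify with `helm template` that the rendered pod still carries the injection annotation driven by `istioSidecar`, because after this change the chart no longer provisions a certificate of its own.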
@@ -53,15 +38,18 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPortHttps }} - name: {{ .Values.service.name }}-https + ports: {{- include "common.containerPorts" . | indent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -84,17 +72,9 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -107,18 +87,10 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/msb-eag/templates/service.yaml b/kubernetes/msb/components/msb-eag/templates/service.yaml index e8e3a8a947..eeeafc15fc 100644 --- a/kubernetes/msb/components/msb-eag/templates/service.yaml +++ b/kubernetes/msb/components/msb-eag/templates/service.yaml 
@@ -13,32 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPortHttps }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePortHttps }} - name: https-{{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: http-{{ .Values.service.name }} - - port: {{ .Values.service.externalPortHttps }} - targetPort: {{ .Values.service.internalPortHttps }} - name: https-{{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index dcd4aed13f..49f0be78f5 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml 
@@ -18,41 +18,11 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-eag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-eag - fqi: msb-eag@msb-eag.onap.org - fqi_namespace: org.onap.msb-eag - public_fqdn: msb-eag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/msb/msb_apigateway:1.4.0 +image: onap/msb/msb_apigateway:1.6.0 pullPolicy: Always istioSidecar: true 
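Review bot: removing the `certInitializer` block takes away the only source of `cert.crt` and `cert.key` for this gateway, which the same values file exposes as a `NodePort` service, so transport protection now depends entirely on what sits beside or in front of the pod (`istioSidecar: true` remains in the trailing context). State that dependency in a comment in this file or in the release notes. The deleted default `aafDeployPass: demo123456!` stays in repository history, so it should be treated as a known password anywhere it was deployed.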
@@ -82,18 +52,21 @@ readiness: service: type: NodePort name: msb-eag - externalPort: 80 + # for liveness and readiness probe only + # internalPort: internalPort: 80 - externalPortHttps: 443 - internalPortHttps: 443 - nodePortHttps: 84 + ports: + - name: msb-eag + port: 80 + port_protocol: http + nodePort: '84' ingress: enabled: false service: - - baseaddr: "msbeag" + - baseaddr: "msb-eag-ui" name: "msb-eag" - port: 443 + port: 80 config: ssl: "redirect" @@ -103,18 +76,18 @@ flavor: small resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 100m - memory: 200Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 400m - memory: 800Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 200m - memory: 400Mi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/msb/components/msb-iag/Chart.yaml b/kubernetes/msb/components/msb-iag/Chart.yaml index 38084154c6..50fa020c8b 100644 --- a/kubernetes/msb/components/msb-iag/Chart.yaml +++ b/kubernetes/msb/components/msb-iag/Chart.yaml @@ -16,18 +16,15 @@ apiVersion: v2 description: ONAP MicroServices Bus Internal API Gateway name: msb-iag -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-iag/templates/configmap.yaml b/kubernetes/msb/components/msb-iag/templates/configmap.yaml index 30c0a80209..7214c8a95f 100644 --- a/kubernetes/msb/components/msb-iag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-iag/templates/configmap.yaml @@ -21,11 +21,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-iag/templates/deployment.yaml b/kubernetes/msb/components/msb-iag/templates/deployment.yaml index db24152026..da2afc3bfc 100644 
--- a/kubernetes/msb/components/msb-iag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-iag/templates/deployment.yaml @@ -16,33 +16,18 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: - - --container-name + - --service-name - msb-discovery env: - name: NAMESPACE 
@@ -53,15 +38,18 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPortHttps }} - name: {{ .Values.service.name }}-https + ports: {{- include "common.containerPorts" . | indent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -84,17 +72,9 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -107,18 +87,10 @@ spec: {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/msb/components/msb-iag/templates/service.yaml b/kubernetes/msb/components/msb-iag/templates/service.yaml index e8e3a8a947..eeeafc15fc 100644 --- a/kubernetes/msb/components/msb-iag/templates/service.yaml +++ b/kubernetes/msb/components/msb-iag/templates/service.yaml 
@@ -13,32 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPortHttps }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePortHttps }} - name: https-{{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: http-{{ .Values.service.name }} - - port: {{ .Values.service.externalPortHttps }} - targetPort: {{ .Values.service.internalPortHttps }} - name: https-{{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index bbf4d83f9d..19b500a62c 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml 
@@ -18,41 +18,11 @@ global: nodePortPrefix: 302 -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-iag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: msb-iag - fqi: msb-iag@msb-iag.onap.org - fqi_namespace: org.onap.msb-iag - public_fqdn: msb-iag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/msb/msb_apigateway:1.4.0 +image: onap/msb/msb_apigateway:1.6.0 pullPolicy: Always istioSidecar: true 
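Review bot: `image: onap/msb/msb_apigateway:1.6.0` is a tag reference, and with `pullPolicy: Always` in the trailing context every pod restart pulls whatever the registry currently serves under that tag. Pin the image by digest (`onap/msb/msb_apigateway@sha256:<digest>`) or document why the tag is trusted to be immutable.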
@@ -82,19 +52,21 @@ readiness: service: type: NodePort name: msb-iag - externalPort: 80 + # for liveness and readiness probe only + # internalPort: internalPort: 80 - nodePort: 80 - externalPortHttps: 443 - internalPortHttps: 443 - nodePortHttps: 83 + ports: + - name: msb-iag + port: 80 + port_protocol: http + nodePort: '83' ingress: enabled: false service: - - baseaddr: "msbiag" + - baseaddr: "msb-iag-ui" name: "msb-iag" - port: 443 + port: 80 config: ssl: "redirect" @@ -104,18 +76,18 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 400Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 50m - memory: 200Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 200m - memory: 800Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 100m - memory: 400Mi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/Chart.yaml b/kubernetes/multicloud/Chart.yaml index 7bc5f17613..48a3b9631a 100644 --- a/kubernetes/multicloud/Chart.yaml +++ b/kubernetes/multicloud/Chart.yaml 
@@ -18,43 +18,43 @@ apiVersion: v2 description: ONAP multicloud broker name: multicloud -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: multicloud-fcaps - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-fcaps' condition: multicloud-fcaps.enabled - name: multicloud-k8s - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-k8s' condition: multicloud-k8s.enabled - name: multicloud-pike - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-pike' condition: multicloud-pike.enabled - name: multicloud-prometheus - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-prometheus' condition: multicloud-prometheus.enabled - name: multicloud-starlingx - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-starlingx' condition: multicloud-starlingx.enabled - name: multicloud-vio - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-vio' condition: multicloud-vio.enabled - name: multicloud-windriver - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-windriver' condition: multicloud-windriver.enabled - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/Makefile b/kubernetes/multicloud/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/multicloud/Makefile +++ b/kubernetes/multicloud/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
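Review bot: with `SKIP_LINT=TRUE` the `HELM_LINT_CMD` becomes an `echo`, and because `package-%` depends on `lint-%`, charts are then packaged and pushed without ever being linted. The match is an exact, case-sensitive comparison against `TRUE`, so `true` or `1` silently keeps linting on. Add a comment above the `ifneq` documenting the variable and its accepted value, and keep it unset in CI.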
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/multicloud/components/Makefile b/kubernetes/multicloud/components/Makefile index 1ea8433a9c..9544d70f33 100644 --- a/kubernetes/multicloud/components/Makefile +++ b/kubernetes/multicloud/components/Makefile @@ -17,9 +17,15 @@ OUTPUT_DIR := $(ROOT_DIR)/../../dist PACKAGE_DIR := $(OUTPUT_DIR)/packages SECRET_DIR := $(OUTPUT_DIR)/secrets -EXCLUDES := soHelpers +EXCLUDES := HELM_BIN := helm -HELM_CHARTS := soHelpers $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock 
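Review bot: In the new `package-%` recipe, `PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2)` takes its exit status from `cut`, so a failed `helm package` still reaches `cm-push` with an empty name, and the parse breaks if the package path itself contains a colon. Build the archive path from the chart name and version, or check that the file exists before pushing. `cm-push -f` also forces the upload even when that chart version already exists in `local`, the `@sleep 3` has no stated reason, and the commented-out `#@$(HELM_BIN) repo index $(PACKAGE_DIR)` line should be deleted rather than left in the recipe.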
diff --git a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml index c8fdd60d11..b825f67969 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml @@ -16,15 +16,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack fcaps Plugin name: multicloud-fcaps -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml index f71255bc5f..7c850a4463 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml 
@@ -16,91 +16,73 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: {{ .Values.config.msbprotocol }} - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{ .Values.config.msbPort }}" - - name: AAI_ADDR - value: aai.{{ include "common.namespace" . }} - - name: AAI_PORT - value: "{{ .Values.config.aai.port }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{ .Values.config.ssl_enabled }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: fcaps-log - - mountPath: /opt/fcaps/fcaps/pub/config/log.yml - name: fcaps-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-fcaps/v1/healthcheck - port: {{ .Values.service.internalPort }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.rabbitmq }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: rabbit-mq - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: fcaps-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 5 }} - - name: fcaps-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . 
}}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: fcaps-log + - mountPath: /opt/fcaps/fcaps/pub/config/log.yml + name: fcaps-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-fcaps/v1/healthcheck + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.rabbitmq }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: rabbit-mq + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} + volumes: + - name: fcaps-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: fcaps-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml index fabe32e0ff..ce6f1479bd 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml 
@@ -1,62 +1,18 @@ {{/* # Copyright (c) 2019, CMCC Technologies Co., Ltd. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-fcaps", - "version": "v0", - "url": "/api/multicloud-fcaps/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-fcaps", - "version": "v1", - "url": "/api/multicloud-fcaps/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-fcaps/values.yaml b/kubernetes/multicloud/components/multicloud-fcaps/values.yaml index 21be9d38cb..f6adfba5ae 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/values.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/values.yaml @@ -26,16 +26,14 @@ image: onap/multicloud/openstack-fcaps:1.5.7 pullPolicy: Always #Istio sidecar injection policy -istioSidecar: false +istioSidecar: true # application configuration config: - ssl_enabled: true - msbprotocol: https msbgateway: msb-iag - msbPort: 443 + msbPort: 80 aai: - port: 8443 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
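Review bot: `istioSidecar` flips to `true` in the same hunk that moves `msbPort` and `aaiPort` to 80 and drops `ssl_enabled` and `msbprotocol`, yet the fcaps deployment template in this patch removes the `sidecar.istio.io/inject: "{{.Values.istioSidecar}}"` annotation, so nothing visible here still reads the value. Please confirm that `common.templateMetadata` consumes it, or drop the key, and say in the comment above it that the chart now depends on the mesh for transport encryption, because `username: AAI` and `password: AAI` are otherwise sent to AAI over plain HTTP. Those two defaults would also be better sourced from a Secret than kept in values.yaml.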
@@ -57,15 +55,42 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-fcaps - portName: multicloud-fcaps - externalPort: 9011 + type: NodePort internalPort: 9011 - nodePort: 87 + ports: + - name: http + port: 9011 + nodePort: '87' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-fcaps", + "version": "v0", + "url": "/api/multicloud-fcaps/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-fcaps", + "version": "v1", + "url": "/api/multicloud-fcaps/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-fcaps-api' + name: 'multicloud-fcaps' + port: 9011 # Resource Limit flavor -By Default using small flavor: small @@ -73,18 +98,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # rabbit-mq image resource diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml index c6645db05c..4099f826ce 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 description: ONAP Multicloud Kubernetes Plugin name: multicloud-k8s -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: mongo - version: ~11.x-0 + - name: mongodb + version: 14.12.2 repository: '@local' - name: etcd - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json index 2ce2d8564b..54b2b0e12b 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json @@ -5,7 +5,7 @@ "port":9014, "userName":"healthcheck", "password":"zb!XztG34", - "https":true + "https":{{ (eq "true" (include "common.needTLS" .)) | ternary true false }} }, "receptionHandlerParameters":{ "SDCReceptionHandler":{ @@ -27,15 +27,11 @@ "sdcConfiguration":{ "parameterClassName":"org.onap.policy.distribution.reception.handling.sdc.SdcReceptionHandlerConfigurationParameterGroup", "parameters":{ - "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443", - "messageBusAddress": [ - "message-router.{{ include "common.namespace" . }}" - ], + "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }}", "user": "multicloud", "password": "Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U", "pollingInterval":20, "pollingTimeout":30, - "consumerId": "multicloud-k8s-id", "artifactTypes": [ "TOSCA_CSAR", "HEAT", 
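Review bot: The `sdcConfiguration` parameters keep a literal `"password"` for `"user": "multicloud"` directly below the `sdcAddress` line this hunk rewrites, and when `common.needTLS` is false that address now resolves to port 8080, so the credential leaves the container over plain HTTP. The file is already a template, so the password can be injected from a Secret in the same way this patch wires `SASL_JAAS_CONFIG` through `secretKeyRef` in the deployment. The same applies to the `healthcheck` password in the first hunk of this file.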
@@ -48,13 +44,20 @@ "CLOUD_TECHNOLOGY_SPECIFIC_ARTIFACT", "HELM" ], - "consumerGroup": "multicloud-k8s-group", + {{- with (first .Values.kafkaUser.acls) }} + "consumerGroup": "{{ .name }}", + "consumerId": "{{ .name }}-k8s", + {{- end }} "environmentName": "AUTO", "keystorePath": "null", "keystorePassword": "null", "activeserverTlsAuth": false, "isFilterinEmptyResources": true, - "isUseHttpsWithDmaap": false + "isUseHttpsWithSDC": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}, + "httpsproxyHost": "null", + "httpproxyHost": "null", + "httpsproxyPort": 8181, + "httpproxyPort": 8080 } } }, @@ -62,7 +65,7 @@ "k8sConfiguration":{ "parameterClassName":"org.onap.policy.distribution.forwarding.k8s.K8sArtifactForwarderParameterGroup", "parameters":{ - "useHttps": true, + "useHttps": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}, "hostname": "pdp", "port": 8081, "userName": "testpdp", diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml index e63be9c81c..9881a13615 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml 
@@ -16,24 +16,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -41,8 +29,7 @@ spec: name: {{ include "common.name" . }} command: ["/opt/multicloud/k8splugin/k8plugin"] workingDir: /opt/multicloud/k8splugin - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: @@ -56,14 +43,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/multicloud/k8splugin/k8sconfig.json name: {{ include "common.name" .}} subPath: k8sconfig.json - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -73,6 +56,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.artifactImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: framework-artifactbroker command: ["/opt/app/distribution/bin/artifact-dist.sh"] args: ["/opt/app/distribution/etc/mounted/config.json"] @@ -85,15 +69,17 @@ spec: subPath: config.json - mountPath: /data name: artifact-data + env: + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name : {{ include "common.name" . }} configMap: name: {{ include "common.fullname" . }} - name: artifact-data emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} 
diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/secret.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/secret.yaml new file mode 100644 index 0000000000..bb5091f01a --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} 
diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml index b2b39db899..dc9695266a 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,39 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-k8s", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.PortName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml index b152af282e..5c9c0ad864 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml 
+++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml @@ -18,7 +18,16 @@ global: nodePortPrefixExt: 304 persistence: {} - artifactImage: onap/multicloud/framework-artifactbroker:1.7.3 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* ################################################################# # Application configuration defaults. @@ -27,6 +36,17 @@ global: image: onap/multicloud/k8s:0.10.1 pullPolicy: Always +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: multicloud + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + # flag to enable debugging - application support required debugEnabled: false 
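Review bot: The order of the entries under `kafkaUser.acls` is load-bearing, because config.json in this patch derives `consumerGroup` and `consumerId` from `first .Values.kafkaUser.acls`; if the `SDC-DISTR` topic entry is ever listed first, the consumer group silently becomes `SDC-DISTR`. Add a comment that the `type: group` entry must stay first, or select the entry by type in the template. Please also confirm that `Write` on the `SDC-DISTR` prefix is required, since the group entry asks only for `Read`.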
@@ -52,53 +72,78 @@ readiness: periodSeconds: 30 service: - type: ClusterIP - name: multicloud-k8s - portName: multicloud-k8s + type: NodePort internalPort: 9015 - externalPort: 9015 - nodePort: 98 + ports: + - name: http + port: 9015 + nodePort: '98' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-k8s", + "version": "v1", + "url": "/", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-k8s-api' + name: 'multicloud-k8s' + port: 9015 #Mongo chart overrides for k8splugin -mongo: +mongodb: nameOverride: multicloud-k8s-mongo service: - name: multicloud-k8s-mongo - internalPort: 27017 - nfsprovisionerPrefix: multicloud-k8s - sdnctlPrefix: multicloud-k8s + nameOverride: multicloud-k8s-mongo + port: 27017 + auth: + enabled: false + resources: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "500m" + memory: "2Gi" + +#etcd chart overrides for k8splugin +etcd: + nameOverride: multicloud-k8s-etcd + service: + name: multicloud-k8s-etcd + clientPortName: tcp-etcd-client + peerPortName: tcp-etcd-server persistence: - mountSubPath: multicloud-k8s/mongo/data + mountSubPath: multicloud-k8s/etcd/data enabled: true - disableNfsProvisioner: true - flavor: &storage_flavor large - resources: &storage_resources + flavor: large + resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 75Mi + cpu: "10m" + memory: "70Mi" large: limits: - cpu: 200m - memory: 1Gi + cpu: "200m" + memory: "1Gi" requests: - cpu: 50m - memory: 300Mi + cpu: "50m" + memory: "300Mi" unlimited: {} -#etcd chart overrides for k8splugin -etcd: - nameOverride: multicloud-k8s-etcd - service: - name: multicloud-k8s-etcd - persistence: - mountSubPath: multicloud-k8s/etcd/data - enabled: true - flavor: *storage_flavor - 
resources: *storage_resources # No persistence right now as we rely on Mongo to handle that persistence: @@ -109,9 +154,6 @@ persistence: mountPath: /dockerdata-nfs mountSubPath: multicloud-k8s/data -ingress: - enabled: false - artifactbroker: internalPort: 9014 @@ -120,18 +162,18 @@ flavor: large resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 400m - memory: 1Gi + cpu: "400m" + memory: "1Gi" requests: - cpu: 10m - memory: 100Mi + cpu: "10m" + memory: "100Mi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/components/multicloud-pike/Chart.yaml b/kubernetes/multicloud/components/multicloud-pike/Chart.yaml index 45dd8e5668..74d6b8ce29 100644 --- a/kubernetes/multicloud/components/multicloud-pike/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack Pike Plugin name: multicloud-pike -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml index a802cb1466..1822695eab 100644 --- a/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml 
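Review bot: In the `mongodb:` overrides of multicloud-k8s/values.yaml (hunk `@@ -52,53 +72,78 @@`), `auth:` with `enabled: false` turns authentication off for the database served on port 27017, and the removed `mongo:` block had no equivalent setting to compare against. Please either enable auth and hand the credentials to k8splugin through a Secret, or add a comment naming the control (NetworkPolicy, mesh authorization policy) that restricts access to the `multicloud-k8s-mongo` service. The same hunk replaces the shared `&storage_flavor` and `&storage_resources` anchors with copied values under `etcd`, where the small memory request drops from `75Mi` to `70Mi`; if that is intended, mention it in the commit message.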
@@ -16,90 +16,72 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: {{ .Values.config.msbprotocol }} - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{ .Values.config.msbPort }}" - - name: AAI_ADDR - value: aai.{{ include "common.namespace" . }} - - name: AAI_PORT - value: "{{ .Values.config.aai.port }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{ .Values.config.ssl_enabled }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: pike-log - - mountPath: /opt/pike/pike/pub/config/log.yml - name: pike-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/sh"] - args: ["-c", "/bin/sh /opt/pike/run.sh"] - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-pike/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: HTTP - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: pike-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 5 }} - - name: pike-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . 
}}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: pike-log + - mountPath: /opt/pike/pike/pub/config/log.yml + name: pike-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/sh"] + args: ["-c", "/bin/sh /opt/pike/run.sh"] + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-pike/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: pike-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . 
"configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} + - name: pike-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-pike/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml index 503fae375a..adbb87c70d 100644 --- a/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml 
@@ -1,61 +1,18 @@ {{/* # Copyright (c) 2018 Intel Corporation. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-pike", - "version": "v0", - "url": "/api/multicloud-pike/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - }, - { - "serviceName": "multicloud-pike", - "version": "v1", - "url": "/api/multicloud-pike/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' - -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-pike/values.yaml b/kubernetes/multicloud/components/multicloud-pike/values.yaml index 7b606a5492..643daa7e3f 100644 --- a/kubernetes/multicloud/components/multicloud-pike/values.yaml +++ b/kubernetes/multicloud/components/multicloud-pike/values.yaml @@ -25,17 +25,12 @@ global: image: onap/multicloud/openstack-pike:1.5.7 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: true - # application configuration config: - ssl_enabled: false - msbprotocol: https msbgateway: msb-iag - msbPort: 443 + msbPort: 80 aai: - port: 8443 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
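Review bot: In the `config:` block of multicloud-pike/values.yaml, `msbPort` and `aaiPort` both move to 80 and `ssl_enabled` / `msbprotocol` are dropped, while the context lines still carry `username: AAI` and `password: AAI`, so the component is now configured to reach AAI on a plain-HTTP port with those credentials and nothing in this hunk says what protects that traffic. The same hunk removes `istioSidecar`, so the chart no longer states its own sidecar policy either. Please add a values comment naming what is expected to provide transport security, and consider taking the password from a Secret reference instead of a literal default. The service hunk that follows also changes `type` from ClusterIP to NodePort, which puts this plain-HTTP port on the node; if that is only needed for MSB registration, say so next to the setting.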
@@ -57,15 +52,41 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-pike - portName: multicloud-pike - externalPort: 9007 + type: NodePort internalPort: 9007 - nodePort: 96 + ports: + - name: http + port: 9007 + nodePort: '96' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-pike", + "version": "v0", + "url": "/api/multicloud-pike/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-pike", + "version": "v1", + "url": "/api/multicloud-pike/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-pike-api' + name: 'multicloud-pike' + port: 9007 # Resource Limit flavor -By Default using small flavor: small @@ -73,18 +94,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # memcached image resource diff --git a/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml index 1fbfcd4a36..2ed930aa65 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml 
@@ -17,21 +17,21 @@ apiVersion: v2 description: ONAP Multicloud Prometheus name: multicloud-prometheus -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: prometheus-alertmanager - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/prometheus-alertmanager' - name: prometheus-grafana - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/prometheus-grafana' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml index 7734428db2..b4643db800 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: ONAP Multicloud Prometheus Alert Manager name: prometheus-alertmanager -version: 11.0.0 +version: 13.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml index ca56b670cd..185aa1e47b 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml 
@@ -93,8 +93,6 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always - {{- end -}} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml index ccd70b30cf..5b48f73a45 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml @@ -72,16 +72,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml index b72890c141..cc89de3d26 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: ONAP Multicloud Grafana for Prometheus name: prometheus-grafana -version: 11.0.0 +version: 13.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml index 2dea842733..e578feb96d 100644 
--- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml @@ -132,8 +132,6 @@ spec: name: {{ include "common.fullname" $ }}-dashboards-{{ . }} {{- end }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always - {{- end -}} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml index 43f4e93a6f..0d066bbdc7 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml @@ -99,16 +99,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml index 74941292fd..a75ac28b2d 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml 
@@ -16,25 +16,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - image: {{ include "repositoryGenerator.image.busybox" . }} @@ -70,8 +57,7 @@ spec: {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if .Values.liveness.enabled }} @@ -117,6 +103,5 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml b/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml index b8dbb687fb..ec4e1a7011 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml 
@@ -1,5 +1,6 @@ {{/* # Copyright 2018 Intel Corporation, Inc +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,29 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.portName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-prometheus/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/values.yaml index 757041ce43..20ab052169 100644 --- a/kubernetes/multicloud/components/multicloud-prometheus/values.yaml +++ b/kubernetes/multicloud/components/multicloud-prometheus/values.yaml @@ -52,10 +52,10 @@ persistence: #Service configuration for this chart service: type: ClusterIP - name: multicloud-prometheus - portName: multicloud-prometheus internalPort: 9090 - externalPort: 9090 + ports: + - name: http + port: 9090 # probe configuration parameters liveness: 
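Review bot: In the `service:` block of multicloud-prometheus/values.yaml, `name: multicloud-prometheus` is removed, and the old service.yaml used exactly that value for `metadata.name` (`name: {{ .Values.service.name }}`), so the rendered Service name now depends on what `common.service` derives. Please confirm with a `helm template` run that the Service is still called `multicloud-prometheus`, or list what was updated, since anything that addresses Prometheus by that DNS name would otherwise stop resolving. The old template's `default "302"` fallback for the node port prefix also disappears with this change; worth a line in the commit message that it is intentional.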
@@ -87,18 +87,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml b/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml index 79e0831141..dd0d9e5564 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack Starlingx Plugin name: multicloud-starlingx -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/config.json b/kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/config.json index da0727c3a7..ebc53849d6 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/config.json +++ b/kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/config.json @@ -5,7 +5,7 @@ "port":9014, "userName":"healthcheck", "password":"zb!XztG34", - "https":true + "https":{{ (eq "true" (include "common.needTLS" .)) | ternary true false }} }, "receptionHandlerParameters":{ "SDCReceptionHandler":{ 
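Review bot: In the first hunk of multicloud-starlingx config.json, `"https"` becomes conditional on `common.needTLS` while the context line directly above keeps the literal `"password":"zb!XztG34"` for user `healthcheck`, so whenever needTLS renders false that credential guards a plain-HTTP listener on port 9014, and it stays committed in the chart either way. Since this block is being touched, suggest sourcing the password from a Secret rather than the template file. Style point on the same line: `| ternary true false` applied to a boolean is redundant, `{{ eq "true" (include "common.needTLS" .) }}` renders the same value.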
@@ -27,7 +27,7 @@ "sdcConfiguration":{ "parameterClassName":"org.onap.policy.distribution.reception.handling.sdc.SdcReceptionHandlerConfigurationParameterGroup", "parameters":{ - "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443", + "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }}", "messageBusAddress": [ "message-router.{{ include "common.namespace" . }}" ], @@ -53,7 +53,12 @@ "keystorePassword": "null", "activeserverTlsAuth": false, "isFilterinEmptyResources": true, - "isUseHttpsWithDmaap": false + "isUseHttpsWithDmaap": false, + "isUseHttpsWithSDC": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}, + "httpsproxyHost": "null", + "httpproxyHost": "null", + "httpsproxyPort": 8181, + "httpproxyPort": 8080 } } }, diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml index 2524cd8421..96942ddae5 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml 
@@ -16,40 +16,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: containers: - env: - name: MSB_PROTO - value: {{ .Values.config.msbprotocol }} + value: "http" - name: MSB_ADDR value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - name: MSB_PORT value: "{{ .Values.config.msbPort }}" - name: AAI_ADDR - value: aai.{{ include "common.namespace" . }} + value: "aai.{{ include "common.namespace" . }}" - name: AAI_PORT - value: "{{ .Values.config.aai.port }}" + value: "{{ .Values.config.aai.aaiPort }}" - name: AAI_SCHEMA_VERSION value: "{{ .Values.config.aai.schemaVersion }}" - name: AAI_USERNAME @@ -57,7 +42,7 @@ spec: - name: AAI_PASSWORD value: "{{ .Values.config.aai.password }}" - name: SSL_ENABLED - value: "{{ .Values.config.ssl_enabled }}" + value: "false" name: {{ include "common.name" . }} volumeMounts: - mountPath: "{{ .Values.log.path }}" 
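Review bot: In the env block of multicloud-starlingx deployment.yaml, `MSB_PROTO` is now the literal "http" and `SSL_ENABLED` the literal "false", replacing `.Values.config.msbprotocol` and `.Values.config.ssl_enabled`, so an operator can no longer turn TLS back on through values without editing the template. config.json in this same chart derives its `https` flag from `common.needTLS`; deriving these two variables from that helper would keep the chart consistent, and the liveness probe `scheme`, which the following hunk flips from HTTPS to HTTP, should follow the same switch.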
@@ -67,11 +52,10 @@ spec: subPath: log.yml - mountPath: /opt/artifacts/ name: artifact-data - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -79,7 +63,7 @@ spec: httpGet: path: /api/multicloud-starlingx/v0/swagger.json port: {{ .Values.service.internalPort }} - scheme: HTTPS + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -87,7 +71,7 @@ spec: failureThreshold: {{ .Values.liveness.failureThreshold }} {{ end }} # side car containers - {{ include "common.log.sidecar" . | nindent 7 }} + {{ include "common.log.sidecar" . | nindent 6 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: memcached @@ -108,12 +92,11 @@ spec: volumes: - name: starlingx-log emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 7 }} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} - name: starlingx-logconfig configMap: name: {{ include "common.fullname" . }}-log-configmap - name: artifact-data emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always 
diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-starlingx/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml index cf67f106ee..6eb90e5630 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml 
@@ -1,62 +1,18 @@ {{/* # Copyright (c) 2019 Intel Corporation. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-starlingx", - "version": "v0", - "url": "/api/multicloud-starlingx/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-starlingx", - "version": "v1", - "url": "/api/multicloud-starlingx/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml b/kubernetes/multicloud/components/multicloud-starlingx/values.yaml index e59f34a8bc..2f06b4b3d4 100644 --- a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml +++ b/kubernetes/multicloud/components/multicloud-starlingx/values.yaml @@ -17,7 +17,7 @@ ################################################################# global: nodePortPrefixExt: 304 - artifactImage: onap/multicloud/framework-artifactbroker:1.7.3 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 ################################################################# # Application configuration defaults. 
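Review bot: In `global:` of multicloud-starlingx/values.yaml, `artifactImage` jumps from 1.7.3 to 1.9.0 with no comment, while the config.json hunks in this chart add new keys (`isUseHttpsWithSDC`, `httpsproxyHost`, `httpproxyHost`, `httpsproxyPort`, `httpproxyPort`). Please record in the commit message or a values comment whether 1.9.0 is the artifactbroker version that needs those keys, so the image and the configuration are not rolled back independently. The image is also referenced by tag only; pinning by digest would make the deployed artifact verifiable.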
@@ -27,17 +27,12 @@ repository: nexus3.onap.org:10001 image: onap/multicloud/openstack-starlingx:1.5.7 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: false - # application configuration config: - ssl_enabled: true - msbprotocol: https msbgateway: msb-iag - msbPort: 443 + msbPort: 80 aai: - port: 8443 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI @@ -59,15 +54,42 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-starlingx - portName: multicloud-starlingx - externalPort: 9009 + type: NodePort internalPort: 9009 - nodePort: 85 + ports: + - name: http + port: 9009 + nodePort: '85' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-starlingx", + "version": "v0", + "url": "/api/multicloud-starlingx/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-starlingx", + "version": "v1", + "url": "/api/multicloud-starlingx/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-starlingx-api' + name: 'multicloud-starlingx' + port: 9009 # Resource Limit flavor -By Default using small flavor: small @@ -75,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # memcached image resource diff --git a/kubernetes/multicloud/components/multicloud-vio/Chart.yaml b/kubernetes/multicloud/components/multicloud-vio/Chart.yaml index 0c444fb15b..2efafe9267 100644 --- a/kubernetes/multicloud/components/multicloud-vio/Chart.yaml 
+++ b/kubernetes/multicloud/components/multicloud-vio/Chart.yaml @@ -18,15 +18,15 @@ apiVersion: v2 description: ONAP multicloud VIO plugin name: multicloud-vio -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml index 1d27d6eb33..9e26cc3d14 100644 --- a/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml 
@@ -17,81 +17,65 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}" - - name: MSB_PORT - value: "{{ .Values.config.msbPort }}.{{ include "common.namespace" . }}" - - name: AAI_ADDR - value: aai.{{ include "common.namespace" . }} - - name: AAI_PORT - value: "{{ .Values.config.aai.port }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: vio-log - - mountPath: /opt/vio/vio/pub/config/log.yml - name: vio-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: /api/multicloud-vio/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: HTTP - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: vio-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 5 }} - - name: vio-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + name: {{ include "common.name" . 
}} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: vio-log + - mountPath: /opt/vio/vio/pub/config/log.yml + name: vio-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: /api/multicloud-vio/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end -}} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: vio-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: vio-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-vio/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml index 4a926df420..0cff91a68c 100644 --- a/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml 
@@ -1,61 +1,19 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-vio", - "version": "v0", - "url": "/api/multicloud-vio/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - }, - { - "serviceName": "multicloud-vio", - "version": "v1", - "url": "/api/multicloud-vio/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-vio/values.yaml b/kubernetes/multicloud/components/multicloud-vio/values.yaml index 17643baffe..1337362a34 100644 --- a/kubernetes/multicloud/components/multicloud-vio/values.yaml +++ b/kubernetes/multicloud/components/multicloud-vio/values.yaml @@ -23,18 +23,15 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/multicloud/vio:1.4.1 +image: onap/multicloud/vio:1.4.2 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: true - # application configuration config: msbgateway: msb-iag msbPort: 80 aai: - port: 8443 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
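Review bot: in kubernetes/multicloud/components/multicloud-vio/values.yaml, `config.aai` moves from `port: 8443` to `aaiPort: 80` while `username: AAI` and `password: AAI` stay as chart defaults, and the same hunk drops `istioSidecar: true`, so nothing visible here says what protects the AAI credentials in transit once the plugin connects on port 80. Please add a comment naming the layer that is expected to encrypt this traffic, and consider sourcing the AAI username and password from a Secret instead of values defaults. The key rename from `aai.port` to `aai.aaiPort` also silently ignores any existing override file that still sets `aai.port`, which deserves a release note.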
@@ -56,15 +53,41 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-vio - portName: multicloud-vio - externalPort: 9004 + type: NodePort internalPort: 9004 - nodePort: 92 + ports: + - name: http + port: 9004 + nodePort: '92' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-vio", + "version": "v0", + "url": "/api/multicloud-vio/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-vio", + "version": "v1", + "url": "/api/multicloud-vio/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-vio-api' + name: 'multicloud-vio' + port: 9004 # Resource Limit flavor -By Default using small flavor: small @@ -72,18 +95,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml b/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml index d161db51ef..110cba02c2 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml 
@@ -18,15 +18,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack WindRiver Plugin name: multicloud-windriver -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-windriver/resources/config/log/config.json b/kubernetes/multicloud/components/multicloud-windriver/resources/config/log/config.json index 655076a901..e34637666f 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/resources/config/log/config.json +++ b/kubernetes/multicloud/components/multicloud-windriver/resources/config/log/config.json @@ -5,7 +5,7 @@ "port":9014, "userName":"healthcheck", "password":"zb!XztG34", - "https":true + "https":{{ (eq "true" (include "common.needTLS" .)) | ternary true false }} }, "receptionHandlerParameters":{ "SDCReceptionHandler":{ @@ -27,7 +27,7 @@ "sdcConfiguration":{ "parameterClassName":"org.onap.policy.distribution.reception.handling.sdc.SdcReceptionHandlerConfigurationParameterGroup", "parameters":{ - "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443", + "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }}", "messageBusAddress": [ "message-router.{{ include "common.namespace" . }}" ], @@ -53,7 +53,12 @@ "keystorePassword": "null", "activeserverTlsAuth": false, "isFilterinEmptyResources": true, - "isUseHttpsWithDmaap": false + "isUseHttpsWithDmaap": false, + "isUseHttpsWithSDC": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}, + "httpsproxyHost": "null", + "httpproxyHost": "null", + "httpsproxyPort": 8181, + "httpproxyPort": 8080 } } }, 
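Review bot: in the last config.json hunk (`@@ -53,7 +53,12 @@`), `httpsproxyHost` and `httpproxyHost` are added as the string "null" with fixed ports 8181 and 8080, none of it driven by values. If the consumer does not special-case the string "null" the way it presumably does for `keystorePassword`, this configures a proxy host literally named null; please confirm that behaviour or leave the four proxy keys out when no proxy is wanted. Minor: `(eq "true" (include "common.needTLS" .)) | ternary true false` is redundant, since `eq` already yields a boolean.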
diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml index 7656632737..434c0d156e 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml @@ -17,27 +17,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: ["sh", "-c", "chown -R 100:101 /data"] @@ -50,15 +35,15 @@ spec: containers: - env: - name: MSB_PROTO - value: {{ .Values.config.msbprotocol }} + value: "http" - name: MSB_ADDR value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - name: MSB_PORT value: "{{ .Values.config.msbPort }}" - name: AAI_ADDR - value: aai.{{ include "common.namespace" . }} + value: "aai.{{ include "common.namespace" . }}" - name: AAI_PORT - value: "{{ .Values.config.aai.port }}" + value: "{{ .Values.config.aai.aaiPort }}" - name: AAI_SCHEMA_VERSION value: "{{ .Values.config.aai.schemaVersion }}" - name: AAI_USERNAME 
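Review bot: `MSB_PROTO` in the `@@ -50,15 +35,15 @@` hunk is now the literal "http" where it used to read `.Values.config.msbprotocol`, so an installation that still fronts MSB with TLS can no longer select https without editing the template. The config.json change in this same commit derives its protocol and port from `common.needTLS`; doing the same here, or keeping a values key, would keep the chart consistent and leave the transport choice with the operator.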
@@ -66,7 +51,7 @@ spec: - name: AAI_PASSWORD value: "{{ .Values.config.aai.password }}" - name: SSL_ENABLED - value: "{{ .Values.config.ssl_enabled }}" + value: "false" name: {{ include "common.name" . }} volumeMounts: - mountPath: "{{ .Values.log.path }}" @@ -76,11 +61,10 @@ spec: subPath: log.yml - mountPath: /opt/artifacts/ name: artifact-data - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -88,7 +72,7 @@ spec: httpGet: path: /api/multicloud-titaniumcloud/v1/swagger.json port: {{ .Values.service.internalPort }} - scheme: HTTPS + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -96,7 +80,7 @@ spec: failureThreshold: {{ .Values.liveness.failureThreshold }} {{ end }} # side car containers - {{ include "common.log.sidecar" . | nindent 7 }} + {{ include "common.log.sidecar" . | nindent 6 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: memcached 
@@ -117,7 +101,7 @@ spec: volumes: - name: windriver-log emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 7 }} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} - name: windriver-logconfig configMap: name: {{ include "common.fullname" . }}-log-configmap @@ -128,6 +112,5 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-windriver/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml index 5a555b3222..578036bb8d 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml 
@@ -1,73 +1,19 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-titanium_cloud", - "version": "v0", - "url": "/api/multicloud-titanium_cloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-titaniumcloud", - "version": "v0", - "url": "/api/multicloud-titaniumcloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-titaniumcloud", - "version": "v1", - "url": "/api/multicloud-titaniumcloud/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - } - ]' - -spec: - ports: - {{ if eq .Values.service.type "NodePort" }} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{ else }} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{ end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-windriver/values.yaml b/kubernetes/multicloud/components/multicloud-windriver/values.yaml index 1a6527b4cb..0af9df856b 100644 --- a/kubernetes/multicloud/components/multicloud-windriver/values.yaml +++ b/kubernetes/multicloud/components/multicloud-windriver/values.yaml 
@@ -18,7 +18,7 @@ ################################################################# global: nodePortPrefix: 302 - artifactImage: onap/multicloud/framework-artifactbroker:1.7.3 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 persistence: {} ################################################################# @@ -28,28 +28,62 @@ global: image: onap/multicloud/openstack-windriver:1.5.7 pullPolicy: Always -#Istio sidecar injection policy -istioSidecar: true - # application configuration config: ssl_enabled: true - msbprotocol: https msbgateway: msb-iag - msbPort: 443 + msbPort: 80 aai: - port: 8443 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI service: - type: ClusterIP - name: multicloud-titaniumcloud - portName: multicloud-titaniumcloud - externalPort: 9005 + type: NodePort internalPort: 9005 - nodePort: 94 + ports: + - name: http + port: 9005 + nodePort: '94' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-titanium_cloud", + "version": "v0", + "url": "/api/multicloud-titanium_cloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-titaniumcloud", + "version": "v0", + "url": "/api/multicloud-titaniumcloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-titaniumcloud", + "version": "v1", + "url": "/api/multicloud-titaniumcloud/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-titaniumcloud-api' + name: 'multicloud-titaniumcloud' + port: 9005 # default number of instances replicaCount: 1 
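Review bot: `ssl_enabled: true` survives as context under `config:` in the `@@ -28,28 +28,62 @@` hunk although `msbprotocol` is removed, the windriver deployment template now sets `SSL_ENABLED` to the literal "false", and every new `msb.onap.org/service-info` entry carries `"enable_ssl": false`; the leftover key is dead and reads as if TLS were still on. Remove it, as the starlingx and top-level multicloud values.yaml hunks do. Separately, `service.type` changes from `ClusterIP` to `NodePort` with `nodePort: '94'`, which publishes the now plain-HTTP API on a node port by default; if that exposure is not intended, keep `ClusterIP` and rely on the new `ingress.service` entry.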
@@ -67,9 +101,6 @@ liveness: failureThreshold: 5 enabled: true -ingress: - enabled: false - persistence: enabled: true mountPath: /dockerdata-nfs @@ -84,18 +115,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # memcached image resource diff --git a/kubernetes/multicloud/templates/deployment.yaml b/kubernetes/multicloud/templates/deployment.yaml index 53716e5f44..80a09c73b8 100644 --- a/kubernetes/multicloud/templates/deployment.yaml +++ b/kubernetes/multicloud/templates/deployment.yaml 
@@ -17,90 +17,76 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: {{ .Values.config.msbprotocol }} - - name: MSB_ADDR - value: {{ .Values.config.msbgateway }}.{{ include "common.namespace" . }} - - name: MSB_PORT - value: "{{ .Values.config.msbPort }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{ .Values.config.aai.port }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{ .Values.config.ssl_enabled }}" - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . 
}} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: framework-log - - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml - name: framework-logconfig - subPath: log.yml - - mountPath: /opt/multivimbroker/multivimbroker/pub/config/provider-plugin.json - name: provider-plugin - subPath: provider-plugin.json - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: /api/multicloud/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPlainPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: AAI_PROTOCOL + value: "http" + - name: SSL_ENABLED + value: "false" + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . 
}} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: framework-log + - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml + name: framework-logconfig + subPath: log.yml + - mountPath: /opt/multivimbroker/multivimbroker/pub/config/provider-plugin.json + name: provider-plugin + subPath: provider-plugin.json + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: /api/multicloud/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: "HTTP" + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end -}} # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: framework-log - emptyDir: {} - - name: provider-plugin - configMap: - name: {{ include "common.fullname" . }}-provider-plugin-configmap - {{ include "common.log.volumes" . | nindent 5 }} - - name: framework-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: framework-log + emptyDir: {} + - name: provider-plugin + configMap: + name: {{ include "common.fullname" . }}-provider-plugin-configmap + {{ include "common.log.volumes" . | nindent 6 }} + - name: framework-logconfig + configMap: + name: {{ include "common.fullname" . 
}}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/templates/ingress.yaml b/kubernetes/multicloud/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/templates/service.yaml b/kubernetes/multicloud/templates/service.yaml index 3f950db038..578036bb8d 100644 --- a/kubernetes/multicloud/templates/service.yaml +++ b/kubernetes/multicloud/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
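Review bot: in kubernetes/multicloud/templates/deployment.yaml, `AAI_PORT` is rendered from `.Values.config.aai.aaiPlainPort`, but the values.yaml change for this chart defines `aai.aaiPort: 80`, and the vio and windriver deployments in this commit read `.Values.config.aai.aaiPort`. Unless `aaiPlainPort` is defined somewhere not shown in this patch, `AAI_PORT` renders as an empty string; change the template to `.Values.config.aai.aaiPort` or rename the values key so the two agree.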
@@ -15,49 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.portName }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud", - "version": "v0", - "url": "/api/multicloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud", - "version": "v1", - "url": "/api/multicloud/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ .Values.config.ssl_enabled }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/values.yaml b/kubernetes/multicloud/values.yaml index 977de08b6a..033826f0e6 100644 --- a/kubernetes/multicloud/values.yaml +++ b/kubernetes/multicloud/values.yaml @@ -18,7 +18,7 @@ ################################################################# global: nodePortPrefix: 302 - artifactImage: onap/multicloud/framework-artifactbroker:1.7.3 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 prometheus: enabled: false persistence: {} 
@@ -28,7 +28,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/multicloud/framework:1.7.3 +image: onap/multicloud/framework:1.8.1 pullPolicy: Always #Istio sidecar injection policy @@ -56,14 +56,12 @@ multicloud-windriver: # application configuration config: - ssl_enabled: true - msbprotocol: https msbgateway: msb-iag - msbPort: 443 logstashServiceName: log-ls logstashPort: 5044 + msbPort: 80 aai: - port: 8443 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI @@ -85,15 +83,41 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud - portName: multicloud-framework - externalPort: 9001 + type: NodePort internalPort: 9001 - nodePort: 91 + ports: + - name: http + port: 9001 + nodePort: '91' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud", + "version": "v0", + "url": "/api/multicloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud", + "version": "v1", + "url": "/api/multicloud/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-api' + name: 'multicloud' + port: 9001 # Resource Limit flavor -By Default using small flavor: small @@ -101,18 +125,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/nbi/Chart.yaml b/kubernetes/nbi/Chart.yaml index 93a05d34b0..25f307c253 100644 --- a/kubernetes/nbi/Chart.yaml +++ b/kubernetes/nbi/Chart.yaml 
@@ -17,32 +17,29 @@ apiVersion: v2 description: ONAP Northbound Interface name: nbi -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: mongo - version: ~11.x-0 + - name: mongodb + version: 14.12.2 repository: '@local' - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: mariadb-init - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - condition: not global.mariadbGalera.localCluster + condition: global.mariadbGalera.globalCluster - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index b9ed35b0f7..863926a8ce 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml 
@@ -18,67 +18,34 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.fullname" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: -{{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} -{{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Dserver.ssl.key-store={{ .Values.certInitializer.credsPath }}/org.onap.nbi.p12 \ - -Dserver.ssl.key-store-type=PKCS12 \ - -Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/org.onap.nbi.trust.jks \ - -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \ - -Djavax.net.ssl.trustStoreType=jks\ - -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443" - exec java -XX:+UseContainerSupport $JAVA_OPTS -jar /opt/onap/app.jar - {{- end }} {{ if .Values.liveness.enabled }} livenessProbe: httpGet: - port: {{ .Values.liveness.port }} + port: {{ .Values.service.internalPort }} path: {{ .Values.liveness.path }} - scheme: HTTPS + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: httpGet: - port: {{ .Values.readiness.port }} + port: {{ .Values.service.internalPort }} path: {{ .Values.readiness.path }} - scheme: HTTPS + scheme: HTTP initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: 
@@ -89,11 +56,11 @@ spec: - name: SPRING_DATASOURCE_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nbi-db-secret" "key" "password") | indent 14 }} - name: SPRING_DATA_MONGODB_HOST - value: {{ .Values.mongo.service.name }}.{{ include "common.namespace" . }} + value: {{ .Values.mongodb.service.nameOverride }}.{{ include "common.namespace" . }} - name: SPRING_DATA_MONGODB_PORT - value: "{{ .Values.mongo.service.internalPort }}" + value: "{{ .Values.mongodb.service.port }}" - name: SPRING_DATA_MONGODB_DATABASE - value: {{ .Values.mongo.config.dbName }} + value: {{ .Values.mongodb.config.dbName }} - name: ONAP_LCPCLOUDREGIONID value: {{ .Values.config.openStackRegion }} - name: ONAP_TENANTID @@ -105,15 +72,15 @@ spec: - name: ONAP_K8SCLOUDOWNER value: {{ .Values.config.k8sCloudOwner }} - name: NBI_URL - value: "https://nbi.{{ include "common.namespace" . }}:8443/nbi/api/v4" + value: "http://nbi.{{ include "common.namespace" . }}:{{ .Values.service.internalPort }}/nbi/api/v4" - name: SDC_HOST - value: "https://sdc-be.{{ include "common.namespace" . }}:8443" + value: "http://sdc-be.{{ include "common.namespace" . }}:8080" - name: SDC_HEADER_ECOMPINSTANCEID value: {{ .Values.config.ecompInstanceId }} - name: SDC_HEADER_AUTHORIZATION value: {{ .Values.sdc_authorization }} - name: AAI_HOST - value: "https://aai.{{ include "common.namespace" . }}:8443" + value: "http://aai.{{ include "common.namespace" . }}:80" - name: AAI_HEADER_AUTHORIZATION value: {{ .Values.aai_authorization }} - name: SO_HOST 
@@ -123,21 +90,16 @@ spec: value: {{ .Values.so_authorization }} {{- end }} - name: DMAAP_HOST - value: "https://message-router.{{ include "common.namespace" . }}:3905" + value: "http://message-router.{{ include "common.namespace" . }}:3904" - name: LOGGING_LEVEL_ORG_ONAP_NBI value: {{ .Values.config.loglevel }} - name: MSB_ENABLED - value: "true" + value: "{{ .Values.global.msbEnabled }}" - name: MSB_DISCOVERY_HOST value: "msb-discovery.{{ include "common.namespace" . }}" - name: MSB_DISCOVERY_PORT value: "10081" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -147,9 +109,4 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/nbi/templates/service.yaml b/kubernetes/nbi/templates/service.yaml index 4d5359ce0e..11fae18dc1 100644 --- a/kubernetes/nbi/templates/service.yaml +++ b/kubernetes/nbi/templates/service.yaml 
@@ -14,28 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}-{{ .Values.service.internalPort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/nbi/tests/deployment_test.yaml b/kubernetes/nbi/tests/deployment_test.yaml index 7c8a1b0dbb..fe9d0d2977 100644 --- a/kubernetes/nbi/tests/deployment_test.yaml +++ b/kubernetes/nbi/tests/deployment_test.yaml @@ -98,7 +98,7 @@ tests: path: spec.template.spec.containers[0].env content: name: SDC_HOST - value: https://sdc-be.NAMESPACE:8443 + value: http://sdc-be.NAMESPACE:8080 - contains: path: spec.template.spec.containers[0].env content: @@ -113,7 +113,7 @@ tests: path: spec.template.spec.containers[0].env content: name: AAI_HOST - value: https://aai.NAMESPACE:8443 + value: http://aai.NAMESPACE:80 - contains: path: spec.template.spec.containers[0].env content: diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index 9b69a4356f..0d143dc6c6 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml 
@@ -19,35 +19,26 @@ global: nodePortPrefix: 302 mariadbGalera: &mariadbGalera - #This flag allows SO to instantiate its own mariadb-galera cluster + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) localCluster: false + globalCluster: true service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera - aafEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: nbi-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: nbi - fqi: nbi@nbi.onap.org - public_fqdn: nbi.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - -aafConfig: - permission_user: 1000 - permission_group: 999 + msbEnabled: false + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* ################################################################# # Secrets metaconfig 
@@ -83,12 +74,13 @@ config: openStackRegion: RegionOne openStackVNFTenantId: 31047205ce114b60833b23e400d6a535 db: - userName: rene + userName: &dbuser rene # userPassword: password # userCredentialsExternalSecret: some-secret mariadb-galera: db: + user: *dbuser externalSecret: *dbUserSecretName name: &mysqlDbName nbi service: @@ -97,6 +89,9 @@ mariadb-galera: internalPort: 3306 nameOverride: &nbi-galera nbi-galera replicaCount: 1 + mariadbOperator: + galera: + enabled: false persistence: enabled: true mountSubPath: nbi/maria/data @@ -108,21 +103,29 @@ mariadb-init: userCredentialsExternalSecret: *dbUserSecretName mysqlDatabase: *mysqlDbName nameOverride: nbi-config + serviceAccount: + nameOverride: nbi-config -mongo: +mongodb: nameOverride: nbi-mongo config: - dbName: ServiceOrderDB + dbName: &mongoDBName ServiceOrderDB + auth: + enabled: false + databases: + - *mongoDBName + usernames: + - "nbi" service: - name: nbi-mongohost + nameOverride: nbi-mongohost internalPort: 27017 - nfsprovisionerPrefix: nbi - sdnctlPrefix: nbi - persistence: - mountSubPath: nbi/mongo/data - enabled: true - disableNfsProvisioner: true - + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "500m" + memory: "1Gi" # default number of instances replicaCount: 1 @@ -134,7 +137,6 @@ affinity: {} # probe configuration parameters liveness: path: /nbi/api/v4/status - port: 8443 initialDelaySeconds: 180 periodSeconds: 30 # necessary to disable liveness probe when setting breakpoints @@ -143,7 +145,6 @@ liveness: readiness: path: /nbi/api/v4/status - port: 8443 initialDelaySeconds: 185 periodSeconds: 30 @@ -151,15 +152,18 @@ service: type: NodePort portName: api name: nbi - nodePort: 74 - internalPort: 8443 + internalPort: 8080 + ports: + - name: http + port: 8080 + nodePort: '74' ingress: enabled: false service: - - baseaddr: "nbi.api" + - baseaddr: "nbi-api" name: "nbi" - port: 8443 + port: 8080 config: ssl: "redirect" # Resource Limit flavor -By Default using small 
@@ -168,18 +172,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/onap/Chart.yaml b/kubernetes/onap/Chart.yaml index 3113fda8d1..45d8da170b 100644 --- a/kubernetes/onap/Chart.yaml +++ b/kubernetes/onap/Chart.yaml @@ -15,8 +15,8 @@ apiVersion: v2 name: onap -version: 11.0.0 -appVersion: Kohn +version: 14.0.0 +appVersion: NewDelhi description: Open Network Automation Platform (ONAP) home: https://www.onap.org/ sources: 
@@ -25,161 +25,121 @@ icon: https://wiki.onap.org/download/thumbnails/1015829/onap_704x271%20copy.png? kubeVersion: ">=1.19.11-0" dependencies: - - name: aaf - version: ~11.x-0 - repository: '@local' - condition: aaf.enabled - name: aai - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: aai.enabled - - name: appc - version: ~11.x-0 - repository: '@local' - condition: appc.enabled - name: cassandra - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: cassandra.enabled - name: cds - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: cds.enabled - name: cli - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: cli.enabled - name: common - version: ~11.x-0 - repository: '@local' - - name: consul - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - condition: consul.enabled - - name: contrib - version: ~11.x-0 - repository: '@local' - condition: global.addTestingComponents - name: cps - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: cps.enabled - - name: dcaegen2 - version: ~11.x-0 - repository: '@local' - condition: dcaegen2.enabled - name: dcaegen2-services - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dcaegen2-services.enabled - - name: dcaemod - version: ~11.x-0 - repository: '@local' - condition: dcaemod.enabled - name: holmes - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: holmes.enabled - name: dmaap - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dmaap.enabled - - name: log - version: ~11.x-0 - repository: '@local' - condition: log.enabled - - name: sniro-emulator - version: ~11.x-0 - repository: '@local' - condition: sniro-emulator.enabled - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: mariadb-galera.enabled - name: msb - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: msb.enabled - name: multicloud - version: ~11.x-0 + version: 
~13.x-0 repository: '@local' condition: multicloud.enabled - name: nbi - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: nbi.enabled - name: policy - version: ~11.x-0 + version: ~14.x-0 repository: '@local' condition: policy.enabled - - name: portal - version: ~11.x-0 + - name: portal-ng + version: ~13.x-0 repository: '@local' - condition: portal.enabled + condition: portal-ng.enabled - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: postgres.enabled - name: oof - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: oof.enabled - name: repository-wrapper - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: robot - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: robot.enabled - name: sdc - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: sdc.enabled - name: sdnc - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: sdnc.enabled - name: so - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: so.enabled - name: strimzi - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: strimzi.enabled - name: uui - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: uui.enabled - name: vfc - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: vfc.enabled - - name: vid - version: ~11.x-0 - repository: '@local' - condition: vid.enabled - name: vnfsdk - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: vnfsdk.enabled - name: modeling - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: modeling.enabled - name: platform - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: platform.enabled - name: a1policymanagement - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: a1policymanagement.enabled - - name: cert-wrapper - version: ~11.x-0 - repository: '@local' - condition: cert-wrapper.enabled - name: roles-wrapper - 
version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: roles-wrapper.enabled diff --git a/kubernetes/onap/resources/environments/core-onap.yaml b/kubernetes/onap/resources/environments/core-onap.yaml index de448084ee..ebfe688619 100644 --- a/kubernetes/onap/resources/environments/core-onap.yaml +++ b/kubernetes/onap/resources/environments/core-onap.yaml @@ -16,7 +16,7 @@ # This override file is used to deploy a core configuration. It is based on # minimal-onap.yaml and Orange accomplishments [1][2][3]. # It includes the following components: -# AAI, DMAAP, SDC, SDNC, SO (+ Cassandra) +# AAI, DMAAP Message Router, SDC, SDNC, SO (+ Cassandra), STRIMZI Kafka # # Minimal resources are also reviewed for the various containers # AAI: no override => to be fixed @@ -52,33 +52,25 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 3 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false -dcaegen2: - enabled: false dcaegen2-services: enabled: false holmes: enabled: false dmaap: enabled: true -log: - enabled: false + message-router: + enabled: true + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false mariadb-galera: enabled: true msb: @@ -91,9 +83,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false @@ -106,19 +96,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: 
@@ -128,10 +116,18 @@ so: openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL" openStackServiceTenantName: "$OPENSTACK_TENANT_NAME" openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD" +strimzi: + enabled: true + replicaCount: 2 + persistence: + kafka: + size: 1Gi + zookeeper: + size: 500Mbi + strimzi-kafka-bridge: + enabled: false uui: enabled: false -vid: - enabled: false vfc: enabled: false vnfsdk: diff --git a/kubernetes/onap/resources/environments/dev.yaml b/kubernetes/onap/resources/environments/dev.yaml index b5951b25d2..fcf5de366c 100644 --- a/kubernetes/onap/resources/environments/dev.yaml +++ b/kubernetes/onap/resources/environments/dev.yaml @@ -32,7 +32,7 @@ global: #repository: nexus3.onap.org:10001 # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 # logging agent - temporary repo until images migrated to nexus3 loggingRepository: docker.elastic.co @@ -52,14 +52,10 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false aai-cassandra: replicaCount: 1 -appc: - enabled: false cassandra: enabled: false replicaCount: 1 @@ -67,26 +63,14 @@ clamp: enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false -dcaegen2: - enabled: false dcaegen2-services: enabled: false holmes: enabled: false dmaap: enabled: false -log: - enabled: false - log-logstash: - replicaCount: 1 -sniro-emulator: - enabled: false oof: enabled: false mariadb-galera: @@ -99,9 +83,7 @@ nbi: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: true @@ -139,11 +121,11 @@ so: mariadb: config: mariadbRootPassword: password +strimzi: + enabled: false uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false 
diff --git a/kubernetes/onap/resources/environments/disable-allcharts.yaml b/kubernetes/onap/resources/environments/disable-allcharts.yaml index 0f93b94983..2d42af05ac 100644 --- a/kubernetes/onap/resources/environments/disable-allcharts.yaml +++ b/kubernetes/onap/resources/environments/disable-allcharts.yaml @@ -25,36 +25,20 @@ # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false -appc: - enabled: false cassandra: enabled: false -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false -dcaegen2: - enabled: false dcaegen2-services: enabled: false holmes: enabled: false dmaap: enabled: false -log: - enabled: false -sniro-emulator: - enabled: false mariadb-galera: enabled: false msb: @@ -67,9 +51,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false @@ -79,11 +61,11 @@ sdnc: enabled: false so: enabled: false +strimzi: + enabled: false uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false diff --git a/kubernetes/onap/resources/environments/minimal-onap.yaml b/kubernetes/onap/resources/environments/minimal-onap.yaml index 670a55ae8d..5a628c8c7d 100644 --- a/kubernetes/onap/resources/environments/minimal-onap.yaml +++ b/kubernetes/onap/resources/environments/minimal-onap.yaml 
@@ -16,17 +16,15 @@ # This override file is used to deploy a minimal configuration to # onboard and deploy a VNF. # It includes the following components: -# A&AI, Cassandra, DMAAP, Portal, Robot, SDC, SDNC, SO, VID +# A&AI, Cassandra, DMAAP Message Router, Portal, Robot, SDC, SDNC, SO, STRIMZI Kafka # # Minimal resources are also reviewed for the various containers # A&AI: no override => to be fixed # DMAAP: no override -# Portal: new values # Robot: new values # SO: no override # SDC: new values # SDNC: no override -# VID: no override # # Replica are set to 1 (A&AI Cassandra) # @@ -47,33 +45,25 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 1 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false -dcaegen2: - enabled: false dcaegen2-services: enabled: false holmes: enabled: false dmaap: enabled: true -log: - enabled: false + message-router: + enabled: true + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false mariadb-galera: enabled: true msb: @@ -86,49 +76,8 @@ oof: enabled: false policy: enabled: false -pomba: +portal-ng: enabled: false -portal: - enabled: true - portal-cassandra: - config: - cassandraJvmOpts: "-Xmx512m -Xms256m" - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - portal-app: - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - resources: - portal-mariaddb: - resources: - small: - limits: - cpu: 800m - memory: 1Gi - requests: - cpu: 100m - memory: 500Mi - portal-widget: - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 500Mi robot: enabled: true config: @@ -136,11 +85,11 @@ robot: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 100Mi + cpu: "10m" + memory: "100Mi" sdc: enabled: true sdc-be: 
@@ -150,19 +99,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -172,10 +119,18 @@ so: openStackKeyStoneUrl: "$OPENSTACK_KEYSTONE_URL" openStackServiceTenantName: "$OPENSTACK_TENANT_NAME" openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD" +strimzi: + enabled: true + replicaCount: 1 + persistence: + kafka: + size: 1Gi + zookeeper: + size: 500Mbi + strimzi-kafka-bridge: + enabled: false uui: enabled: false -vid: - enabled: true vfc: enabled: false vnfsdk: diff --git a/kubernetes/onap/resources/environments/public-cloud.yaml b/kubernetes/onap/resources/environments/public-cloud.yaml index b44cb29891..74ce637d52 100644 --- a/kubernetes/onap/resources/environments/public-cloud.yaml +++ b/kubernetes/onap/resources/environments/public-cloud.yaml @@ -24,27 +24,6 @@ # deploy ONAP. This increase in timeouts prevents restarting of # the pods thereby the components will be deployed without error. ################################################################# -aaf: - aaf-cs: - liveness: - initialDelaySeconds: 240 - readiness: - initialDelaySeconds: 240 - aaf-gui: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - aaf-oauth: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 - aaf-service: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 aai: aai-champ: liveness: @@ -56,17 +35,6 @@ cassandra: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 -clamp: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 -dcaegen2: - dcae-cloudify-manager: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 holmes: holmes-rule-mgmt: liveness: 
@@ -99,13 +67,6 @@ dmaap: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 - -portal: - portal-app: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 sdc: sdc-fe: liveness: diff --git a/kubernetes/onap/resources/overrides/environment.yaml b/kubernetes/onap/resources/overrides/environment.yaml index c9ae94a136..468aab8c18 100644 --- a/kubernetes/onap/resources/overrides/environment.yaml +++ b/kubernetes/onap/resources/overrides/environment.yaml @@ -32,27 +32,6 @@ # large value may not fix all installation issues on over subscribed hardware. # ################################################################# -aaf: - aaf-cs: - liveness: - initialDelaySeconds: 240 - readiness: - initialDelaySeconds: 240 - aaf-gui: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - aaf-oauth: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 - aaf-service: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 aai: liveness: initialDelaySeconds: 120 @@ -75,11 +54,6 @@ aai: periodSeconds: 120 readiness: periodSeconds: 60 -appc: - mariadb-galera: - liveness: - initialDelaySeconds: 180 - periodSeconds: 60 cassandra: liveness: timeoutSeconds: 30 @@ -87,22 +61,6 @@ cassandra: readiness: timeoutSeconds: 30 periodSeconds: 60 -clamp: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 - clamp-mariadb: - liveness: - initialDelaySeconds: 30 - readiness: - initialDelaySeconds: 30 -dcaegen2: - dcae-cloudify-manager: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 holmes: holmes-rule-mgmt: liveness: @@ -156,17 +114,6 @@ oof: periodSeconds: 120 readiness: periodSeconds: 60 -portal: - portal-app: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 - portal-cassandra: - liveness: - periodSeconds: 120 - readiness: - periodSeconds: 60 sdc: sdc-fe: liveness: 
diff --git a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml index 8c9babb99a..4c1a418777 100644 --- a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml +++ b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml @@ -35,7 +35,7 @@ global: password: docker # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 # logging agent - temporary repo until images migrated to nexus3 loggingRepository: docker.elastic.co @@ -68,46 +68,28 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: true aai: enabled: true -appc: - enabled: false - config: - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: admin cassandra: enabled: true cds: enabled: true -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false -dcaegen2: - enabled: false dcaegen2-services: enabled: false holmes: enabled: false dmaap: enabled: true -log: - enabled: true -sniro-emulator: - enabled: false + message-router: + enabled: true + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false oof: enabled: true mariadb-galera: 
@@ -124,14 +106,12 @@ nbi: openStackVNFTenantId: "1234" policy: enabled: true -pomba: - enabled: false -portal: +portal-ng: enabled: true robot: enabled: true config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" sdc: enabled: true @@ -163,12 +143,14 @@ so: openStackServiceTenantName: "service" openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" +strimzi: + enabled: true + strimzi-kafka-bridge: + enabled: false uui: enabled: true vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false modeling: diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml new file mode 100644 index 0000000000..ba7b50e53c --- /dev/null +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml 
@@ -0,0 +1,168 @@ +# Copyright © 2019 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################### +# This override file enables helm charts for all ONAP applications. +################################################################### +#ingress virtualhost based configuration +global: + ingress: + enabled: true + # enable all component's Ingress interfaces + enable_all: true + # All http requests via ingress will be redirected + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. 
nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "common-gateway" + httpListener: "http-80" + httpsListener: "https-443" + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # tls: + # secret: 'my-ingress-cert' + # optional: Namespace of the Istio IngressGateway + namespace: istio-ingress + centralizedLoggingEnabled: ¢ralizedLogging false + # Disabling CMPv2 + cmpv2Enabled: false + +cassandra: + enabled: true +mariadb-galera: + enabled: true +postgres: + enabled: true +aai: + enabled: true +cds: + enabled: true +cli: + enabled: true +cps: + enabled: true +dcaegen2: + enabled: true +dcaegen2-services: + enabled: true + dcae-datafile-collector: + enabled: true + dcae-datalake-admin-ui: + enabled: true + dcae-datalake-des: + enabled: true + dcae-datalake-feeder: + enabled: true + dcae-heartbeat: + enabled: true + dcae-hv-ves-collector: + enabled: true + dcae-kpi-ms: + enabled: true + dcae-ms-healthcheck: + enabled: true + dcae-pm-mapper: + enabled: true + dcae-pmsh: + enabled: true + dcae-prh: + enabled: true + dcae-restconf-collector: + enabled: true + dcae-slice-analysis-ms: + enabled: true + dcae-snmptrap-collector: + enabled: true + dcae-son-handler: + enabled: true + dcae-tcagen2: + enabled: true + dcae-ves-collector: + enabled: true + applicationConfig: + auth.method: "noAuth" + dcae-ves-mapper: + enabled: true + dcae-ves-openapi-manager: + enabled: true 
+holmes: + enabled: true +dmaap: + enabled: true + message-router: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true +oof: + enabled: true +msb: + enabled: true +multicloud: + enabled: true +nbi: + enabled: true +platform: + enabled: true + cmpv2-cert-service: + enabled: false + keycloak-init: + enabled: true + oauth2-proxy: + enabled: true +policy: + enabled: true +portal-ng: + enabled: true +robot: + enabled: true +sdc: + enabled: true +sdnc: + enabled: true +so: + enabled: true +strimzi: + enabled: true + strimzi-kafka-bridge: + enabled: true +uui: + enabled: true +vfc: + enabled: true +vnfsdk: + enabled: true +modeling: + enabled: true +a1policymanagement: + enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml new file mode 100644 index 0000000000..cc830424e2 --- /dev/null +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml 
@@ -0,0 +1,169 @@ +# Copyright © 2019 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################### +# This override file enables helm charts for all ONAP applications. +################################################################### +#ingress virtualhost based configuration +global: + ingress: + enabled: true + # enable all component's Ingress interfaces + enable_all: true + # All http requests via ingress will be redirected + + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. 
nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # tls: + # secret: 'my-ingress-cert' + # optional: Namespace of the Istio IngressGateway + namespace: istio-ingress + centralizedLoggingEnabled: ¢ralizedLogging false + # Disabling CMPv2 + cmpv2Enabled: false + +cassandra: + enabled: true +mariadb-galera: + enabled: true +postgres: + enabled: true +aai: + enabled: true +cds: + enabled: true +cli: + enabled: true +cps: + enabled: true +dcaegen2: + enabled: true +dcaegen2-services: + enabled: true + dcae-datafile-collector: + enabled: true + dcae-datalake-admin-ui: + enabled: true + dcae-datalake-des: + enabled: true + dcae-datalake-feeder: + enabled: true + dcae-heartbeat: + enabled: true + dcae-hv-ves-collector: + enabled: true + dcae-kpi-ms: + enabled: true + dcae-ms-healthcheck: + enabled: true + dcae-pm-mapper: + enabled: true + dcae-pmsh: + enabled: true + dcae-prh: + enabled: true + dcae-restconf-collector: + enabled: true + dcae-slice-analysis-ms: + enabled: true + dcae-snmptrap-collector: + enabled: true + dcae-son-handler: + enabled: true + dcae-tcagen2: + enabled: true + dcae-ves-collector: + enabled: true + applicationConfig: + auth.method: "noAuth" + dcae-ves-mapper: + enabled: true + dcae-ves-openapi-manager: + enabled: true +holmes: + enabled: true +dmaap: + 
enabled: true + message-router: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true +oof: + enabled: true +msb: + enabled: true +multicloud: + enabled: true +nbi: + enabled: true +platform: + enabled: true + cmpv2-cert-service: + enabled: false + keycloak-init: + enabled: true + oauth2-proxy: + enabled: true +policy: + enabled: true +portal-ng: + enabled: true +robot: + enabled: true +sdc: + enabled: true +sdnc: + enabled: true +so: + enabled: true +strimzi: + enabled: true + strimzi-kafka-bridge: + enabled: true +uui: + enabled: true +vfc: + enabled: true +vnfsdk: + enabled: true +modeling: + enabled: true +a1policymanagement: + enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml index a56126a093..e5fd78e9ef 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml 
@@ -15,37 +15,51 @@ ################################################################### # This override file enables helm charts for all ONAP applications. ################################################################### +#ingress virtualhost based configuration +global: + ingress: + enabled: true + enable_all: true + # Provider: ingress, istio, gw-api + provider: ingress + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: nginx + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + cassandra: enabled: true mariadb-galera: enabled: true - -aaf: +postgres: enabled: true + aai: enabled: true -appc: - enabled: false cds: enabled: true -clamp: - enabled: true cli: enabled: true -consul: - enabled: true -contrib: - enabled: true cps: enabled: true -dcaegen2: - enabled: true dcaegen2-services: enabled: true holmes: enabled: true dmaap: enabled: true + message-router: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true oof: enabled: true msb: @@ -56,7 +70,7 @@ nbi: enabled: true policy: enabled: true -portal: +portal-ng: enabled: true robot: enabled: true @@ -66,28 +80,14 @@ sdnc: enabled: true so: enabled: true - ingress: - enabled: true - so-monitoring: - ingress: - enabled: true - so-vnfm-adapter: - ingress: - enabled: true strimzi: enabled: true + strimzi-kafka-bridge: + enabled: true uui: enabled: true vfc: enabled: true -vid: - enabled: true - ingress: - enabled: true vnfsdk: enabled: true -#ingress virtualhost based configuration -global: - ingress: - enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml index f8f1b4cd81..027f8b3225 100644 --- a/kubernetes/onap/resources/overrides/onap-all.yaml 
+++ b/kubernetes/onap/resources/overrides/onap-all.yaml @@ -19,42 +19,20 @@ ################################################################### # This override file enables helm charts for all ONAP applications. ################################################################### -global: - addTestingComponents: &testing true - centralizedLoggingEnabled: ¢ralizedLogging false cassandra: enabled: true mariadb-galera: enabled: true postgres: enabled: true -aaf: - enabled: true - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: true aai: enabled: true -appc: - enabled: false cds: enabled: true -clamp: - enabled: true cli: enabled: true -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing -consul: - enabled: true cps: enabled: true -dcaegen2: - enabled: true dcaegen2-services: enabled: true dcae-datafile-collector: @@ -95,12 +73,16 @@ dcaegen2-services: enabled: true dcae-ves-openapi-manager: enabled: true -dcaemod: - enabled: true holmes: enabled: true dmaap: enabled: true + message-router: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true oof: enabled: true msb: @@ -111,8 +93,8 @@ nbi: enabled: true policy: enabled: true -portal: - enabled: false +portal-ng: + enabled: true robot: enabled: true sdc: @@ -123,12 +105,12 @@ so: enabled: true strimzi: enabled: true + strimzi-kafka-bridge: + enabled: true uui: enabled: true vfc: enabled: true -vid: - enabled: false vnfsdk: enabled: true modeling: diff --git a/kubernetes/onap/resources/overrides/onap-vfw.yaml b/kubernetes/onap/resources/overrides/onap-vfw.yaml index f9da136043..14748ddb2e 100644 --- a/kubernetes/onap/resources/overrides/onap-vfw.yaml +++ b/kubernetes/onap/resources/overrides/onap-vfw.yaml 
@@ -21,33 +21,27 @@ cassandra: mariadb-galera: enabled: true -aaf: - enabled: true aai: enabled: true -appc: - enabled: true -clamp: - enabled: true -consul: - enabled: true -dcaegen2: - enabled: true dcaegen2-services: enabled: true holmes: enabled: true dmaap: enabled: true -log: - enabled: true + message-router: + enabled: true + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false oof: enabled: true msb: enabled: true policy: enabled: true -portal: +portal-ng: enabled: true robot: enabled: true @@ -59,5 +53,5 @@ so: enabled: true strimzi: enabled: true -vid: - enabled: true + strimzi-kafka-bridge: + enabled: false diff --git a/kubernetes/onap/resources/overrides/openstack.yaml b/kubernetes/onap/resources/overrides/openstack.yaml index 5e09d7cfe9..9c0fc539c3 100644 --- a/kubernetes/onap/resources/overrides/openstack.yaml +++ b/kubernetes/onap/resources/overrides/openstack.yaml @@ -15,19 +15,7 @@ ################################################################# # This override file configures openstack parameters for ONAP ################################################################# -appc: - config: - enableClustering: false - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" - openStackServiceTenantName: "OPENSTACK_TENANTNAME_HERE" - openStackDomain: "Default" - openStackUserName: "OPENSTACK_USERNAME_HERE" - openStackEncryptedPassword: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PASSWORD_HERE_XXXXXXXXXXXXXXXX" robot: - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" openStackKeyStoneUrl: "http://10.12.25.2:5000" openStackPublicNetId: "971040b2-7059-49dc-b220-4fab50cb2ad4" openStackTenantId: "09d8566ea45e43aa974cf447ed591d77" 
@@ -46,7 +34,7 @@ robot: scriptVersion: "1.4.0-SNAPSHOT" rancherIpAddress: "10.12.5.127" config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" so: # so server configuration diff --git a/kubernetes/onap/resources/overrides/sm-onap.yaml b/kubernetes/onap/resources/overrides/sm-onap.yaml index 2af6e2147b..dc5da35113 100644 --- a/kubernetes/onap/resources/overrides/sm-onap.yaml +++ b/kubernetes/onap/resources/overrides/sm-onap.yaml @@ -20,7 +20,8 @@ # # Minimal resources are also reviewed for the various containers # AAI: no override => to be fixed -# DMAAP: no override # SO: no override +# DMAAP: no override +# SO: no override # SDC: new values # SDNC: no override # @@ -44,6 +45,9 @@ ####################### global: aafEnabled: false + cmpv2Enabled: false + msbEnabled: false + tlsEnabled: false centralizedLoggingEnabled: false serviceMesh: enabled: true @@ -56,35 +60,25 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 3 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false -dcaegen2: - enabled: false dcaegen2-services: enabled: false +dmaap: + enabled: true + message-router: + enabled: true + dmaap-dr-prov: + enabled: true + dmaap-dr-node: + enabled: true holmes: enabled: false -log: - enabled: false mariadb-galera: enabled: true msb: @@ -97,9 +91,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false 
@@ -112,19 +104,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -136,17 +126,14 @@ so: openStackEncryptedPasswordHere: "$OPENSTACK_ENCRYPTED_PASSWORD" strimzi: enabled: true + strimzi-kafka-bridge: + enabled: true uui: enabled: false -vid: - enabled: false vfc: enabled: false vnfsdk: enabled: false cds: enabled: true -dmaap: - enabled: true - dmaap-bc: - enabled: false + diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 6939a87f21..5f48a5e2ed 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2019 Amdocs, Bell Canada # Copyright (c) 2020 Nordix Foundation, Modifications # Modifications Copyright © 2020-2021 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,19 +27,6 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - - # Install test components - # test components are out of the scope of ONAP but allow to have a entire - # environment to test the different features of ONAP - # Current tests environments provided: - # - netbox (needed for CDS IPAM) - # - AWX (needed for XXX) - # - EJBCA Server (needed for CMPv2 tests) - # Today, "contrib" chart that hosting these components must also be enabled - # in order to make it work. So `contrib.enabled` must have the same value than - # addTestingComponents - addTestingComponents: &testing false - # ONAP Repository # Four different repositories are used # You can change individually these repositories to ones that will serve the 
@@ -46,15 +34,10 @@ global: repository: nexus3.onap.org:10001 dockerHubRepository: &dockerHubRepository docker.io elasticRepository: &elasticRepository docker.elastic.co + quayRepository: quay.io googleK8sRepository: k8s.gcr.io githubContainerRegistry: ghcr.io - #/!\ DEPRECATED /!\ - # Legacy repositories which will be removed at the end of migration. - # Please don't use - loggingRepository: *elasticRepository - busyboxRepository: *dockerHubRepository - # Default credentials # they're optional. If the target repository doesn't need them, comment them repositoryCred: @@ -75,6 +58,20 @@ global: # user: myuser # password: mypassord + # Default definition of the secret containing the docker image repository + # credentials. In the default ONAP deployment the secret is created by the + # repository-wrapper component, which uses the secrets defined above. + # If this is not wanted or other secrets are created, alternative secret + # names can be used + # Overrides for specific images can be done, if the "image" entry is used as + # a map and the "pullSecrets" is used, e.g. + # image: + # ... + # pullSecrets: + # - myRegistryKeySecretName + # + imagePullSecrets: + - '{{ include "common.namespace" . }}-docker-registry-key' # common global images # Busybox for simple shell manipulation @@ -106,7 +103,7 @@ global: postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 # readiness check image - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 # image pull policy pullPolicy: Always @@ -127,6 +124,10 @@ global: storageclassProvisioner: kubernetes.io/no-provisioner volumeReclaimPolicy: Retain + # Global flag to enable the creation of default roles instead of using + # common roles-wrapper + createDefaultRoles: false + # override default resource limit flavor for all charts flavor: unlimited 
@@ -146,18 +147,63 @@ global: # Global ingress configuration ingress: + # generally enable ingress for ONAP components enabled: false + # enable all component's Ingress interfaces + enable_all: false + + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + + # default Ingress base URL and preAddr- and postAddr settings + # Ingress URLs result: + # . virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + + # All http (port 80) requests via ingress will be redirected + # to port 443 on Ingress controller + # only valid for Istio Gateway (ServiceMesh enabled) + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # only valid for Istio Gateway (ServiceMesh enabled) + # tls: + # secret: 'my-ingress-cert' + + # optional: Namespace of the Istio IngressGateway or Gateway-API + # only valid for Istio Gateway (ServiceMesh enabled) + namespace: istio-ingress # Global Service Mesh configuration - # POC Mode, don't use it in production serviceMesh: enabled: false tls: true # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + # Global Istio Authorization Policy configuration + authorizationPolicies: + enabled: false + # metrics part # If enabled, exporters (for prometheus) will be deployed # if custom resources set to yes, CRD from prometheus 
operartor will be @@ -171,8 +217,7 @@ global: # Disabling AAF # POC Mode, only for use in development environment # Keep it enabled in production - aafEnabled: true - aafAgentImage: onap/aaf/aaf_agent:2.1.20 + aafEnabled: false # Disabling MSB # POC Mode, only for use in development environment @@ -195,7 +240,7 @@ global: name: cmpv2-issuer-onap # Enabling CMPv2 - cmpv2Enabled: true + cmpv2Enabled: false platform: certificates: clientSecretName: oom-cert-service-client-tls-secret @@ -215,7 +260,7 @@ global: # Set to false if you want to disable TLS for NodePorts. Be aware that this # will loosen your security. # if set this element will force or not tls even if serviceMesh.tls is set. - # tlsEnabled: false + tlsEnabled: false # Logging # Currently, centralized logging is not in best shape so it's disabled by @@ -238,14 +283,6 @@ global: # storageClass: "-" # Example of specific for the components which requires RWX: -# aaf: -# persistence: -# storageClassOverride: "My_RWX_Storage_Class" -# contrib: -# netbox: -# netbox-app: -# persistence: -# storageClassOverride: "My_RWX_Storage_Class" # cds: # cds-blueprints-processor: # persistence: 
@@ -260,58 +297,28 @@ global: # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: false aai: enabled: false -appc: - enabled: false - config: - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: admin cassandra: enabled: false cds: enabled: false -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing cps: enabled: false -dcaegen2: - enabled: false dcaegen2-services: enabled: false -dcaemod: - enabled: false holmes: enabled: false dmaap: enabled: false -# Today, "logging" chart that perform the central part of logging must also be -# enabled in order to make it work. So `logging.enabled` must have the same -# value than centralizedLoggingEnabled -log: - enabled: *centralizedLogging -sniro-emulator: - enabled: false + message-router: + enabled: false + dmaap-dr-prov: + enabled: false + dmaap-dr-node: + enabled: false oof: enabled: false mariadb-galera: @@ -328,14 +335,12 @@ nbi: openStackVNFTenantId: "1234" policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" sdc: enabled: false 
@@ -372,14 +377,26 @@ so: # server: # monitoring: # password: demo123456! + strimzi: enabled: false + # Kafka replication & disk storage should be dimensioned + # according to each given system use case. + replicaCount: 3 + persistence: + kafka: + size: 10Gi + zookeeper: + size: 1Gi + # Strimzi kafka bridge is an optional http api towards + # kafka provided by https://strimzi.io/docs/bridge/latest/ + strimzi-kafka-bridge: + enabled: false + uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false modeling: @@ -388,9 +405,6 @@ platform: enabled: false a1policymanagement: enabled: false - -cert-wrapper: - enabled: true repository-wrapper: enabled: true roles-wrapper: diff --git a/kubernetes/oof/Chart.yaml b/kubernetes/oof/Chart.yaml index 7602afdb96..6be063fc4c 100755 --- a/kubernetes/oof/Chart.yaml +++ b/kubernetes/oof/Chart.yaml @@ -18,25 +18,25 @@ apiVersion: v2 description: ONAP Optimization Framework name: oof -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: oof-has - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/oof-has' condition: oof-has.enabled - name: oof-templates - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/oof-templates' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/Makefile b/kubernetes/oof/Makefile index 2bb70a4f92..eea1b7aefb 100644 --- a/kubernetes/oof/Makefile +++ b/kubernetes/oof/Makefile 
@@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") @@ -37,17 +43,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/oof/components/Makefile b/kubernetes/oof/components/Makefile index 1688db2d44..f09e21e75c 100755 --- a/kubernetes/oof/components/Makefile +++ b/kubernetes/oof/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") 
@@ -37,16 +43,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/oof/components/oof-has/Chart.yaml b/kubernetes/oof/components/oof-has/Chart.yaml index 85613895f1..79f19c176c 100755 --- a/kubernetes/oof/components/oof-has/Chart.yaml +++ b/kubernetes/oof/components/oof-has/Chart.yaml 
@@ -18,45 +18,41 @@ apiVersion: v2 description: ONAP Homing and Allocation Service name: oof-has -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: music - version: ~11.x-0 - repository: '@local' - condition: music.enabled - name: etcd - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: etcd.enabled - name: etcd-init - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: etcd-init.enabled - name: oof-has-api - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-api' condition: oof-has-api.enabled - name: oof-has-controller - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-controller' condition: oof-has-controller.enabled - name: oof-has-data - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-data' condition: oof-has-data.enabled - name: oof-has-reservation - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-reservation' condition: oof-has-reservation.enabled - name: oof-has-solver - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/oof-has-solver' condition: oof-has-solver.enabled - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/Makefile b/kubernetes/oof/components/oof-has/Makefile index 721f6025c0..2de7c19587 100644 --- a/kubernetes/oof/components/oof-has/Makefile +++ b/kubernetes/oof/components/oof-has/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") 
@@ -37,16 +43,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/oof/components/oof-has/components/Makefile b/kubernetes/oof/components/oof-has/components/Makefile index 546fad1b74..6d0030d4cf 100755 --- a/kubernetes/oof/components/oof-has/components/Makefile +++ b/kubernetes/oof/components/oof-has/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") 
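Review bot: In the `package-%` rule of kubernetes/oof/components/oof-has/Makefile, `@sleep 3` runs unconditionally, including for directories that have no Chart.yaml, and it does not confirm that the chart uploaded by `cm-push` is actually served by the `local` repository before the next target resolves dependencies against it. Move the wait inside the `if [ -f $*/Chart.yaml ]` branch and either replace the fixed delay with a check against the repository or add a comment saying what the three seconds are waiting for. The commented-out `#@$(HELM_BIN) repo index $(PACKAGE_DIR)` should be deleted rather than kept as dead code, and with the `ifeq "$(findstring v3,$(HELM_VER))" "v3"` branch gone, HELM_VER is no longer used by any rule shown here, so the `$(shell ...)` call that sets it looks removable.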
@@ -37,16 +43,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml index a1558114d8..c6c07bd8ef 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml @@ -18,21 +18,22 @@ apiVersion: v2 description: ONAP Homing and Allocation Servicei - API name: oof-has-api -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' + 
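Review bot: The context line `description: ONAP Homing and Allocation Servicei - API` in kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml still carries the `Servicei` typo; this hunk already rewrites the version and dependency list, so fix it in the same change. The hunk also adds an empty line after the final `repository: '@local'`, which the sibling Chart.yaml hunks in this change do not have; drop it for consistency.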
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml index 3ed20ba8a6..703d8bb7c4 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml 
@@ -18,63 +18,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - oof-has-controller - - --container-name - - aaf-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - - name: {{ include "common.name" . }}-has-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} - + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.image.optf_has }} @@ -99,20 +51,13 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/etc/conductor/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf - mountPath: /usr/local/bin/log.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: log.conf - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} - name: {{ include "common.name" . }}-nginx image: {{ include "repositoryGenerator.image.nginx" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -121,11 +66,10 @@ spec: args: - "-c" - | - grep -v '^$' /opt/bitnami/nginx/ssl/local/org.onap.oof.crt > /tmp/oof.crt - cat /tmp/oof.crt /tmp/intermediate_root_ca.pem /tmp/AAF_RootCA.cer >> /opt/bitnami/nginx/org.onap.oof.crt /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh ports: - containerPort: {{ .Values.service.internalPort }} + name: http {{- if .Values.liveness.enabled }} livenessProbe: tcpSocket: 
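Review bot: The nginx container in oof-has-api/templates/deployment.yaml still mounts `/opt/bitnami/nginx/conf/nginx.conf` from the config map after this hunk removes the two lines that built `/opt/bitnami/nginx/org.onap.oof.crt`, and nginx.conf is not among the lines shown. Confirm that nginx.conf no longer references that certificate file or an SSL listener, otherwise the container fails at startup, and say in the commit message where TLS for this port is terminated now that the port is named `http`. With only the entrypoint call left under `args`, the `"-c"` plus block-scalar wrapper is no longer needed and could be replaced by calling the entrypoint directly.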
@@ -139,21 +83,10 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/bitnami/nginx/conf/nginx.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: nginx.conf - - mountPath: /tmp/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - - mountPath: /tmp/intermediate_root_ca.pem - name: {{ include "common.fullname" . }}-onap-certs - subPath: intermediate_root_ca.pem - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -164,10 +97,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -178,6 +107,4 @@ spec: path: conductor.conf - key: log.conf path: log.conf -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml index 751545ebef..b77b592c08 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,29 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml index 228302fed4..0d7bd7c995 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml 
@@ -16,16 +16,12 @@ global: # global defaults nodePortPrefix: 302 image: - optf_has: onap/optf-has:2.3.0 + optf_has: onap/optf-has:2.3.1 ################################################################# # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -42,16 +38,15 @@ config: service: type: NodePort name: oof-has-api - externalPort: 8091 internalPort: 8091 - nodePort: 75 - portName: oof-has-api + ports: + - name: http + port: 8091 + nodePort: '75' #backend container info uwsgi: internalPort: 8080 -ingress: - enabled: false replicaCount: 1 nodeSelector: {} affinity: {} @@ -61,18 +56,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: 
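Review bot: The `small` flavor in oof-has-api/values.yaml drops the memory limit from 4Gi to 1Gi and the CPU limit from 2000m to "1" (and `large` from 8Gi/4000m to 2Gi/"2") with no rationale in the hunk. The new memory limits equal the old memory requests, so a container that previously ran anywhere above its request is now OOM-killed instead of being allowed the headroom. Add the measurement or reasoning behind the new numbers to the commit message, or keep a gap between request and limit until usage has been observed.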
@@ -85,33 +80,20 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 -#sub-charts configuration -certInitializer: - nameOverride: oof-has-cert-initializer - fqdn: "oof.onap" - app_ns: "org.osaaf.aaf" - fqi: "oof@oof.onap.org" - fqi_namespace: org.onap.oof - public_fqdn: "oof.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/bitnami/nginx/ssl - aaf_add_config: > - chmod 444 {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key; - - ingress: enabled: false service: - - baseaddr: "oof-has-api.onap" + - baseaddr: "oof-has-api" name: "oof-has-api" port: 8091 config: ssl: "redirect" +readinessCheck: + wait_for: + apps: + - oof-has-controller + #Pods Service Account serviceAccount: nameOverride: oof-has-api diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml index e8f510bf5f..9c155e8525 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml @@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Sservice - Controller name: oof-has-controller -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' 
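Review bot: In kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml, `ingress.config.ssl: "redirect"` is left unchanged while the same hunk deletes the whole `certInitializer` block and the service port in this file is renamed to `http`; check that `redirect` is still the value the common ingress template should receive for a backend that no longer holds a certificate. The deleted block contained a hard-coded `aafDeployPass` value: removing it from values.yaml does not remove it from repository history, so if that credential was ever used outside demo deployments it should be treated as exposed and rotated.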
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml index 55bb4f620d..2367da742e 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml 
@@ -17,61 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - - --container-name - - aaf-sms - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - - name: {{ include "common.name" . }}-cont-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.image.optf_has }} @@ -101,9 +55,6 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -113,11 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -128,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -141,6 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml index a8c5dd216a..7cbfafbc76 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml 
@@ -14,16 +14,12 @@ global: image: - optf_has: onap/optf-has:2.3.0 + optf_has: onap/optf-has:2.3.1 ################################################################# # Secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-controller diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml index 3bcfd08b41..142f6e563e 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml 
@@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Service - Data Component name: oof-has-data -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml index 4f58ec3b94..765d3dbda4 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml 
@@ -17,60 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - - name: {{ include "common.name" . }}-data-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} 
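Review bot: `{{ include "common.readinessCheck.waitFor" . | nindent 6 }}` in oof-has-data/templates/deployment.yaml is the only include in this hunk written without the `{{-` trim marker, so the rendered manifest gets a blank line directly under `initContainers:`. Write it as `{{- include "common.readinessCheck.waitFor" . | nindent 6 }}` to match `common.resourceMetadata`, `common.selectors` and `common.templateMetadata` above it; the same line appears in the api, controller, reservation and solver deployments. The helper consumes `readinessCheck.wait_for.jobs`, which the values.yaml hunks in this change set to a template string (`'{{ include "common.release" . }}-...-job'`); the helper itself is not shown here, so confirm it renders that value through `tpl`, otherwise the init container waits for a job with a literal `{{` in its name.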
@@ -100,9 +55,6 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -112,17 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - - mountPath: /usr/local/bin/aai_cert.cer - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: aai_cert.cer - - mountPath: /usr/local/bin/aai_key.key - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: aai_key.key - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -133,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -146,10 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh - - key: aai_cert.cer - path: aai_cert.cer - - key: aai_key.key - path: aai_key.key -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml index 0aaf4286cd..37e131ba91 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml 
+++ b/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml @@ -14,16 +14,12 @@ global: image: - optf_has: onap/optf-has:2.3.0 + optf_has: onap/optf-has:2.3.1 ################################################################# # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-data diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml index ba2733ef9f..2e7666ca06 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml 
@@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Sevice - Reservation Component name: oof-has-reservation -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml index f8755ea66b..d7b53346e9 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml 
@@ -17,60 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - - name: {{ include "common.name" . }}-resrv-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" .}}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} 
@@ -100,9 +55,6 @@ spec: {{ end -}} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -112,11 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -127,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -140,6 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml index fd88273dce..6a1bc53582 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml 
@@ -14,16 +14,12 @@ global: image: - optf_has: onap/optf-has:2.3.0 + optf_has: onap/optf-has:2.3.1 ################################################################# # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-reservation diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml index 3ec7d88fe7..7fe3d0c8ca 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml 
@@ -18,18 +18,21 @@ apiVersion: v2 description: ONAP Homing and Allocation Service - Solver Component name: oof-has-solver -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: oof-templates - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../../../oof-templates' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml index 154bc78e41..5d9c0763b5 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml 
@@ -17,60 +17,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - - name: {{ include "common.name" . }}-solvr-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} 
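Review bot: the include under `initContainers:` is the only one in this hunk without a left-trim. `{{ include "common.readinessCheck.waitFor" . | nindent 6 }}` keeps whatever whitespace precedes it and renders a whitespace-only line, while `metadata`, `selector` and the template metadata all use `{{- include ... | nindent N }}`. Use `{{- include "common.readinessCheck.waitFor" . | nindent 6 }}` for consistency. The removed `solvr-sms-readiness` container, which polled aaf-sms with `curl -k`, gets no replacement wait here; say in the commit message that dropping it is intentional.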
@@ -100,9 +55,6 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: {{ include "oof.etcd.env" . | nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /usr/local/bin/conductor.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: conductor.conf @@ -112,11 +64,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -127,9 +75,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ .Values.global.commonConfigPrefix }}-config configMap: name: {{ .Values.global.commonConfigPrefix }}-configmap @@ -140,6 +85,4 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml index 36c1945835..e0a9b0cdd1 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml 
@@ -14,16 +14,12 @@ global: image: - optf_has: onap/optf-has:2.3.0 + optf_has: onap/optf-has:2.3.1 ################################################################# # secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-secret name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' type: basicAuth @@ -48,18 +44,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: @@ -72,6 +68,11 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + #Pods Service Account serviceAccount: nameOverride: oof-has-solver diff --git a/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer b/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer deleted file mode 100755 index 4c6eb916e6..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIBHjANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEN -MAsGA1UECgwET05BUDEOMAwGA1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVk -aWF0ZUNBXzEwHhcNMTgwNDI1MTIxMzAxWhcNMTkwNDIwMTIxMzAxWjBtMQswCQYD -VQQGEwJVUzENMAsGA1UECgwET05BUDEZMBcGA1UECwwQb29mQG9vZi5vbmFwLm9y -ZzEOMAwGA1UECwwFT1NBQUYxJDAiBgNVBAMMG29vZi5hcGkuc2ltcGxlZGVtby5v -bmFwLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANGpQUtgLXG3 -dVikd/QC2Q24wzeTOeZzbx3PnidNYZT5K0sJ/TdnZF6O/4+9gXQ6AQS2Q8wfQ009 -MQAA5vhUaq5yZ2K+XAtEFGln1TxTFpGu3WDOwQ800Vw18Dk8WidrkzDJv489Bn1f -SSaPC0IaRB0K1d8BD63ZHgsuEY8lt31DX2wFWJcfN9mxNDzuLTZoLxtxKsedoZKH -rsOOILwXOhwuunfx40i6RQN/pFX6C2i8dtOA5OwUm9Q1RrZ2Tv1Uf4IURriH6bfZ -5n50yxTuL22TMYXsF/ohrdgwacuC0aV9ZSGhIZUJPyHVg7+QTBioHmoUJInVKuIx -kkC4lENbLYUCAwEAAaOB+jCB9zAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIG -wDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRp -ZmljYXRlMB0GA1UdDgQWBBQwbU5oHU2iYHCoVz4hFCvBW59cdTBUBgNVHSMETTBL -gBQd5lldG54KOKRipsGF8/PP1vGX6qEwpC4wLDEOMAwGA1UECwwFT1NBQUYxDTAL -BgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTggEBMA4GA1UdDwEB/wQEAwIF4DAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBADEa -0VuxoFIygeQTqlizpHNwfApPmlAVSKDTWuEu4rhJs8GT61EuWZQPygXEUHCYmGvJ -GMwEGGIDGiQqxMqlqng46gksNJbi1ktXr6Du18qW7gziUd84ve8KcecjZru1Sk1e -UJ/6WEQVE17CHKcnzQZsMDakgP+61VgKbk5NlkeF/Qh4L6/3jY7g+xoXqaId5RT9 -BetmH/cMsj33lxQTs0fcXTbAQd6BX5ug854OJ1mU4ngJnNBdmn9Ow1bB71ohf5Xv -OEYX8+khjgjlmM0u1hBRL4qViv3y2Gzhpm1M8cETMDj4g0zIJytzIYMxO8XvDPCF -YmVZHXJDLsCogSOmmh0= ------END CERTIFICATE----- \ No newline at end of file diff --git a/kubernetes/oof/components/oof-has/resources/config/aai_key.key b/kubernetes/oof/components/oof-has/resources/config/aai_key.key deleted file mode 100755 index 246ff6d8cb..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/aai_key.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIvxjZPeQVkRACAggA -MBQGCCqGSIb3DQMHBAhWqwQCjZFCrASCBMjWG5wsC1WFJISJ5odMHzYOWOKLpaDP -7a/dxnBrV6gId/DTmzoqtiBCmQRqhnUuYok98DNUFGjR9JqztNNOf5eslzqCugsh -zVwCvsJYKvxxJ4Q8tow3DKx28I6EmOvwudMsL9c30OxpEWdlWmyFimu5JDdDvWUH -S0fWKebQETZ7lptiRX2IXhC3Ye6Wu/DowDYc5L4Z/Q8nwncMB3n2ntMX10pBrura -15/R18AvG5cDwcasTXz5WKIB/K2onvJfW0so2M8jApu2DF4MpEIN9Z973uTNFXcL -dgHKWtIl2WO38coedaXUILgsxLSSU27TG4F+7QMGjiKXUSWjN9+TD+8zWye/9OIW -qfVtoh+n7lWtzC3Axo1OmPInCkFb+I7QaDsJgsUn+ZWap7FVJFrYiz20UTzYYgAK -OukCgKiJTHOhTT1k0km34ROPmqOk6mH7IkioUSTmoP362RpIVTbKv2e5GKzhYfkk -27W3RRG/qoZLUTU2AaAyoGZlzXDkBFw2g4vxnhcfHeXX6jyJyQWOOOeRJ5B6uc+Y -4XmKKJvq5pFlxUDmVCZLRzjwpvYPTQwTQQ9t7kEZFI8B7TMkDqv62YlXyoWNDwPq -yLvDwPDicx33AZor8N/eDgIOE+TXQ0vEyphf0c9OcgneeJmEtn7IskEahv32ruMQ -uFAAuIUmQfXPNMXu3MYIUItvZDm3RUk3YJDj9c8YtvxDlzLytHu5QYJ3v7rvo+mG -XKwmnZouaNRLw5Y7Mff07BuTPuttyNadacuJtUjvv8qVOIeuxQ7nku6yqKKLTeJr -8E4/tYyZ15FIo3hWi16h3zyZ9LiHhhe7d2XYSVMuzuD4jkIdHbdgiKsCJn9mI5PF -VpDF34w1Fjwv7Gu32MRMpJijAW10ENaP1O2izr9l8jwo+CLgi5qa6a2YTYAZooqt -UjTLfEIQKbwFbq5L9Eb1uRw1lRR9SxcxdNQdY+mtx0x2BSmXVUEcyi6OG/8Lzf/1 -9VoE5UPfhSE7ogfbL8eraFlQmKL8f3h3Jx/XDvvKC8YXxgooEhV0BsofXmLdF0BK -bhXR1/JptLz8CJjtlBWQkmqj+ONOHFA9/4YHMNn5T1PBLNzQCZSjQXrDKxowLDsI -ozUyZ080c2LrJCf6zj6+fB3LDvHYfJ6LnYASCHJlNS0NVmRPiYB/dmoqF/iyAEjp -cKUUrbhs6U95aPMo0pPSCuhLKiibCo3Vz/9dvGb7pr6aj/ehOjrtKtGlYukBqNkS -RQK2kkL8IO+iPWs3aCnEhfeS+wNBMAtI/TEw6As2zseyb3/SylHjek4s1gs9MPdw -c3o2ArwMzmP0sfFIjYz+AyQm+5i/LSnkNjG0OU9ekGXy7Z4HAcko2Dv8/SmOVapP -cf8c55RUDlYJh9Ltn0W5fuNA6dykV7f9s8BIrZcnzTN+lifNhNlEYYcmyZwlCcX4 -NBLoH+ENW+Q7+nuhGcf52j/XgTaPZ0Eec8ZJdK7FzVDN4DWKM4KHD7DgpkOR7TZl -IKGNtdvb3SaGG83YlJhRkkr0C2KvB0Mz2dkAhOKX3NkBr5fY62IvuMdqD7VDjGAw -h/GBn0k5+gpVP0Uh6yWEla3CjM9GnUuMVcwIUAYSeW2rFu4iapK0gBwguR91cM1N -MA8= ------END ENCRYPTED PRIVATE KEY----- 
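Review bot: deleting `aai_key.key` from the tree does not retract it. The `ENCRYPTED PRIVATE KEY` block removed here stays retrievable from repository history, as does the `aai_cert.cer` deleted in the preceding file. Treat this material as exposed: confirm that no deployment still presents or trusts it, and record in the commit message that it is retired rather than relocated.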
diff --git a/kubernetes/oof/components/oof-has/resources/config/bundle.pem b/kubernetes/oof/components/oof-has/resources/config/bundle.pem deleted file mode 100755 index 60121e751b..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/bundle.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEVDCCAjygAwIBAgIBATANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwNDA1MTQxNTQwWhcN -MTgwNjA0MTQxNTQwWjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzEwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY3YPA/YQdz4kaZQzdRzWNjmn33WYAWZ8+ -EIz3PhkEzk7M1q9N7Icx2LvozMj4VH0yGz/HYlliHhw26ZRsjYMSR8zATsXl4oW9 -w9BrjuyvM3w8Ptxe8WbUFF9LJDGyXPeVvcXVo0iyh3QYPWC/AWmomN19MvBFN5vH -AvEG/7qtonViNfISW9Gr9LpXB0foCmUDBu/lV+SwRGajoCPqdZhZ6/L6/yqDvha2 -wsML/UZXlGhXAedt/xOKmT/dSXx/I0vWBVp6Tq4zu87yCvd+I6Tpa5HjttA2I5EV -zdHX+JYBPBBcVCyO9YQOYjJuoVDE4D5etY6dEipKG/KZF/rqAoqZAgMBAAGjZjBk -MB0GA1UdDgQWBBQd5lldG54KOKRipsGF8/PP1vGX6jAfBgNVHSMEGDAWgBRTVTPy -S+vQUbHBeJrBKDF77+rtSTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE -AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAmgeiitBDi/YEqFh2Cqp0VIEqw8hiuV87 -rADQWMK4hv5WXl3KJTjFAnWsYFUKrm6s1jNH16FyGExUQgwggob0Vt+MHiUs36jU -kyret/uE5qrjz+/J+i2XG6s1oKcDRVD/jU4qBygZWFBMuwl7sz8IEvaYXGM43s96 -Du3UF9E+V3aMppqkGWz6MnrTmANnWAlDAMeifcoexjrpxiKbp8f49HX1UzwFoeEg -RnVwNqgDWT66yGV6mbNl6FpE/U81RpCRY1ZJDeVTxbqIaG/UPV4hpQ+BEVBDF+cb -rGsvsNYYpWx5srIQ7WtGKIlaDFbfWPwnHDHegzr8ypAS3KNWULE+QXCbHWtB+b0Y -WhP/2F6Jjb+ByvJqQoE+nHEYBeUOZUUZC4IuQFNJ5Wy5P0CNXdheiWhdrBmG02Gy -KMi0FJx6BEoWM2xcdl6bn5j9mhF4TX7zgepNWlgTra4Z8Oz8iqbQk33/s2OKM4ic -6ZezUYhNp+MuUt4Se+ufNcGV65jnUKeROtWzNLwP+xwglEFlG8aNiAORthd7QJuT -Ey2cX7H7f38ENQ5YCriUk1nVLO9F66l/rNRzYZgQzRI3IvDW8vyM2TLW2mcZNsaf -qjFMcCDweV2FRb8eTbmWzzB2/xTVpGzVJqzwgE+U7UtJx5CZS3wPkvXuEgvcg1tY -m1r4NGYFvLM= ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/kubernetes/oof/components/oof-has/resources/config/conductor.conf b/kubernetes/oof/components/oof-has/resources/config/conductor.conf index 22a20fe64e..511c0cd6de 100755 --- a/kubernetes/oof/components/oof-has/resources/config/conductor.conf +++ b/kubernetes/oof/components/oof-has/resources/config/conductor.conf @@ -159,13 +159,13 @@ appkey = "" # # is_aaf_enabled. (boolean value) -is_aaf_enabled = true +is_aaf_enabled = false # aaf_cache_expiry_hrs. (integer value) aaf_cache_expiry_hrs = 3 # aaf_url. (string value) -aaf_url = https://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}}/authz/perms/user/ +aaf_url = # aaf_cert_file. (string value) #aaf_cert_file = @@ -175,7 +175,7 @@ aaf_url = https://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}} # aaf_ca_bundle_file. (string value) #aaf_ca_bundle_file = -aaf_ca_bundle_file = /usr/local/bin/AAF_RootCA.cer +aaf_ca_bundle_file = # aaf_retries. (integer value) #aaf_retries = 3 @@ -193,9 +193,12 @@ aaf_ca_bundle_file = /usr/local/bin/AAF_RootCA.cer # From conductor # +# is_enabled. (boolean value) +is_enabled = false + # Base URL for SMS, up to and not including the version, and without a trailing # slash. (string value) -aaf_sms_url = https://{{.Values.config.sms.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sms.port}} +aaf_sms_url = # Timeout for SMS API Call (integer value) @@ -231,7 +234,7 @@ complex_cache_refresh_interval = 60 # Base URL for A&AI, up to and not including the version, and without a # trailing slash. (string value) -server_url = https://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai +server_url = http://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai # Timeout for A&AI Rest Call (string value) #aai_rest_timeout = 30 
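Review bot: the A&AI `server_url` now hard-codes the `http://` scheme in the template while the port still comes from `.Values.config.aai.port`, so an override that points the port back at a TLS listener produces a URL that cannot work, and the request path is cleartext unless something outside this chart encrypts it. Either take the scheme from values next to the port, or add a comment above `server_url` naming the layer (for example a service mesh) that is expected to provide transport security between conductor and A&AI.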
@@ -252,7 +255,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = # Username for AAI. (string value) username = OOF 
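Review bot: `certificate_authority_bundle_file =` is left as an explicit empty assignment directly under the commented default `#certificate_authority_bundle_file = certificate_authority_bundle.pem`. Check that conductor reads an empty value as "no bundle" and not as a path to open; if the option is unused once `server_url` is plain HTTP, deleting the line is clearer than overriding it with nothing. The context line `username = OOF` shows that AAI credentials are still configured in this section, so with the `http://` `server_url` from the previous hunk they leave this client without TLS.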
@@ -448,102 +451,6 @@ username = password = -[music_api] - -# -# From conductor -# - -# Base URL for Music REST API without a trailing slash. (string value) -#server_url = http://oof-has-music:8080/MUSIC/rest/v2 -server_url = https://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2 -version = v2 - -# DEPRECATED: List of hostnames (round-robin access) (list value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#hostnames = - -# DEPRECATED: Port (integer value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#port = - -# DEPRECATED: Path (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#path = - -# Socket connection timeout (floating point value) -#connect_timeout = 3.05 - -# Socket read timeout (floating point value) -#read_timeout = 12.05 - -# Lock timeout (integer value) -#lock_timeout = 10 - -# Replication factor (integer value) -#replication_factor = 1 -replication_factor = 1 - -# Use mock API (boolean value) -#mock = false - -# (string value) -#music_topology = SimpleStrategy - -# Name of the first data center (string value) -#first_datacenter_name = - -# Number of replicas in first data center (integer value) -#first_datacenter_replicas = - -# Name of the second data center (string value) -#second_datacenter_name = - -# Number of replicas in second data center (integer value) -#second_datacenter_replicas = - -# Name of the third data center (string value) -#third_datacenter_name = - -# Number of replicas in third data center (integer value) -#third_datacenter_replicas = - -# new or old version (boolean value) -#music_new_version = -music_new_version = True - -# for version (string value) -#music_version = -music_version = "3.2.40" - -# 
username value that used for creating basic authorization header (string -# value) -#aafuser = -aafuser = conductor - -# password value that used for creating basic authorization header (string -# value) -#aafpass = -aafpass = c0nduct0r - -# AAF namespace field used in MUSIC request header (string value) -#aafns = -aafns = conductor - -# Enabling HTTPs mode (boolean value) -enable_https_mode = True - -# Certificate Authority Bundle file in pem format. Must contain the appropriate -# trust chain for the Certificate file. (string value) -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer - - [prometheus] # @@ -676,7 +583,7 @@ concurrent = true # Base URL for SDC, up to and not including the version, and without a # trailing slash. (string value) #server_url = https://controller:8443/sdc -server_url = https://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc +server_url = http://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc # Timeout for SDC Rest Call (string value) #sdc_rest_timeout = 30 @@ -699,7 +606,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = # Username for SDC. (string value) #username = @@ -744,7 +651,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = # Username for CPS. (string value) #username = 
@@ -765,7 +672,7 @@ get_ta_list_url = "/api/v1/execute/ran-coverage-area/get_ta_list" # Base URL for DCAE, up to and not including the version, and without a # trailing slash. (string value) -server_url = https://{{.Values.config.dcae.service}}.{{ include "common.namespace" . }}:{{.Values.config.dcae.port}} +server_url = http://{{.Values.config.dcae.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.dcae.port}} # Timeout for DCAE Rest Call (string value) #dcae_rest_timeout = 30 @@ -788,7 +695,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = # Username for DCAE. (string value) #username = @@ -796,4 +703,4 @@ certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer # Password for DCAE. (string value) #password = -get_slice_config_url = "/api/v1/slices-config" \ No newline at end of file +get_slice_config_url = "/api/v1/slices-config" diff --git a/kubernetes/oof/components/oof-has/resources/config/nginx.conf b/kubernetes/oof/components/oof-has/resources/config/nginx.conf index cbb1b60a58..1c1094dacb 100644 --- a/kubernetes/oof/components/oof-has/resources/config/nginx.conf +++ b/kubernetes/oof/components/oof-has/resources/config/nginx.conf @@ -11,12 +11,8 @@ http { server { - listen 8091 ssl; + listen 8091; server_name oof; - ssl_certificate /opt/bitnami/nginx/org.onap.oof.crt; - ssl_certificate_key /opt/bitnami/nginx/ssl/local/org.onap.oof.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; location / { include /opt/bitnami/nginx/conf/uwsgi_params; diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml index 8a146a90b8..33558c4567 100755 
--- a/kubernetes/oof/components/oof-has/values.yaml +++ b/kubernetes/oof/components/oof-has/values.yaml @@ -19,7 +19,7 @@ global: commonConfigPrefix: onap-oof-has image: - optf_has: onap/optf-has:2.3.0 + optf_has: onap/optf-has:2.3.1 persistence: enabled: true @@ -27,11 +27,6 @@ global: # Secrets metaconfig ################################################################# secrets: - - uid: oof-onap-certs - name: &oof-certs '{{ include "common.release" . }}-oof-onap-certs' - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - uid: oof-has-etcd-root-password name: &root-password '{{ include "common.release" . }}-has-etcd-root-password' type: password @@ -50,29 +45,20 @@ nodePortPrefix: 302 dataRootDir: /dockerdata-nfs config: dbBackend: etcd - aaf: - serviceName: aaf-service - port: 8100 aai: serviceName: aai - port: 8443 + port: 80 msb: serviceName: msb-iag port: 80 - music: - serviceName: music - port: 8443 - sms: - serviceName: aaf-sms - port: 10443 sdc: serviceName: sdc-be - port: 8443 + port: 8080 cps: - service: cps-tbdmt + serviceName: cps-tbdmt port: 8080 dcae: - service: dcae-slice-analysis-ms + serviceName: dcae-slice-analysis-ms port: 8080 etcd: serviceName: &etcd-service oof-has-etcd @@ -87,24 +73,23 @@ flavor: small resources: small: limits: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "4Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} #component overrides oof-has-api: &has-config enabled: true - certSecret: *oof-certs config: etcd: userCredentialsExternalSecret: *user-creds @@ -113,8 +98,6 @@ oof-has-controller: *has-config oof-has-data: *has-config oof-has-reservation: *has-config oof-has-solver: *has-config -music: - enabled: false #etcd subchart configurations etcd: 
@@ -130,18 +113,18 @@ etcd: resources: &etcd-resources small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 75Mi + cpu: "10m" + memory: "70Mi" large: limits: - cpu: 200m - memory: 1Gi + cpu: "200m" + memory: "1Gi" requests: - cpu: 50m - memory: 300Mi + cpu: "50m" + memory: "300Mi" unlimited: {} etcd-init: @@ -158,6 +141,8 @@ etcd-init: keyPrefix: conductor flavor: *etcd-flavor resources: *etcd-resources + serviceAccount: + nameOverride: *job-name # Python doesn't support well dollar sign in password -passwordStrengthOverride: basic \ No newline at end of file +passwordStrengthOverride: basic diff --git a/kubernetes/oof/components/oof-templates/Chart.yaml b/kubernetes/oof/components/oof-templates/Chart.yaml index a59f751611..946be1fd2d 100755 --- a/kubernetes/oof/components/oof-templates/Chart.yaml +++ b/kubernetes/oof/components/oof-templates/Chart.yaml @@ -18,10 +18,10 @@ apiVersion: v2 description: ONAP OOF helm templates name: oof-templates -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/oof/components/oof-templates/templates/_certificate.tpl b/kubernetes/oof/components/oof-templates/templates/_certificate.tpl deleted file mode 100644 index 4da128bcbb..0000000000 --- a/kubernetes/oof/components/oof-templates/templates/_certificate.tpl +++ /dev/null @@ -1,11 +0,0 @@ -{{- define "oof.certificate.volume" -}} -- name: {{ include "common.fullname" . }}-onap-certs - secret: - secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "oof-onap-certs") }} - items: - - key: aaf_root_ca.cer - path: aaf_root_ca.cer - - key: intermediate_root_ca.pem - path: intermediate_root_ca.pem -{{- end -}} - diff --git a/kubernetes/oof/resources/config/certs/aaf_root_ca.cer b/kubernetes/oof/resources/config/certs/aaf_root_ca.cer deleted file mode 100755 index e9a50d7ea0..0000000000 
--- a/kubernetes/oof/resources/config/certs/aaf_root_ca.cer +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- 
diff --git a/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem b/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem deleted file mode 100644 index b67866d160..0000000000 --- a/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN -MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL -neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d -o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 -nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV -v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO -15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw -gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV -M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ -BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B -AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q -ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl -u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ -+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ -QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht -8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX -kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 -aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky -uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w -tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep -BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= ------END CERTIFICATE----- - 
diff --git a/kubernetes/oof/resources/config/conf/common_config.yaml b/kubernetes/oof/resources/config/conf/common_config.yaml index 57e8e27a19..394bece9d9 100644 --- a/kubernetes/oof/resources/config/conf/common_config.yaml +++ b/kubernetes/oof/resources/config/conf/common_config.yaml @@ -4,8 +4,6 @@ osdf_system: internal: 8699 # inside the Docker container, the app listens to this port external: 8698 # clients use this port on DockerHost osdf_ip_default: 0.0.0.0 -# # Important Note: At deployment time, we need to ensure the port mapping is done - ssl_context: ['/opt/osdf/org.onap.oof.crt', '/opt/osdf/osaaf/local/org.onap.oof.key'] osdf_temp: # special configuration required for "workarounds" or testing local_policies: @@ -113,6 +111,17 @@ policy_info: resources: - nst + nsst_selection: + policy_fetch: by_scope + policy_scope: + - + scope: + - OSDF_GUILIN + services: + - nsst + resources: + - nsst + subnet_selection: policy_fetch: by_scope policy_scope: diff --git a/kubernetes/oof/resources/config/conf/osdf_config.yaml b/kubernetes/oof/resources/config/conf/osdf_config.yaml index 441a77ab5a..818d4f340a 100755 --- a/kubernetes/oof/resources/config/conf/osdf_config.yaml +++ b/kubernetes/oof/resources/config/conf/osdf_config.yaml 
@@ -11,14 +11,14 @@ placementDefaultMinorVersion: {{ .Values.config.placementDefaultMinorVersion }} placementDefaultPatchVersion: {{ .Values.config.placementDefaultPatchVersion }} # Credentials for Conductor -conductorUrl: {{ .Values.config.conductorUrl }} +conductorUrl: {{ .Values.config.conductorUrl.http }} conductorPingWaitTime: {{ .Values.config.conductorPingWaitTime }} conductorMaxRetries: {{ .Values.config.conductorMaxRetries }} # versions to be set in HTTP header conductorMinorVersion: {{ .Values.config.conductorMinorVersion }} # Policy Platform -- requires ClientAuth, Authorization, and Environment -policyPlatformUrl: {{ .Values.config.policyPlatformUrl }} +policyPlatformUrl: {{ .Values.config.policyPlatformUrl.http }} policyPlatformEnv: {{ .Values.config.policyPlatformEnv }} # Credentials for DMaaP @@ -29,19 +29,16 @@ messageReaderTopic: {{ .Values.config.messageReaderTopic }} sdcUrl: {{ .Values.config.sdcUrl }} sdcONAPInstanceID: {{ .Values.config.sdcONAPInstanceID }} -is_aaf_enabled: {{ .Values.config.is_aaf_enabled }} -aaf_cache_expiry_mins: {{ .Values.config.aaf_cache_expiry_mins }} -aaf_url: {{ .Values.config.aaf_url }} +is_aaf_enabled: False +aaf_cache_expiry_mins: 5 +aaf_url: aaf_user_roles: - {{- range .Values.config.aaf_user_roles }} - - {{ . }} - {{- end }} # Secret Management Service from AAF -aaf_sms_url: {{ .Values.config.aaf_sms_url }}.{{ include "common.namespace" . }}:{{ .Values.config.aaf_sms_port }} -aaf_sms_timeout: {{ .Values.config.aaf_sms_timeout }} -secret_domain: {{ .Values.config.secret_domain }} -aaf_ca_certs: {{ .Values.config.aaf_ca_certs }} +aaf_sms_url: +aaf_sms_timeout: 30 +secret_domain: '' +aaf_ca_certs: '' configClientType: {{ .Values.config.configClientType }} 
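Review bot: `aaf_user_roles:` has no items left after the `range` is removed, so it renders as null instead of a list, and `aaf_url:` and `aaf_sms_url:` become null as well. If OSDF iterates or concatenates these at startup, write `aaf_user_roles: []` and `aaf_url: ''`, matching the `secret_domain: ''` style used further down in the same hunk. `is_aaf_enabled: False` is now a literal, so any `.Values.config.is_aaf_enabled` override is silently ignored: remove the orphaned keys from values.yaml in the same change and add a comment stating what performs the permission check once AAF is off.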
@@ -56,7 +53,7 @@ cpsCellListUrl: {{ .Values.config.cps.cellListUrl }} cpsNbrListUrl: {{ .Values.config.cps.nbrListUrl }} # AAI api -aaiUrl: {{ .Values.config.aaiUrl }} +aaiUrl: {{ .Values.config.aaiUrl.http }} aaiGetLinksUrl: {{ .Values.config.aaiGetLinksUrl }} aaiServiceInstanceUrl : {{ .Values.config.aaiServiceInstanceUrl }} aaiGetControllersUrl: {{ .Values.config.aaiGetControllersUrl }} @@ -65,7 +62,7 @@ aaiGetInterDomainLinksUrl: {{ .Values.config.aaiGetInterDomainLinksUrl }} dslQueryPath: /aai/v23/dsl?format= #DES api -desUrl: {{ .Values.config.desUrl }} +desUrl: {{ .Values.config.desUrl.http }} desApiPath: {{ .Values.config.desApiPath }} desHeaders: Accept: application/json @@ -77,4 +74,3 @@ desPassword: {{ .Values.config.desPassword }} appkey: '' activateConsulConfig: False - diff --git a/kubernetes/oof/templates/deployment.yaml b/kubernetes/oof/templates/deployment.yaml index 58ff39e1e5..5eb0fc0c6a 100644 --- a/kubernetes/oof/templates/deployment.yaml +++ b/kubernetes/oof/templates/deployment.yaml 
@@ -18,59 +18,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - command: - - /app/ready.py - args: - - --container-name - - policy-xacml-pdp - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/osdf/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-osdf-sms-readiness -{{ include "common.certInitializer.initContainer" . | indent 6 }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
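Review bot: the removed init container waited explicitly on `--container-name policy-xacml-pdp`, whereas the replacement `{{ include "common.readinessCheck.waitFor" . | nindent 6 }}` waits only on what values supply, and that list is not part of this hunk. Confirm that this chart's values.yaml gains a `readinessCheck.wait_for` entry covering `policy-xacml-pdp`, otherwise the pod loses the start-up ordering it had before. The same line also lacks the `{{-` left-trim used by the other includes in the hunk.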
@@ -80,11 +36,10 @@ spec: args: - "-c" - | - grep -v '^$' /opt/osdf/osaaf/local/org.onap.oof.crt > /tmp/oof.crt - cat /tmp/oof.crt /opt/app/ssl_cert/intermediate_root_ca.pem /opt/app/ssl_cert/aaf_root_ca.cer >> /opt/osdf/org.onap.oof.crt python osdfapp.py ports: - containerPort: {{ .Values.service.internalPort }} + name: http # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if .Values.liveness.enabled }} @@ -101,19 +56,9 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} env: volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/osdf/config/osdf_config.yaml name: {{ include "common.fullname" . }}-config subPath: osdf_config.yaml - - mountPath: /opt/app/ssl_cert/aaf_root_ca.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - - mountPath: /opt/app/ssl_cert/intermediate_root_ca.pem - name: {{ include "common.fullname" . }}-onap-certs - subPath: intermediate_root_ca.pem - mountPath: /opt/osdf/config/common_config.yaml name: {{ include "common.fullname" . }}-config subPath: common_config.yaml @@ -123,8 +68,7 @@ spec: - mountPath: /opt/osdf/config/slicing_config.yaml name: {{ include "common.fullname" . }}-config subPath: slicing_config.yaml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -135,10 +79,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-configmap 
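Review bot: in the container `args` of kubernetes/oof/templates/deployment.yaml, the `-c` script is left with the single line `python osdfapp.py` once the two certificate lines are removed, so the shell wrapper no longer does any work. Consider running the interpreter directly as the container command instead of through `-c`. In the volumeMounts hunk on the same file, the bare `env:` key directly above `volumeMounts:` has no entries and renders as null; drop it or give it a value.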
@@ -151,6 +91,4 @@ spec: path: log.yml - key: slicing_config.yaml path: slicing_config.yaml -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/templates/ingress.yaml b/kubernetes/oof/templates/ingress.yaml index 8f87c68f1e..99c7f87970 100644 --- a/kubernetes/oof/templates/ingress.yaml +++ b/kubernetes/oof/templates/ingress.yaml @@ -1 +1,19 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright (C) 2020 Wipro Limited. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/oof/templates/service.yaml b/kubernetes/oof/templates/service.yaml index 0706a8d6d4..418f89ac93 100644 --- a/kubernetes/oof/templates/service.yaml +++ b/kubernetes/oof/templates/service.yaml 
@@ -15,30 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/oof/values.yaml b/kubernetes/oof/values.yaml index f5873b404e..738df14015 100644 --- a/kubernetes/oof/values.yaml +++ b/kubernetes/oof/values.yaml 
@@ -19,23 +19,11 @@ global: nodePortPrefix: 302 persistence: {} -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - name: &oof-certs '{{ include "common.release" . }}-oof-onap-certs' - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: - - resources/config/certs/intermediate_root_ca.pem - - resources/config/certs/aaf_root_ca.cer - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/optf-osdf:3.0.6 +image: onap/optf-osdf:3.0.8 pullPolicy: Always # flag to enable debugging - application support required @@ -56,13 +44,15 @@ config: placementDefaultPatchVersion: "0" # Url and credentials for Conductor. - conductorUrl: https://oof-has-api:8091/v1/plans/ + conductorUrl: + http: http://oof-has-api:8091/v1/plans/ conductorPingWaitTime: 10 conductorMaxRetries: 30 # versions to be set in HTTP header conductorMinorVersion: 0 # Url and credentials for the Policy Platform - policyPlatformUrl: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision # Policy Dev platform URL + policyPlatformUrl: + http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision policyPlatformEnv: TEST # Environment for policy platform # Credentials for the message reader - A placeholder. messageReaderHosts: NA 
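Review bot: the new `conductorUrl.http` and `policyPlatformUrl.http` values send plan and policy decision requests over plain HTTP, and nothing in this file says what protects that traffic in transit now that the `https://` URLs are gone. Add a comment naming the layer that is expected to provide TLS between these services, or keep an `https` key next to `http` so a deployment without that layer can opt back in. The inline comment `# Policy Dev platform URL` was also dropped with the old value and could be kept on the new key.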
@@ -70,24 +60,14 @@ config: # Credentials for the SDC interface - A placeholder. sdcUrl: NA sdcONAPInstanceID: NA - #AAF Authentication - is_aaf_enabled: False - aaf_cache_expiry_mins: 5 - aaf_url: https://aaf-service:8100 - aaf_user_roles: - - '/placement:org.onap.oof.access|*|read ALL' - - '/pci:org.onap.oof.access|*|read ALL' - # Secret Management Service from AAF - aaf_sms_url: https://aaf-sms - aaf_sms_port: 10443 - aaf_sms_timeout: 30 - secret_domain: osdf - aaf_ca_certs: /opt/app/ssl_cert/aaf_root_ca.cer + configClientType: cps + # config db api configDbUrl: http://configdb:8080 configDbGetCellListUrl: 'api/sdnc-config-db/v3/getCellList' configDbGetNbrListUrl: 'api/sdnc-config-db/v3/getNbrList' + # cps api cps: url: cps-tbdmt:8080/execute @@ -95,14 +75,16 @@ config: nbrListUrl: 'ran-network/getNbrList' #aai api - aaiUrl: https://aai:8443 + aaiUrl: + http: http://aai:80 aaiGetLinksUrl: /aai/v16/network/logical-links aaiServiceInstanceUrl : /aai/v20/nodes/service-instances/service-instance/ aaiGetControllersUrl: /aai/v19/external-system/esr-thirdparty-sdnc-list controllerQueryUrl: /aai/v19/query?format=resource aaiGetInterDomainLinksUrl: /aai/v19/network/logical-links?link-type=inter-domain&operational-status=up #des api - desUrl: https://des.url:9000 + desUrl: + http: http://des.url:8080 desApiPath: /datalake/v1/exposure/ desUsername: '' desPassword: '' 
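Review bot: `aaiUrl` and `desUrl` change type here from a string to a map with a single `http` key, and the config template in this patch reads them as `.Values.config.aaiUrl.http` and `.Values.config.desUrl.http`, so an existing override file that still sets `config.aaiUrl: https://aai:8443` as a string will break rendering. Call the values-schema change out in the release notes, or have the template fall back to the plain value when `kindIs "string"` is true. The same applies to `conductorUrl` and `policyPlatformUrl` earlier in this file.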
@@ -113,39 +95,23 @@ affinity: {} # Resource Limit flavor -By Default using small flavor: small -#sub-charts configuration -certInitializer: - nameOverride: oof-osdf-cert-initializer - fqdn: "oof.onap" - app_ns: "org.osaaf.aaf" - fqi: "oof@oof.onap.org" - fqi_namespace: org.onap.oof - public_fqdn: "oof.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/osdf/osaaf - aaf_add_config: > - chmod 444 {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key; - # Segregation for Different environment (Small and Large) resources: small: limits: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" + unlimited: {} # probe configuration parameters liveness: @@ -160,13 +126,15 @@ readiness: service: type: NodePort name: oof-osdf - externalPort: 8698 internalPort: 8699 - nodePort: 48 + ports: + - name: http + port: 8698 + nodePort: '48' ingress: enabled: false service: - - baseaddr: "oofosdf" + - baseaddr: "oof-osdf-api" name: "oof-osdf" port: 8698 config: @@ -176,7 +144,11 @@ ingress: oof-has: enabled: true - certSecret: *oof-certs + +readinessCheck: + wait_for: + services: + - policy-xacml-pdp #Pods Service Account serviceAccount: diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml index 559e5fe383..aec56cf9a1 100644 --- a/kubernetes/platform/Chart.yaml +++ b/kubernetes/platform/Chart.yaml 
@@ -19,15 +19,26 @@ apiVersion: v2 description: ONAP platform components name: platform -version: 11.0.0 +version: 13.0.1 dependencies: - name: oom-cert-service - version: ~11.x-0 - repository: 'file://components/oom-cert-service' + version: ~13.x-0 + repository: '@local' + condition: oom-cert-service.enabled - name: cmpv2-cert-provider - version: ~11.x-0 - repository: 'file://components/cmpv2-cert-provider' + version: ~13.x-0 + repository: '@local' + condition: cmpv2-cert-provider.enabled - name: chartmuseum - version: ~11.x-0 - repository: 'file://components/chartmuseum' + version: ~13.x-0 + repository: '@local' + condition: chartmuseum.enabled + - name: keycloak-init + version: ~13.x-0 + repository: '@local' + condition: keycloak-init.enabled + - name: oauth2-proxy + version: ~13.x-0 + repository: '@local' + condition: oauth2-proxy.enabled diff --git a/kubernetes/platform/Makefile b/kubernetes/platform/Makefile index 2a2c131027..4ecfbc53cc 100644 --- a/kubernetes/platform/Makefile +++ b/kubernetes/platform/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") 
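Review bot: in kubernetes/platform/Makefile the test `ifneq ($(SKIP_LINT),TRUE)` matches only the exact string `TRUE`, so `SKIP_LINT=true` or `SKIP_LINT=1` still runs the linter, and the switch is not documented anywhere in the hunk. Add a comment above the block stating the accepted value and that it is meant for local builds, since `package-%` depends on `lint-%` and with the switch set the chart is packaged and pushed without having been linted.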
@@ -37,16 +43,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/platform/components/Makefile b/kubernetes/platform/components/Makefile index be8e79090f..5970a97115 100644 --- a/kubernetes/platform/components/Makefile +++ b/kubernetes/platform/components/Makefile @@ -20,6 +20,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") 
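Review bot: `@sleep 3` after the `cm-push` in the `package-%` rule of kubernetes/platform/Makefile is a fixed delay with no stated reason. If it is there to let chartmuseum index the pushed chart before the next `helm dep up`, say so in a comment, or poll the repository until the chart is visible so slow hosts do not race and fast hosts do not wait. The commented-out `#@$(HELM_BIN) repo index $(PACKAGE_DIR)` should be deleted rather than left in the recipe; if it is tab-indented like the lines around it, make hands it to the shell and echoes it on every package run.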
@@ -38,16 +44,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/platform/components/chartmuseum/Chart.yaml b/kubernetes/platform/components/chartmuseum/Chart.yaml index e8a5b839a5..14a2d0b9e1 100644 --- a/kubernetes/platform/components/chartmuseum/Chart.yaml +++ b/kubernetes/platform/components/chartmuseum/Chart.yaml @@ -20,18 +20,15 @@ apiVersion: v2 description: ONAP Chart Museum name: chartmuseum -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml index cc07f27bb1..3956255fb2 100644 --- a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml +++ b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml 
@@ -79,5 +79,4 @@ spec: emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/platform/components/chartmuseum/values.yaml b/kubernetes/platform/components/chartmuseum/values.yaml index 05a8b1537b..7068990c7d 100644 --- a/kubernetes/platform/components/chartmuseum/values.yaml +++ b/kubernetes/platform/components/chartmuseum/values.yaml @@ -82,16 +82,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} \ No newline at end of file diff --git a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml index 1c6cb71630..a77fb20fd6 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP CMPv2 certificate external provider for cert-manager name: cmpv2-cert-provider -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml index ce5e410abe..3513c21d1a 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml 
@@ -43,8 +43,7 @@ spec: {{- end }} {{- end }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index f05fbe1a08..6d48efd453 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -15,7 +15,7 @@ # Global global: nodePortPrefix: 302 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 busyboxRepository: registry.hub.docker.com @@ -28,21 +28,22 @@ namespace: onap # Deployment configuration deployment: name: oom-certservice-cmpv2issuer - image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.5.0 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.6.0 proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 # fol local development use IfNotPresent pullPolicy: Always logLevel: debug resources: limits: - cpu: 250m - memory: 128Mi + cpu: "250m" + memory: "100Mi" requests: - cpu: 100m - memory: 64Mi + cpu: "100m" + memory: "60Mi" readinessCheck: wait_for: - - oom-cert-service + services: + - oom-cert-service # CMPv2Issuer cmpv2issuer: diff --git a/kubernetes/platform/components/keycloak-init/.helmignore b/kubernetes/platform/components/keycloak-init/.helmignore new file mode 100644 index 0000000000..cf02291a2a --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/.helmignore 
@@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +ci/ +examples/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml new file mode 100644 index 0000000000..44ac9f5213 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/Chart.yaml 
@@ -0,0 +1,35 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright © 2022 Deutsche Telekom +# ================================================================================ +# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +apiVersion: v2 +version: 13.0.1 +description: ONAP Realm creation and configuration +name: keycloak-init +sources: +- https://github.com/adorsys/keycloak-config-cli + +# Keycloakx chart version: 1.6.0 +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: onap-keycloak-config-cli + version: 5.10.0 + repository: 'file://components/keycloak-config-cli' diff --git a/kubernetes/platform/components/keycloak-init/Makefile b/kubernetes/platform/components/keycloak-init/Makefile new file mode 100644 index 0000000000..5970a97115 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/Makefile 
@@ -0,0 +1,60 @@ +# Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: 
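Review bot: `OUTPUT_DIR := $(ROOT_DIR)/../../dist` is carried over unchanged from kubernetes/platform/components/Makefile (the blob id 5970a97115 is the same), but this copy sits one directory deeper. From kubernetes/platform/components/keycloak-init it resolves to kubernetes/platform/dist, not the kubernetes/dist that the parent Makefile writes to, so `PACKAGE_DIR` and the `clean` target operate on a different tree. Use `$(ROOT_DIR)/../../../dist` if the shared dist directory is intended. The copyright header (2020 Samsung Electronics, Nokia) was copied along with the file and may need a line for the author of this new file.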
diff --git a/kubernetes/platform/components/keycloak-init/components/Makefile b/kubernetes/platform/components/keycloak-init/components/Makefile new file mode 100644 index 0000000000..4ecfbc53cc --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/Makefile 
@@ -0,0 +1,59 @@ +# Copyright © 2020 Samsung Electronics, Orange, Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: 
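Review bot: `HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}")` is defined in this new Makefile but never referenced, since the `ifeq "$(findstring v3,$(HELM_VER))" "v3"` branch it served is not part of the file. Because it uses `:=` with `$(shell ...)`, helm is still executed at parse time on every invocation, including `make clean`; remove the variable. The recipes also call `make` directly (`@make package-$@`, `make -C $*`) instead of `$(MAKE)`, so options such as `-n` or `-j` are not passed down to the sub-makes.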
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml new file mode 100644 index 0000000000..abcf889834 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml 
@@ -0,0 +1,45 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright © adorsys GmbH & Co. KG +# Modifications © 2022 Deutsche Telekom +# ================================================================================ +# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +apiVersion: v2 +name: onap-keycloak-config-cli +description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. +home: https://github.com/adorsys/keycloak-config-cli +version: 5.10.0 +appVersion: 5.10.0 +maintainers: + - name: jkroepke + email: joe@adorsys.de + url: https://github.com/jkroepke +keywords: + - keycloak + - config + - import + - json + - continuous-integration + - keycloak-config-cli +sources: + - https://github.com/adorsys/keycloak-config-cli + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' \ No newline at end of file 
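Review bot: the `maintainers` block still lists the upstream maintainer and e-mail address, although the chart is renamed to `onap-keycloak-config-cli` and the header states it carries modifications. Replace the entry with the ONAP owner of this fork, or drop the block and keep the upstream reference in `home` and `sources`, so that problems with the modified chart are not reported upstream. The file also ends without a trailing newline (`\ No newline at end of file`).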
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl new file mode 100644 index 0000000000..cc1ad7ad8d --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "keycloak-config-cli.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "keycloak-config-cli.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "keycloak-config-cli.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "keycloak-config-cli.labels" -}} +helm.sh/chart: {{ include "keycloak-config-cli.chart" . }} +{{ include "keycloak-config-cli.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "keycloak-config-cli.selectorLabels" -}} +app.kubernetes.io/name: {{ include "keycloak-config-cli.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml new file mode 100644 index 0000000000..322db2b7a1 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml 
@@ -0,0 +1,103 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # Modifications © 2022, Deutsche Telekom + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +--- +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "keycloak-config-cli.fullname" . }} + labels: + {{- include "keycloak-config-cli.labels" . | nindent 4 }} +spec: + backoffLimit: {{ .Values.backoffLimit }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- . | nindent 8 }} + {{- end }} + labels: + {{- include "keycloak-config-cli.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: keycloak-config-cli + image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.repository }}:{{ tpl .Values.image.tag $ }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.resources }} + resources: + {{- toYaml . 
| nindent 10 }} + {{- end }} + env: + {{- range $name, $value := .Values.env }} + - name: {{ $name | quote }} + value: {{ tpl $value $ | quote }} + {{- end }} + {{- range $name, $value := .Values.secrets }} + - name: {{ $name | quote }} + valueFrom: + secretKeyRef: + name: "{{ template "keycloak-config-cli.fullname" $ }}" + key: {{ $name | quote }} + {{- end }} + {{- if and .Values.existingSecret .Values.existingSecretKey }} + - name: "KEYCLOAK_PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ tpl .Values.existingSecret . }}" + key: "{{ .Values.existingSecretKey }}" + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /config + {{- with .Values.extraVolumeMounts }} + {{- tpl . $ | nindent 12 }} + {{- end }} + {{ include "common.waitForJobContainer" . | indent 8 | trim }} + volumes: + - name: config + secret: + {{- if .Values.existingConfigSecret }} + secretName: "{{ tpl .Values.existingConfigSecret $ }}" + {{- else }} + secretName: "{{ template "keycloak-config-cli.fullname" . }}-config-realms" + {{- end }} + defaultMode: 0555 + {{- with .Values.extraVolumes }} + {{- tpl . $ | nindent 8 }} + {{- end }} + {{- with .Values.serviceAccount }} + serviceAccountName: "{{ tpl . $ }}" + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml new file mode 100644 index 0000000000..fa9363e9d0 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml 
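Review bot: in templates/job.yaml the `config` secret volume is mounted with `defaultMode: 0555`, which makes the realm files readable and executable by every user in the container. They are only read by the import, so drop the execute bits and narrow read access as far as the run-as user allows, for example `0440` with a matching `fsGroup`. The same `.Values.securityContext` block is rendered twice, once under the container and once at pod level; the two accept different field sets, so a value that is valid for one can be rejected or ignored for the other. Split it into separate `securityContext` and `podSecurityContext` values. Finally, `podAnnotations` is emitted with `{{- . | nindent 8 }}` while `annotations` and `podLabels` go through `toYaml`; use `toYaml` there too so a map value renders correctly.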
@@ -0,0 +1,32 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +{{ if not .Values.existingConfigSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "keycloak-config-cli.fullname" . }}-config-realms + labels: + {{- include "keycloak-config-cli.labels" . | nindent 4 }} +data: + {{- range $name, $config := .Values.config }} + {{- if hasKey $config "file" }} + {{ $name }}.json: "{{ tpl ($.Files.Get $config.file) $ | b64enc }}" + {{- else if hasKey $config "inline" }} + {{ $name }}.json: "{{ tpl (toJson $config.inline) $ | b64enc }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml new file mode 100644 index 0000000000..94505289e6 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml 
@@ -0,0 +1,28 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +{{ if .Values.secrets }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "keycloak-config-cli.fullname" . }} + labels: + {{- include "keycloak-config-cli.labels" . | nindent 4 }} +data: + {{- range $name, $value := .Values.secrets }} + {{ $name }}: "{{ tpl $value $ | b64enc }}" + {{- end }} + {{- end }} diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml new file mode 100644 index 0000000000..5f8d4a3fd5 --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml 
@@ -0,0 +1,97 @@ +# Copyright © adorsys GmbH & Co. KG +# Modifications © 2022, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +global: + pullPolicy: Always + persistence: {} + dockerHubRepository: docker.io + +fullnameOverride: "" +nameOverride: "" + +image: + repository: adorsys/keycloak-config-cli + tag: "{{ .Chart.AppVersion }}-22.0.4" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + pullSecrets: [] + # - myRegistryKeySecretName + +# Count of re(!)tries. A value of 2 means 3 tries in total. +backoffLimit: 1 + +# annotations of the Job. 
Define helm post hook here +# currently disabled to see the results and to be compliant with ArgoCD +#annotations: +# "helm.sh/hook": "post-install,post-upgrade,post-rollback" +# "helm.sh/hook-delete-policy": "hook-succeeded,before-hook-creation" +# "helm.sh/hook-weight": "5" + +labels: {} + +resources: {} + # limits: + # cpu: "100m" + # memory: "1Gi" + # requests: + # cpu: "100m" +# memory: "1Gi" + +env: + KEYCLOAK_URL: http://keycloak:8080 + KEYCLOAK_USER: admin + IMPORT_PATH: /config/ + +secrets: {} +# KEYCLOAK_PASSWORD: + +# Specifies an existing secret to be used for the admin password +existingSecret: "" + +# The key in the existing secret that stores the password +existingSecretKey: password + +securityContext: {} +containerSecurityContext: {} + +## Additional pod labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +## Extra Annotations to be added to pod +podAnnotations: {} + +config: {} + # : + # inline: + # realm: + # clients: [] + # : + # file: + +existingConfigSecret: "" + +# Add additional volumes, e.g. for custom secrets +extraVolumes: "" + +# Add additional volumes mounts, e. g. for custom secrets +extraVolumeMounts: "" + +wait_for_job_container: + containers: + - 'keycloak-config-cli' diff --git a/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json new file mode 100644 index 0000000000..d845c60cfb --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json 
@@ -0,0 +1,426 @@ +{ + "id": "ONAP", + "realm": "ONAP", + "enabled": true, + "roles": { + "realm": [ + { + "name": "onap_admin", + "description": "User role for administration tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "user", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "admin", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "onap_designer", + "description": "User role for designer tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "onap_operator", + "description": "User role for operator tasks in the portal.", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "onap", + "attributes": {} + }, + { + "name": "default-roles-onap", + "description": "${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "view-profile", + "manage-account" + ] + } + }, + "clientRole": false, + "containerId": "onap", + "attributes": {} + } + ] + }, + "groups": [ + { + "name": "admins", + "path": "/admins", + "attributes": {}, + "realmRoles": [], + "clientRoles": {}, + "subGroups": [] + } + ], + "clients": [ + { + "clientId": "oauth2-proxy", + "name": "Oauth2 Proxy", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": 
"client-secret", + "secret": "5YSOkJz99WHv8enDZPknzJuGqVSerELp", + "redirectUris": [ + "*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "tls-client-certificate-bound-access-tokens": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "acr.loa.map": "{}", + "require.pushed.authorization.requests": "false", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "token.response.type.bearer.lower-case": "false", + "use.refresh.tokens": "true" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "SDC-User", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "multivalued": "false", + "userinfo.token.claim": "true", + "user.attribute": "sdc_user", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "sdc_user", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "groups", + "microprofile-jwt" + ] + }, + { + "clientId": "portal-app", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "{{ .Values.portalUrl }}/*", + "http://localhost/*" + ], + "webOrigins": [ + "*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + 
"standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "post.logout.redirect.uris": "{{ .Values.portalUrl }}/*", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "name": "User-Roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "roles", + "multivalued": "true", + "userinfo.token.claim": "true" + } + }, + { + "name": "SDC-User", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "sdc_user", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "sdc_user", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "profile", + "roles", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "clientId" : "portal-bff", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : 
true, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "frontchannel.logout.session.required" : "false", + "oauth2.device.authorization.grant.enabled" : "false", + "backchannel.logout.revoke.offline.tokens" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "use.refresh.tokens" : "true", + "oidc.ciba.grant.enabled" : "false", + "backchannel.logout.session.required" : "true", + "client_credentials.use_refresh_token" : "false", + "require.pushed.authorization.requests" : "false", + "saml.client.signature" : "false", + "saml.allow.ecp.flow" : "false", + "id.token.as.detached.signature" : "false", + "saml.assertion.signature" : "false", + "client.secret.creation.time" : "1665048112", + "saml.encrypt" : "false", + "saml.server.signature" : "false", + "exclude.session.state.from.auth.response" : "false", + "saml.artifact.binding" : "false", + "saml_force_name_id_format" : "false", + "acr.loa.map" : "{}", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "token.response.type.bearer.lower-case" : "false", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "protocolMappers" : [ { + "name" : "Client Host", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientHost", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "clientHost", + "jsonType.label" : "String" + } + }, { + "name" : "Client IP Address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usersessionmodel-note-mapper", + "consentRequired" : false, + "config" : { + "user.session.note" : "clientAddress", + "id.token.claim" : 
"true", + "access.token.claim" : "true", + "claim.name" : "clientAddress", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } + ], + "users": [ + { + "createdTimestamp" : 1664965113698, + "username" : "onap-admin", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sdc_user" : [ "cs0008" ] + }, + "credentials" : [ { + "type" : "password", + "createdDate" : 1664965134586, + "secretData" : "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_admin" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048354760, + "username" : "onap-designer", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sec_user" : [ "cs0008" ] + }, + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_designer" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048547054, + "username" : "onap-operator", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "attributes" : { + "sdc_user" : [ "cs0008" ] + }, + "credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap", "onap_operator" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "createdTimestamp" : 1665048112458, + "username" : "service-account-portal-bff", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "serviceAccountClientId" : "portal-bff", + 
"credentials" : [ ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-onap" ], + "clientRoles" : { + "realm-management" : [ "manage-realm", "manage-users" ] + }, + "notBefore" : 0, + "groups" : [ ] + } + ], + "clientScopes": [ + { + "name": "groups", + "description": "Membership to a group", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "consentRequired": false, + "config": { + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "userinfo.token.claim": "true" + } + } + ] + } + ], + "attributes": { + "frontendUrl": "{{ .Values.KEYCLOAK_URL }}", + "acr.loa.map": "{\"ABC\":\"5\"}" + } +} diff --git a/kubernetes/platform/components/keycloak-init/templates/secret.yaml b/kubernetes/platform/components/keycloak-init/templates/secret.yaml new file mode 100644 index 0000000000..0d9b387dfa --- /dev/null +++ b/kubernetes/platform/components/keycloak-init/templates/secret.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-config-cli-config-realms + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +{{- with .Files.Glob "resources/realms/*json" }} +data: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml new file mode 100644 index 0000000000..a33ef2c932 --- /dev/null 
+++ b/kubernetes/platform/components/keycloak-init/values.yaml @@ -0,0 +1,41 @@ +# Copyright © 2022, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + # Global ingress configuration + ingress: + enabled: false + virtualhost: + baseurl: "simpledemo.onap.org" + +KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/" +PORTAL_URL: "https://portal-ui.simpledemo.onap.org" + +onap-keycloak-config-cli: + image: + pullSecrets: + - name: onap-docker-registry-key + #existingSecret: "keycloak-keycloakx-admin-creds" + env: + KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/ + KEYCLOAK_SSLVERIFY: "false" + KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" + secrets: + KEYCLOAK_PASSWORD: secret + existingConfigSecret: "keycloak-config-cli-config-realms" + +serviceAccount: + nameOverride: keycloak-init + roles: + - read diff --git a/kubernetes/platform/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/.helmignore new file mode 100644 index 0000000000..825c007791 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +OWNERS diff --git a/kubernetes/platform/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/Chart.yaml new file mode 100644 index 0000000000..13da57793c --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/Chart.yaml 
@@ -0,0 +1,34 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright © 2022 Deutsche Telekom +# ================================================================================ +# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +apiVersion: v2 +version: 13.0.0 +description: ONAP Oauth2-proxy +name: oauth2-proxy +sources: +- https://github.com/oauth2-proxy/manifests + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: onap-oauth2-proxy + version: 6.10.1 + repository: 'file://components/oauth2-proxy' \ No newline at end of file diff --git a/kubernetes/platform/components/oauth2-proxy/Makefile b/kubernetes/platform/components/oauth2-proxy/Makefile new file mode 100644 index 0000000000..5970a97115 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/Makefile 
@@ -0,0 +1,60 @@ +# Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: 
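Review bot: In kubernetes/platform/components/oauth2-proxy/Makefile, the `$(HELM_CHARTS)` recipe and the `make-%` rule call a literal `make` (`@make package-$@`, `make -C $*`) instead of `$(MAKE)`, so flags such as `-j` and `-n` and command-line variables like `SKIP_LINT=TRUE` are not reliably passed to the sub-make. Switch both to `$(MAKE)`. `HELM_VER` and `SECRET_DIR` are assigned but never used in this file and can be dropped. `cm-push -f` overwrites an already published chart of the same version in the `local` repository without warning, which deserves a comment stating that this is intended for local builds only.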
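Review bot: In keycloak-init/resources/realms/onap-realm.json, the `oauth2-proxy` and `portal-bff` clients carry literal `"secret"` values and the `onap-admin` user carries a committed PBKDF2 `secretData` hash, so every deployment of this chart shares the same client secrets and admin credential. The file is already passed through `tpl` in templates/secret.yaml, so these can be taken from values or an existing Secret instead. The `oauth2-proxy` client also sets `"redirectUris": ["*"]` with `directAccessGrantsEnabled: true`, and `portal-app` is a public client with `"webOrigins": ["*"]` and an `http://localhost/*` redirect. Restrict these to the portal and proxy URLs. The realm references `{{ .Values.portalUrl }}`, but the keycloak-init values.yaml in this change defines `PORTAL_URL`, so the portal redirect and post-logout URIs will not render to the intended host unless `portalUrl` is supplied elsewhere. The `onap-designer` user has the attribute `sec_user` where the other users and both `SDC-User` mappers use `sdc_user`. The `service-account-portal-bff` user is granted `manage-realm` and `manage-users` on `realm-management`; confirm that the BFF needs both.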
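Review bot: In keycloak-init/values.yaml, the default under `onap-keycloak-config-cli` sets `secrets.KEYCLOAK_PASSWORD: secret` and `KEYCLOAK_SSLVERIFY: "false"`, while the `existingSecret` line that would read the admin password from a cluster Secret is commented out. As shipped, the chart therefore writes a fixed, guessable admin password into a generated Secret and disables certificate verification for the admin connection, which here also targets a plain `http://` service URL. Make `existingSecret` the default path, leave `secrets` empty, and document `KEYCLOAK_SSLVERIFY: "false"` as a demo-only override.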
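Review bot: In keycloak-config-cli/templates/job.yaml, the same `.Values.securityContext` block is rendered twice, once under the container and once under the pod spec, while `containerSecurityContext` declared in the subchart's values.yaml is never referenced by the template. Pod-level and container-level security contexts accept different fields, so a value such as `allowPrivilegeEscalation` or `readOnlyRootFilesystem` cannot be set without also landing in the pod-level block where it is not valid. Render `.Values.containerSecurityContext` on the container and keep `.Values.securityContext` for the pod. Also, `podAnnotations` is piped straight to `nindent 8` without `toYaml` although its default is a map (`{}`), unlike `podLabels` and `annotations` in the same file. The `config` volume mounts the realm Secret with `defaultMode: 0555`, which makes the files world-readable and executable; a read-only mode for the job's user is enough for an import directory.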
diff --git a/kubernetes/platform/components/oauth2-proxy/components/Makefile b/kubernetes/platform/components/oauth2-proxy/components/Makefile new file mode 100755 index 0000000000..9544d70f33 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/Makefile @@ -0,0 +1,58 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: 
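Review bot: In kubernetes/platform/components/oauth2-proxy/components/Makefile, `OUTPUT_DIR := $(ROOT_DIR)/../../dist` is the same relative expression as in the parent oauth2-proxy/Makefile although this file sits one directory deeper, so the two Makefiles resolve `PACKAGE_DIR` to different `dist/packages` directories and `clean` in each removes a different tree. Confirm that this is intended and that both locations are git-ignored, or use `../../../dist` here so that the parent and subchart builds share one output directory. This file is otherwise a near copy of the parent Makefile and has the same literal `make` calls in the `$(HELM_CHARTS)` and `make-%` recipes.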
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore new file mode 100644 index 0000000000..825c007791 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +OWNERS diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml new file mode 100644 index 0000000000..b31b35f46d --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml 
@@ -0,0 +1,41 @@ +name: onap-oauth2-proxy +version: 6.10.1 +apiVersion: v2 +appVersion: 7.4.0 +home: https://oauth2-proxy.github.io/oauth2-proxy/ +description: A reverse proxy that provides authentication with Google, Github or other providers +keywords: + - kubernetes + - oauth + - oauth2 + - authentication + - google + - github + - redis +dependencies: + - name: redis + version: ~16.13.2 + repository: https://charts.bitnami.com/bitnami + alias: redis + condition: redis.enabled + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + +sources: + - https://github.com/oauth2-proxy/oauth2-proxy + - https://github.com/oauth2-proxy/manifests +maintainers: + - name: desaintmartin + email: cedric@desaintmartin.fr + - name: tlawrie + - name: NickMeves + email: nicholas.meves@gmail.com + - name: JoelSpeed + email: joel.speed@hotmail.co.uk + - name: pierluigilenoci + email: pierluigi.lenoci@gmail.com +kubeVersion: ">=1.9.0-0" diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md new file mode 100644 index 0000000000..9e18388501 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md 
@@ -0,0 +1,323 @@ +# oauth2-proxy + +[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. + +## TL;DR; + +```console +$ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests +$ helm install my-release oauth2-proxy/oauth2-proxy +``` + +## Introduction + +This chart bootstraps an oauth2-proxy deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy +``` + +The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + +### To 1.0.0 + +This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade. + +### To 2.0.0 + +Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. 
+ +Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0. + +### To 3.0.0 + +Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false` + +### To 4.0.0 + +Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**. +Therefore the `ingress.extraPaths` parameter needs to be updated to the new format. +See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information. + +For the same reason `service.port` was renamed to `service.portNumber`. + +### To 5.0.0 + +Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). This is a breaking change because many labels of all resources need to be updated to stay consistent. + +In order to upgrade, delete the Deployment before upgrading: + +```bash +kubectl delete deployment my-release-oauth2-proxy +``` + +This will introduce a slight downtime. + +For users who don't want downtime, you can perform these actions: + +- Perform a non-cascading removal of the deployment that keeps the pods running +- Add new labels to pods +- Perform `helm upgrade` + +### To 6.0.0 + +Version 6.0.0 bumps the version of the redis subchart from ~10.6.0 to ~16.4.0. You probably need to adjust your redis config. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. 
+ +## Configuration + +The following table lists the configurable parameters of the oauth2-proxy chart and their default values. + +Parameter | Description | Default +--- | --- | --- +`affinity` | node/pod affinities | None +`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false` +`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap` +`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` +`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""` +`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""` +`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` +`config.clientID` | oauth client ID | `""` +`config.clientSecret` | oauth client secret | `""` +`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` +`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret.yaml) for the required values | `nil` +`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` +`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` +`config.cookieName` | The name of the cookie that oauth2-proxy will create. 
| `""` +`alphaConfig.enabled` | Flag to toggle any alpha config related logic | `false` +`alphaConfig.annotations` | Configmap annotations | `{}` +`alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` +`alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` +`alphaConfig.configData` | Arbitrary configuration data to append | `{}` +`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil` +`customLabels` | Custom labels to add into metadata | `{}` | +`config.google.adminEmail` | user impersonated by the google service account | `""` +`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false` +`config.google.targetPrincipal` | service account to use/impersonate | `""` +`config.google.serviceAccountJson` | google service account json contents | `""` +`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` +`config.google.groups` | restrict logins to members of these google groups | `[]` +`containerPort` | used to customise port on the deployment | `""` +`extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows to configure the same flag multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). 
| `{}` or `[]` +`extraContainers` | List of extra containers to be added to the pod | `[]` +`extraEnv` | key:value list of extra environment variables to give the binary | `[]` +`extraVolumes` | list of extra volumes | `[]` +`extraVolumeMounts` | list of extra volumeMounts | `[]` +`hostAlias.enabled` | provide extra ip:hostname alias for network name resolution. +`hostAlias.ip` | `ip` address `hostAliases.hostname` should resolve to. +`hostAlias.hostname` | `hostname` associated to `hostAliases.ip`. +`htpasswdFile.enabled` | enable htpasswd-file option | `false` +`htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}` +`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` +`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` +`image.pullPolicy` | Image pull policy | `IfNotPresent` +`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` +`image.tag` | Image tag | `""` (defaults to appVersion) +`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) +`ingress.enabled` | Enable Ingress | `false` +`ingress.className` | name referencing IngressClass | `nil` +`ingress.path` | Ingress accepted path | `/` +`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` +`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). 
| `[]` +`ingress.annotations` | Ingress annotations | `nil` +`ingress.hosts` | Ingress accepted hostnames | `nil` +`ingress.tls` | Ingress TLS configuration | `nil` +`livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` +`livenessProbe.initialDelaySeconds` | number of seconds | 0 +`livenessProbe.timeoutSeconds` | number of seconds | 1 +`nodeSelector` | node labels for pod assignment | `{}` +`deploymentAnnotations` | annotations to add to the deployment | `{}` +`podAnnotations` | annotations to add to each pod | `{}` +`podLabels` | additional labesl to add to each pod | `{}` +`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true +`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1 +`podSecurityContext` | Kubernetes security context to apply to pod | `{}` +`priorityClassName` | priorityClassName | `nil` +`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` +`readinessProbe.initialDelaySeconds` | number of seconds | 0 +`readinessProbe.timeoutSeconds` | number of seconds | 5 +`readinessProbe.periodSeconds` | number of seconds | 10 +`readinessProbe.successThreshold` | number of successes | 1 +`replicaCount` | desired number of pods | `1` +`resources` | pod resource requests & limits | `{}` +`revisionHistoryLimit` | maximum number of revisions maintained | 10 +`service.portNumber` | port number for the service | `80` +`service.appProtocol` | application protocol on the port of the service | `http` +`service.type` | type of service | `ClusterIP` +`service.clusterIP` | cluster ip address | `nil` +`service.loadBalancerIP` | ip of load balancer | `nil` +`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` +`service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` +`serviceAccount.enabled` | create a service account | `true` +`serviceAccount.name` | the service account name | `` +`serviceAccount.annotations` | (optional) annotations for the service account | `{}` +`tolerations` | list of node taints to tolerate | `[]` +`securityContext.enabled` | enable Kubernetes security context on container | `false` +`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true` +`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. 
When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` +`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie` +`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` +`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from redis subchart secret if not set. sessionStorage.redis.existingSecret takes precedence | `nil` +`sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the redis password value | `redis-password` +`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` +`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set. | `""` +`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` +`sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` +`sessionStorage.redis.sentinel.password` | Redis sentinel password. 
Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil` +`sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the redis sentinel password value | `redis-sentinel-password` +`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` +`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` +`topologySpreadConstraints` | List of pod topology spread constraints | `[]` +`redis.enabled` | Enable the redis subchart deployment | `false` +`checkDeprecation` | Enable deprecation checks | `true` +`metrics.enabled` | Enable Prometheus metrics endpoint | `true` +`metrics.port` | Serve Prometheus metrics on this port | `44180` +`metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` +`metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` +`metrics.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` +`metrics.servicemonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` +`metrics.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` +`metrics.servicemonitor.interval` | Prometheus scrape interval | `60s` +`metrics.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` +`metrics.servicemonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}` +`extraObjects` | Extra K8s manifests to deploy | `[]` + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy \ + --set=image.tag=v0.0.2,resources.limits.cpu=200m +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. 
For example, + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## TLS Configuration + +See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls). +Use ```values.yaml``` like: + +```yaml +... +extraArgs: + tls-cert-file: /path/to/cert.pem + tls-key-file: /path/to/cert.key + +extraVolumes: + - name: ssl-cert + secret: + secretName: my-ssl-secret + +extraVolumeMounts: + - mountPath: /path/to/ + name: ssl-cert +... +``` + +With a secret called `my-ssl-secret`: + +```yaml +... +data: + cert.pem: AB..== + cert.key: CD..== +``` + +## Extra environment variable templating +The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template. +This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values + + +```yaml +... +tplValue: "This is a test value for the tpl function" +extraEnv: + - name: TEST_ENV_VAR_1 + value: test_value_1 + - name: TEST_ENV_VAR_2 + value: '{{ .Values.tplValue }}' +``` + +## Custom templates configuration +You can replace the default template files using a Kubernetes `configMap` volume. The default templates are the two files [sign_in.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/sign_in.html) and [error.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/error.html). + +```yaml +config: + configFile: | + ... 
+ custom_templates_dir = "/data/custom-templates" + +extraVolumes: + - name: custom-templates + configMap: + name: oauth2-proxy-custom-templates + +extraVolumeMounts: + - name: custom-templates + mountPath: "/data/custom-templates" + readOnly: true + +extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: oauth2-proxy-custom-templates + data: + sign_in.html: | + + + sign_in + + error.html: | + + + +

error

+

{{.StatusCode}}

+ + +``` +## Multi whitelist-domain configuration +For using multi whitelist-domain configuration for one Oauth2-proxy instance, you have to use the config.configFile section. + +It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file. +In this example, Google provider is used, but you can find all other provider configuration here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/) + +```yaml +config: + ... + clientID="$YOUR_GOOGLE_CLIENT_ID" + clientSecret="$YOUR_GOOGLE_CLIENT_SECRET" + cookieSecret="$YOUR_COOKIE_SECRET" + configFile: | + ... + email_domains = [ "*" ] + upstreams = [ "file:///dev/null" ] + cookie_secure = "false" + cookie_domains = [ ".domain.com", ".otherdomain.io" ] + whitelist_domains = [ ".domain.com", ".otherdomain.io"] + provider = "google" +``` diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml new file mode 100644 index 0000000000..fc2ba605ad --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml new file mode 100644 index 0000000000..92dc451807 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml @@ -0,0 +1,4 @@ +extraArgs: + pass-authorization-header: "true" + request-logging: "true" + allowed-role: client_id:client_role 
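Review bot: the "Multi whitelist-domain configuration" example at the end of the oauth2-proxy README pairs `cookie_secure = "false"` with `email_domains = [ "*" ]`, so anyone copying it gets a session cookie without the Secure attribute and a proxy that accepts any authenticated Google account across both cookie domains. Suggest showing `cookie_secure = "true"` and a concrete domain in `email_domains`, or stating in the text that these are local-test values. In the same example the keys under `config:` are written as `clientID="$YOUR_GOOGLE_CLIENT_ID"`, which is not a YAML mapping entry; they need the `clientID: "..."` form. The parameter table also documents `metrics.servicemonitor.*` while ci/servicemonitor-values.yaml sets `metrics.serviceMonitor.enabled`; values keys are case-sensitive, so one of the two does not match what the template reads.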
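Review bot: ci/extra-args-as-dict-values.yaml only covers quoted, truthy values, which hides a problem in the map branch of templates/deployment.yaml: `{{- if $value }}` falls through to a bare `- --{{ $key }}` for every falsy value, so an unquoted `pass-authorization-header: false` renders `--pass-authorization-header`, and a bare boolean flag is read as enabled. Suggest emitting `--{{ $key }}={{ ... }}` whenever the value is set (reserving the bare form for an explicitly empty value) and adding a CI values file with an unquoted `false` so the rendered args are checked for that case.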
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml new file mode 100644 index 0000000000..5f47a5f479 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml @@ -0,0 +1,5 @@ +extraArgs: + - "--pass-authorization-header=true" + - "--request-logging=true" + - --allowed-role=client_id:client_role_A + - --allowed-role=client_id_B:client_role_C diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml new file mode 100644 index 0000000000..357dba9153 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml @@ -0,0 +1,6 @@ +tplValue: "This is a test value for the template function" +extraEnv: + - name: TEST_ENV_VAR_1 + value: test_value_1 + - name: TEST_ENV_VAR_2 + value: '{{ .Values.tplValue }}' diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml new file mode 100644 index 0000000000..e74a393db0 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml @@ -0,0 +1,14 @@ +ingress: + enabled: true + path: / + pathType: ImplementationSpecific + hosts: + - chart-example.local + extraPaths: + - path: /* + pathType: ImplementationSpecific + backend: + service: + name: ssl-redirect + port: + name: use-annotation 
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml new file mode 100644 index 0000000000..25b16272a7 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml @@ -0,0 +1 @@ +replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1 diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml new file mode 100644 index 0000000000..b7c8cea546 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml @@ -0,0 +1,4 @@ +# Allocate a FSGroup that owns the pod’s volumes via podSecurityContext +--- +podSecurityContext: + fsGroup: 2000 diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml new file mode 100644 index 0000000000..e3418c39fa --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml @@ -0,0 +1,12 @@ +sessionStorage: + type: redis + redis: + clientType: "standalone" + password: "foo" +redis: + # provision an instance of the redis sub-chart + enabled: true + architecture: standalone + global: + redis: + password: "foo" diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml new file mode 100644 index 0000000000..9d31c28541 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml 
@@ -0,0 +1,4 @@ +metrics: + enabled: true + serviceMonitor: + enabled: true diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml new file mode 100644 index 0000000000..65977d921b --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml @@ -0,0 +1,21 @@ +extraEnv: + - name: TEST_ENV_VAR_2 + value: '{{ $.Release.Name }}' +ingress: + enabled: true + hosts: + - "{{ $.Release.Name }}.local" + tls: + - hosts: + - "{{ $.Release.Name }}.local" +oauth2-proxy: + checkDeprecation: false + config: + clientSecret: '{{ $.Release.Name }}' + configFile: | + oidc_issuer_url = "https://{{ $.Release.Name }}/dex" + +pass_authorization_header: "true" + +extraArgs: + pass-authorization-header: "{{ $.Values.pass_authorization_header }}" diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt new file mode 100644 index 0000000000..aa749e0b9d --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt @@ -0,0 +1,3 @@ +To verify that oauth2-proxy has started, run: + + kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.name" . }}" diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl new file mode 100644 index 0000000000..f959f10e49 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl 
@@ -0,0 +1,23 @@ +{{/* +Returns the appropriate apiVersion for podDisruptionBudget object. +*/}} +{{- define "capabilities.podDisruptionBudget.apiVersion" -}} +{{- if semverCompare ">=1.21-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} +{{- print "policy/v1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress object. +*/}} +{{- define "capabilities.ingress.apiVersion" -}} +{{- if semverCompare "<1.14-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl new file mode 100644 index 0000000000..87c64493b7 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl 
@@ -0,0 +1,110 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oauth2-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oauth2-proxy.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oauth2-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate basic labels +*/}} +{{- define "oauth2-proxy.labels" }} +helm.sh/chart: {{ include "oauth2-proxy.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: authentication-proxy +app.kubernetes.io/part-of: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "oauth2-proxy.selectorLabels" }} +app.kubernetes.io/name: {{ include "oauth2-proxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Get the secret name. 
+*/}} +{{- define "oauth2-proxy.secretName" -}} +{{- if .Values.config.existingSecret -}} +{{- printf "%s" .Values.config.existingSecret -}} +{{- else -}} +{{- printf "%s" (include "oauth2-proxy.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "oauth2-proxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.enabled -}} + {{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Redis subcharts fullname +*/}} +{{- define "oauth2-proxy.redis.fullname" -}} +{{- if .Values.redis.enabled -}} +{{- include "common.names.fullname" (dict "Chart" (dict "Name" "redis") "Release" .Release "Values" .Values.redis) -}} +{{- else -}} +{{ fail "attempting to use redis subcharts fullname, even though the subchart is not enabled. This will lead to misconfiguration" }} +{{- end -}} +{{- end -}} + +{{/* +Compute the redis url if not set explicitly. +*/}} +{{- define "oauth2-proxy.redis.StandaloneUrl" -}} +{{- if .Values.sessionStorage.redis.standalone.connectionUrl -}} +{{ .Values.sessionStorage.redis.standalone.connectionUrl }} +{{- else if .Values.redis.enabled -}} +{{- printf "redis://%s-master:%.0f" (include "oauth2-proxy.redis.fullname" .) .Values.redis.master.service.ports.redis -}} +{{- else -}} +{{ fail "please set sessionStorage.redis.standalone.connectionUrl or enable the redis subchart via redis.enabled" }} +{{- end -}} +{{- end -}} + +{{/* +Returns the version +*/}} +{{- define "oauth2-proxy.version" -}} +{{ trimPrefix "v" (lower (.Values.image.tag | default (printf "v%s" .Chart.AppVersion))) }} +{{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl new file mode 100644 index 0000000000..f4a3cad0e4 --- /dev/null 
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl @@ -0,0 +1,46 @@ +{{/* +Returns `true` if the API `ingressClassName` field is supported and `false` otherwise +*/}} +{{- define "ingress.supportsIngressClassName" -}} +{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns `true` if the API `pathType` field is supported and `false` otherwise +*/}} +{{- define "ingress.supportsPathType" -}} +{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the appropriate ingress `backend` fields depending on the Kubernetes API version. +e.g.: `{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}` +Where the dict must contain the following entries: +- `serviceName` {String} - Name of an existing service backend +- `servicePort` {String|Number} - Port name or port number of the service. +- `context` {Dict} - (Parent) Context for the template evaluation required for the API version detection. +*/}} +{{- define "ingress.backend" -}} +{{- $apiVersion := ( include "capabilities.ingress.apiVersion" .context ) -}} +{{- if or ( eq $apiVersion "extensions/v1beta1" ) ( eq $apiVersion "networking.k8s.io/v1beta1" ) -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or ( typeIs "int" .servicePort ) ( typeIs "float64" .servicePort ) }} + number: {{ .servicePort }} + {{- end }} +{{- end -}} +{{- end -}} 
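Review bot: in the `ingress.backend` helper of templates/_ingress.tpl, the usage line in the doc comment calls `include "common.ingress.backend"`, but the template defined here is `ingress.backend`, so the comment points callers at a different name. The `port:` block also has no fallback: a `servicePort` that is neither a string, an int nor a float64 (for example nil from a missing values key) renders an empty `port:`. Suggest correcting the name in the comment and adding an `{{- else }}` branch that calls `fail` with a clear message, as `oauth2-proxy.redis.fullname` already does. The `.Values.kubeVersion` override read by these helpers and by _capabilities.tpl is not listed in the README parameter table.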
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml new file mode 100644 index 0000000000..7ba0273ab2 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml @@ -0,0 +1,32 @@ +{{- if .Values.alphaConfig.enabled }} +{{- if not .Values.alphaConfig.existingConfig }} +apiVersion: v1 +kind: ConfigMap +metadata: +{{- if .Values.alphaConfig.annotations }} + annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} + {{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-alpha +data: + oauth2_proxy.yml: | + --- + server: + BindAddress: '0.0.0.0:4180' + {{- if .Values.alphaConfig.serverConfigData }} + {{- toYaml .Values.alphaConfig.serverConfigData | nindent 6 }} + {{- end }} + {{- if .Values.metrics.enabled }} + metricsServer: + BindAddress: '0.0.0.0:44180' + {{- if .Values.alphaConfig.metricsConfigData }} + {{- toYaml .Values.alphaConfig.metricsConfigData | nindent 6 }} + {{- end }} + {{- end }} + {{- if .Values.alphaConfig.configData }} + {{- toYaml .Values.alphaConfig.configData | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml new file mode 100644 index 0000000000..cf4e77eaaa --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml 
@@ -0,0 +1,17 @@ +{{- if .Values.authenticatedEmailsFile.enabled }} +{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.authenticatedEmailsFile.annotations }} + annotations: +{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} +{{- end }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist +data: + {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml new file mode 100644 index 0000000000..8a19ccb943 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{- if not .Values.config.existingConfig }} +{{- if .Values.config.configFile }} +apiVersion: v1 +kind: ConfigMap +metadata: +{{- if .Values.config.annotations }} + annotations: +{{ toYaml .Values.config.annotations | indent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +data: + oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml new file mode 100644 index 0000000000..4523591231 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml 
@@ -0,0 +1,345 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 8 }} + {{- end }} + name: {{ template "oauth2-proxy.fullname" . }} +spec: + replicas: {{ .Values.replicaCount }} + {{- if .Values.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if .Values.alphaConfig.enabled }} + checksum/alpha-config: {{ include (print $.Template.BasePath "/configmap-alpha.yaml") . | sha256sum }} + {{- end }} + checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }} + checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} +{{- if .Values.htpasswdFile.enabled }} + checksum/htpasswd: {{ include (print $.Template.BasePath "/secret-htpasswd-file.yaml") . | sha256sum }} +{{- end }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} + {{- include "oauth2-proxy.labels" . | indent 8 }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }} + automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }} + {{- if .Values.hostAlias.enabled }} + hostAliases: + - ip: {{ .Values.hostAlias.ip }} + hostnames: + - {{ .Values.hostAlias.hostname }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}" + #image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{- if .Values.alphaConfig.enabled }} + - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml + {{- else }} + - --http-address=0.0.0.0:4180 + - --https-address=0.0.0.0:4443 + {{- if .Values.metrics.enabled }} + - --metrics-address=0.0.0.0:44180 + {{- end }} + {{- end }} + {{- if .Values.config.cookieName }} + - --cookie-name={{ .Values.config.cookieName }} + {{- end }} + {{- if kindIs "map" .Values.extraArgs }} + {{- range $key, $value := .Values.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ tpl ($value | toString) $ }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- end }} + {{- if kindIs "slice" .Values.extraArgs }} + {{- with .Values.extraArgs }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- end }} + {{- if or .Values.config.existingConfig .Values.config.configFile }} + - --config=/etc/oauth2_proxy/oauth2_proxy.cfg + {{- end }} + {{- if .Values.authenticatedEmailsFile.enabled }} + {{- if .Values.authenticatedEmailsFile.template }} + - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} + {{- else }} + - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list + {{- end }} + {{- end }} + {{- with .Values.config.google }} + {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }} + - --google-admin-email={{ .adminEmail }} + {{- if .useApplicationDefaultCredentials }} + - --google-use-application-default-credentials=true + {{- else }} + - --google-service-account-json=/google/service-account.json + {{- end }} + {{- if .targetPrincipal }} + - --google-target-principal={{ .targetPrincipal }} + {{- end }} + {{- end }} + {{- if .groups }} + {{- range $group := .groups }} + - --google-group={{ $group }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.htpasswdFile.enabled }} + - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt + {{- end }} + env: + {{- if .Values.proxyVarsAsSecrets }} + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . 
}} + key: cookie-secret + {{- end }} + {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }} + - name: OAUTH2_PROXY_SESSION_STORE_TYPE + value: "redis" + {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}} + - name: OAUTH2_PROXY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.sessionStorage.redis.existingSecret }} + name: {{ .Values.sessionStorage.redis.existingSecret }} + {{- else if .Values.sessionStorage.redis.password }} + name: {{ template "oauth2-proxy.fullname" . }}-redis-access + {{- else }} + name: {{ include "oauth2-proxy.redis.fullname" . }} + {{- end }} + key: {{ .Values.sessionStorage.redis.passwordKey }} + {{- end }} + {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} + - name: OAUTH2_PROXY_REDIS_CONNECTION_URL + value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} + - name: OAUTH2_PROXY_REDIS_USE_CLUSTER + value: "true" + - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} + - name: OAUTH2_PROXY_REDIS_USE_SENTINEL + value: "true" + - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME + value: {{ .Values.sessionStorage.redis.sentinel.masterName }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} + {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }} + name: {{ .Values.sessionStorage.redis.sentinel.existingSecret 
| default .Values.sessionStorage.redis.existingSecret }} + {{- else }} + name: {{ template "oauth2-proxy.fullname" . }}-redis-access + {{- end }} + key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.extraEnv }} +{{ tpl (toYaml .Values.extraEnv) . | indent 8 }} + {{- end }} + ports: + {{- if .Values.containerPort }} + - containerPort: {{ .Values.containerPort }} + {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }} + - containerPort: 4180 + {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }} + - containerPort: 4443 + {{- else }} + {{- end}} + name: {{ .Values.httpScheme }} + protocol: TCP +{{- if .Values.metrics.enabled }} + - containerPort: 44180 + protocol: TCP + name: metrics +{{- end }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /ping + port: {{ .Values.httpScheme }} + scheme: {{ .Values.httpScheme | upper }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ if gt (include "oauth2-proxy.version" .) 
"7.4.0" }}/ready{{ else }}/ping{{ end }} + port: {{ .Values.httpScheme }} + scheme: {{ .Values.httpScheme | upper }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} +{{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: +{{- with .Values.config.google }} +{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} + - name: google-secret + mountPath: /google + readOnly: true +{{- end }} +{{- end }} +{{- if or .Values.config.existingConfig .Values.config.configFile }} + - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg + name: configmain + subPath: oauth2_proxy.cfg +{{- end }} +{{- if .Values.alphaConfig.enabled }} + - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml + name: configalpha + subPath: oauth2_proxy.yml +{{- end }} +{{- if .Values.authenticatedEmailsFile.enabled }} + - mountPath: /etc/oauth2-proxy + name: configaccesslist + readOnly: true +{{- end }} +{{- if .Values.htpasswdFile.enabled }} + - mountPath: /etc/oauth2_proxy/htpasswd + name: {{ template "oauth2-proxy.fullname" . 
}}-htpasswd-file + readOnly: true +{{- end }} +{{- if ne (len .Values.extraVolumeMounts) 0 }} +{{ toYaml .Values.extraVolumeMounts | indent 8 }} +{{- end }} +{{- if .Values.securityContext.enabled }} +{{- $securityContext := unset .Values.securityContext "enabled" }} + securityContext: + {{- toYaml $securityContext | nindent 10 }} +{{- end }} +{{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 6 }} +{{- end }} + volumes: +{{- with .Values.config.google }} +{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} + - name: google-secret + secret: + secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }} +{{- end }} +{{- end }} + +{{- if .Values.htpasswdFile.enabled }} + - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file + secret: + secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }} +{{- end }} + +{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }} + - name: configaccesslist + secret: + items: + - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} +{{- if .Values.authenticatedEmailsFile.template }} + path: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + path: authenticated-emails-list +{{- end }} +{{- if .Values.authenticatedEmailsFile.template }} + secretName: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist +{{- end }} +{{- end }} + +{{- if or .Values.config.existingConfig .Values.config.configFile }} + - configMap: + defaultMode: 420 + name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . 
}}{{ end }} + name: configmain +{{- end }} +{{- if .Values.alphaConfig.enabled }} + - configMap: + defaultMode: 420 + name: {{ if .Values.alphaConfig.existingConfig }}{{ .Values.alphaConfig.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + name: configalpha +{{- end }} +{{- if ne (len .Values.extraVolumes) 0 }} +{{ toYaml .Values.extraVolumes | indent 6 }} +{{- end }} +{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} + - configMap: +{{- if .Values.authenticatedEmailsFile.template }} + name: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist +{{- end }} + items: + - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} +{{- if .Values.authenticatedEmailsFile.template }} + path: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + path: authenticated-emails-list +{{- end }} + name: configaccesslist +{{- end }} + + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml new file mode 100644 index 0000000000..126d3e7a18 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml 
@@ -0,0 +1,12 @@ +{{- if .Values.checkDeprecation }} + {{- if .Values.service.port }} + {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }} + {{- end }} + {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}} + {{- range .Values.ingress.extraPaths }} + {{- if or (.backend.serviceName) (.backend.servicePort) }} + {{ fail "Please update the format of your `ingress.extraPaths` to the new ingress apiVersion `networking.k8s.io/v1` format" }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml new file mode 100644 index 0000000000..a9bb3b6ba8 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml new file mode 100644 index 0000000000..5703273d93 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-google +type: Opaque +data: + service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }} +{{- end -}} 
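Review bot: the guard on the first line of google-secret.yaml never checks that `config.google.serviceAccountJson` is set, yet the `data` line pipes that value straight into `b64enc`. Any non-empty `config.google` that has neither `existingSecret` nor `useApplicationDefaultCredentials` (for example one that sets only `groups`) reaches that line with an unset value. deployment.yaml mounts the `google-secret` volume only under `and .adminEmail (or .serviceAccountJson .existingSecret)`; adding `.Values.config.google.serviceAccountJson` to the `and` here would keep the Secret and its mount in step.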
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml new file mode 100644 index 0000000000..73fd758d16 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml @@ -0,0 +1,40 @@ +{{- if .Values.ingress.enabled -}} +{{- $serviceName := include "oauth2-proxy.fullname" . -}} +{{- $servicePort := .Values.service.portNumber -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ include "capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +{{- with .Values.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }} + ingressClassName: {{ .Values.ingress.className | quote }} + {{- end }} + rules: + {{- range $host := .Values.ingress.hosts }} + - host: {{ tpl $host $ | quote }} + http: + paths: +{{- if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if eq "true" ( include "ingress.supportsPathType" $ ) }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: {{- include "ingress.backend" ( dict "serviceName" $serviceName "servicePort" $servicePort "context" $ ) | nindent 14 }} + {{- end -}} + {{- if .Values.ingress.tls }} + tls: +{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }} + {{- end -}} +{{- end -}} 
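Review bot: `rules:` in ingress.yaml is populated only by `range $host := .Values.ingress.hosts`, and values.yaml ships `hosts` commented out, so setting `ingress.enabled: true` on its own renders an Ingress whose `rules:` key has no entries. Suggest failing at render time when `ingress.enabled` is true and `ingress.hosts` is empty, in the same way deprecation.yaml uses `fail`, and documenting in values.yaml that `hosts` is mandatory once the ingress is enabled.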
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..7cdbbbeabb --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }} +apiVersion: {{ include "capabilities.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +spec: + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml new file mode 100644 index 0000000000..7a1555d8b3 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml 
@@ -0,0 +1,22 @@ +{{- $name := include "oauth2-proxy.name" . -}} +{{- $fullName := include "oauth2-proxy.fullname" . -}} +{{- $labels := include "oauth2-proxy.labels" . -}} +{{- with .Values.sessionStorage }} +{{- if and (eq .type "redis") (not .redis.existingSecret) (or .redis.password .redis.sentinel.password) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ $name }} + {{- $labels | indent 4 }} + name: {{ $fullName }}-redis-access +type: Opaque +data: + {{- if and .redis.password (not .redis.existingSecret) }} + {{ .redis.passwordKey }}: {{ .redis.password | b64enc | quote }} + {{- end }} + {{- if and .redis.sentinel.password (not .redis.sentinel.existingSecret) (ne .redis.sentinel.passwordKey .redis.passwordKey) }} + {{ .redis.sentinel.passwordKey }}: {{ .redis.sentinel.password | b64enc | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml new file mode 100644 index 0000000000..ce79db1dce --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml 
@@ -0,0 +1,18 @@ +{{- if .Values.authenticatedEmailsFile.enabled }} +{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "secret") }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.authenticatedEmailsFile.annotations }} + annotations: +{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }} +{{- end }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist +data: + {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }} +{{- end }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml new file mode 100644 index 0000000000..44fe67e96a --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file +type: Opaque +stringData: + users.txt: |- + {{- range $entries := .Values.htpasswdFile.entries }} + {{ $entries }} + {{- end -}} +{{- end }} \ No newline at end of file diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml new file mode 100644 index 0000000000..c9b3791f89 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml 
@@ -0,0 +1,18 @@ +{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }} +apiVersion: v1 +kind: Secret +metadata: +{{- if .Values.config.annotations }} + annotations: +{{ toYaml .Values.config.annotations | indent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +type: Opaque +data: + cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }} + client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }} + client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }} +{{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml new file mode 100644 index 0000000000..d9563ac283 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml 
@@ -0,0 +1,54 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} + type: ClusterIP + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{end}} +{{- else if eq .Values.service.type "LoadBalancer" }} + type: {{ .Values.service.type }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} + {{- end -}} +{{- else }} + type: {{ .Values.service.type }} +{{- end }} + ports: + - port: {{ .Values.service.portNumber }} + targetPort: {{ .Values.httpScheme }} + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + protocol: TCP + {{- with .Values.service.appProtocol }} + appProtocol: {{ . }} + {{- end }} + name: {{ .Values.httpScheme }} + {{- if and .Values.metrics.enabled .Values.metrics.port }} + - port: {{ .Values.metrics.port }} + protocol: TCP + {{- with .Values.metrics.service.appProtocol }} + appProtocol: {{ . }} + {{- end }} + targetPort: metrics + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.metrics.nodePort))) }} + nodePort: {{ .Values.metrics.nodePort }} + {{- end }} + name: metrics + {{- end }} + selector: + {{- include "oauth2-proxy.selectorLabels" . | indent 4 }} 
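Review bot: the second entry under `ports:` in service.yaml publishes the metrics port on the same Service as the proxy port, and values.yaml defaults `metrics.enabled: true` with `metrics.port: 44180`. With `service.type` set to `LoadBalancer` or `NodePort`, the listener started by `--metrics-address=0.0.0.0:44180` in deployment.yaml is therefore exposed wherever the proxy is, and the hunk even offers `metrics.nodePort`. Suggest moving the metrics port to its own ClusterIP Service for the ServiceMonitor to select, or defaulting `metrics.enabled` to false, and noting the exposure next to `metrics.nodePort` in values.yaml.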
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml new file mode 100644 index 0000000000..6d0a9d7c59 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if or .Values.serviceAccount.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.serviceAccountName" . }} +automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml new file mode 100644 index 0000000000..9c29d1bfd1 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml 
@@ -0,0 +1,31 @@ +{{- if and .Values.metrics.enabled .Values.metrics.servicemonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "oauth2-proxy.fullname" . }} +{{- if .Values.metrics.servicemonitor.namespace }} + namespace: {{ .Values.metrics.servicemonitor.namespace }} +{{- else }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} + labels: + prometheus: {{ .Values.metrics.servicemonitor.prometheusInstance }} + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.metrics.servicemonitor.labels }} +{{ toYaml .Values.metrics.servicemonitor.labels | indent 4}} +{{- end }} +spec: + jobLabel: {{ template "oauth2-proxy.fullname" . }} + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + path: "/metrics" + interval: {{ .Values.metrics.servicemonitor.interval }} + scrapeTimeout: {{ .Values.metrics.servicemonitor.scrapeTimeout }} +{{- end }} diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml new file mode 100644 index 0000000000..8f81e15d03 --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml 
@@ -0,0 +1,364 @@ +global: + quayRepository: quay.io + +# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). +# This is especially useful for `helm template` as capabilities are always empty +# due to the fact that it doesn't query an actual cluster +kubeVersion: + +# Oauth client configuration specifics +config: + # Add config annotations + annotations: {} + # OAuth client ID + clientID: "XXXXXXX" + # OAuth client secret + clientSecret: "XXXXXXXX" + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields) + # Example: + # existingSecret: secret + cookieSecret: "XXXXXXXXXXXXXXXX" + # The name of the cookie that oauth2-proxy will create + # If left empty, it will default to the release name + cookieName: "" + google: {} + # adminEmail: xxxx + # useApplicationDefaultCredentials: true + # targetPrincipal: xxxx + # serviceAccountJson: xxxx + # Alternatively, use an existing secret (see google-secret.yaml for required fields) + # Example: + # existingSecret: google-secret + # groups: [] + # Example: + # - group1@example.com + # - group2@example.com + # Default configuration, to be overridden + configFile: |- + email_domains = [ "*" ] + upstreams = [ "file:///dev/null" ] + # Custom configuration file: oauth2_proxy.cfg + # configFile: |- + # pass_basic_auth = false + # pass_access_token = true + # Use an existing config map (see configmap.yaml for required fields) + # Example: + # existingConfig: config + +alphaConfig: + enabled: false + # Add config annotations + annotations: {} + # Arbitrary configuration data to append to the server section + serverConfigData: {} + # Arbitrary configuration data to append to the metrics section + metricsConfigData: {} + # Arbitrary configuration data to append + configData: {} + # Use an existing config map (see configmap-alpha.yaml for required fields) + existingConfig: ~ + 
+image: + #repository: "quay.io/oauth2-proxy/oauth2-proxy" + repository: "oauth2-proxy/oauth2-proxy" + # appVersion is used by default + tag: "" + pullPolicy: "IfNotPresent" + +# Optionally specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. +# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod +# imagePullSecrets: + # - name: myRegistryKeySecretName + +# Set a custom containerPort if required. +# This will default to 4180 if this value is not set and the httpScheme set to http +# This will default to 4443 if this value is not set and the httpScheme set to https +# containerPort: 4180 + +extraArgs: {} +extraEnv: [] + +# -- Custom labels to add into metadata +customLabels: {} + +# To authorize individual email addresses +# That is part of extraArgs but since this needs special treatment we need to do a separate section +authenticatedEmailsFile: + enabled: false + # Defines how the email addresses file will be projected, via a configmap or secret + persistence: configmap + # template is the name of the configmap what contains the email user list but has been configured without this chart. + # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. + # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the + # provided value in restrictedUserAccessKey field. + template: "" + # The configmap/secret key under which the list of email access is stored + # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility + restrictedUserAccessKey: "" + # One email per line + # example: + # restricted_access: |- + # name1@domain + # name2@domain + # If you override the config with restricted_access it will configure a user list within this chart what takes care of the + # config map resource. 
+ restricted_access: "" + annotations: {} + # helm.sh/resource-policy: keep + +service: + type: ClusterIP + # when service.type is ClusterIP ... + # clusterIP: 192.0.2.20 + # when service.type is LoadBalancer ... + # loadBalancerIP: 198.51.100.40 + # loadBalancerSourceRanges: 203.0.113.0/24 + # when service.type is NodePort ... + # nodePort: 80 + portNumber: 80 + # Protocol set on the service + appProtocol: http + annotations: {} + # foo.io/bar: "true" + +## Create or use ServiceAccount +serviceAccount: + ## Specifies whether a ServiceAccount should be created + enabled: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + automountServiceAccountToken: true + annotations: {} + +ingress: + enabled: false + # className: nginx + path: / + # Only used if API capabilities (networking.k8s.io/v1) allow it + pathType: ImplementationSpecific + # Used to create an Ingress record. + # hosts: + # - chart-example.local + # Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) + # extraPaths: + # - path: /* + # pathType: ImplementationSpecific + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # tls: + # Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # limits: + # cpu: "100m" + # memory: "300Mi" + # requests: + # cpu: "100m" + # memory: "300Mi" + +extraVolumes: [] + # - name: ca-bundle-cert + # secret: + # secretName: + +extraVolumeMounts: [] + # - mountPath: /etc/ssl/certs/ + # name: ca-bundle-cert + +# Additional containers to be added to the pod. 
+extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + +priorityClassName: "" + +# Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts. +hostAlias: + enabled: false + # ip: "10.xxx.xxx.xxx" + # hostname: "auth.example.com" + +# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. +# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling +# topologySpreadConstraints: [] + +# Affinity for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +# affinity: {} + +# Tolerations for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Node labels for pod assignment +# Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables +proxyVarsAsSecrets: true + +# Configure Kubernetes liveness and readiness probes. +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +# Disable both when deploying with Istio 1.0 mTLS. 
https://istio.io/help/faq/security/#k8s-health-checks +livenessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + +# Configure Kubernetes security context for container +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: + enabled: false + runAsNonRoot: true + # allowPrivilegeEscalation: false + # runAsUser: 2000 + +deploymentAnnotations: {} +podAnnotations: {} +podLabels: {} +replicaCount: 1 +revisionHistoryLimit: 10 + +## PodDisruptionBudget settings +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +podDisruptionBudget: + enabled: true + minAvailable: 1 + +# Configure Kubernetes security context for pod +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +podSecurityContext: {} + +# whether to use http or https +httpScheme: http + +# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption. +# Alternatively supply an existing secret which contains the required information. +htpasswdFile: + enabled: false + existingSecret: "" + entries: {} + # One row for each user + # example: + # entries: + # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy + +# Configure the session storage type, between cookie and redis +sessionStorage: + # Can be one of the supported session storage cookie|redis + type: cookie + redis: + # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) + existingSecret: "" + # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. 
`sessionStorage.redis.existingSecret` takes precedence + password: "" + # Key of the Kubernetes secret data containing the redis password value + passwordKey: "redis-password" + # Can be one of standalone|cluster|sentinel + clientType: "standalone" + standalone: + # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set + connectionUrl: "" + cluster: + # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + sentinel: + # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` + existingSecret: "" + # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` + password: "" + # Key of the Kubernetes secret data containing the redis sentinel password value + passwordKey: "redis-sentinel-password" + # Redis sentinel master name + masterName: "" + # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + +# Enables and configure the automatic deployment of the redis subchart +redis: + # provision an instance of the redis sub-chart + enabled: false + # Redis specific helm chart settings, please see: + # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters + # redisPort: 6379 + # cluster: + # enabled: false + # slaveCount: 1 + +# Enables apiVersion deprecation checks +checkDeprecation: true + +metrics: + # Enable Prometheus metrics endpoint + enabled: true + # Serve Prometheus metrics on this port + port: 44180 + # when service.type is NodePort ... 
+ # nodePort: 44180 + # Protocol set on the service for the metrics port + service: + appProtocol: http + servicemonitor: + # Enable Prometheus Operator ServiceMonitor + enabled: false + # Define the namespace where to deploy the ServiceMonitor resource + namespace: "" + # Prometheus Instance definition + prometheusInstance: default + # Prometheus scrape interval + interval: 60s + # Prometheus scrape timeout + scrapeTimeout: 30s + # Add custom labels to the ServiceMonitor resource + labels: {} + +# Extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: oauth2-proxy-secrets-store + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "oauth2-proxy" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client-id" + # - path: "client_secret" + # objectAlias: "client-secret" + # - path: "cookie_secret" + # objectAlias: "cookie-secret" + # secretObjects: + # - data: + # - key: client-id + # objectName: client-id + # - key: client-secret + # objectName: client-secret + # - key: cookie-secret + # objectName: cookie-secret + # secretName: oauth2-proxy-secrets-store + # type: Opaque diff --git a/kubernetes/platform/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/values.yaml new file mode 100644 index 0000000000..81a9986d3d --- /dev/null +++ b/kubernetes/platform/components/oauth2-proxy/values.yaml 
@@ -0,0 +1,74 @@ +onap-oauth2-proxy: + # Oauth client configuration specifics + config: + cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA=" + configFile: |- + email_domains = [ "*" ] # Restrict to these E-Mail Domains, a wildcard "*" allows any email + + alphaConfig: + enabled: true + configData: + providers: + - clientID: "oauth2-proxy" + clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp" + id: oidc-istio + provider: oidc # We use the generic 'oidc' provider + loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth + #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token + redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token + profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo + validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo + scope: "openid email profile groups" + #allowedGroups: + # - admins # List all groups managed at our your IdP which should be allowed access + # - infrateam + # - anothergroup + oidcConfig: + emailClaim: email # Name of the clain in JWT containing the E-Mail + groupsClaim: groups # Name of the claim in JWT containing the Groups + userIDClaim: email # Name of the claim in JWT containing the User ID + audienceClaims: ["aud"] + insecureAllowUnverifiedEmail: true + insecureSkipIssuerVerification: true + skipDiscovery: true # You can try using the well-knwon endpoint directly for auto discovery, here we won't use it + issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP + jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs + upstreamConfig: + upstreams: + - id: static_200 + path: / + static: true + staticCode: 200 + # Headers that should be added to responses from the proxy + injectResponseHeaders: # Send this headers in responses from oauth2-proxy + - name: 
X-Auth-Request-Preferred-Username + values: + - claim: preferred_username + - name: X-Auth-Request-Email + values: + - claim: email + + extraArgs: + cookie-secure: "false" + cookie-domain: ".simpledemo.onap.org" # Replace with your base domain + cookie-samesite: lax + cookie-expire: 12h # How long our Cookie is valid + auth-logging: true # Enable / Disable auth logs + request-logging: true # Enable / Disable request logs + standard-logging: true # Enable / Disable the standart logs + show-debug-on-error: true # Disable in production setups + skip-provider-button: true # We only have one provider configured (Keycloak) + silence-ping-logging: true # Keeps our logs clean + whitelist-domain: ".simpledemo.onap.org" # Replace with your base domain + + # Enables and configure the automatic deployment of the redis subchart + redis: + # provision an instance of the redis sub-chart + enabled: false + + +serviceAccount: + nameOverride: oauth2-proxy + roles: + - read + diff --git a/kubernetes/platform/components/oom-cert-service/Chart.yaml b/kubernetes/platform/components/oom-cert-service/Chart.yaml index 30da403445..c71653b778 100644 --- a/kubernetes/platform/components/oom-cert-service/Chart.yaml +++ b/kubernetes/platform/components/oom-cert-service/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP Cert Service name: oom-cert-service -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: cmpv2Config - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml index fd317703e3..8f49424b54 100644 
--- a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml @@ -14,4 +14,57 @@ # limitations under the License. */}} +{{- if .Values.global.cmpv2Enabled }} {{ include "certManagerCertificate.certificate" . }} +{{- end -}} + +{{- if (include "common.onServiceMesh" .) }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ingress-ca-certificate + namespace: {{ .Values.tls.issuer.ingressCa.namespace }} +spec: + isCA: true + commonName: "{{ .Values.global.ingress.virtualhost.baseurl }}" #not important as it is self signed + secretName: {{ .Values.tls.issuer.ingressCa.secret.name }} + usages: + - server auth + - client auth + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: {{ .Values.tls.issuer.ingressSelfsigned.name }} + kind: Issuer + group: cert-manager.io +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ingress-selfsigned-certificate + namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }} +spec: + secretName: ingress-tls-secret + privateKey: + rotationPolicy: Always + algorithm: RSA + encoding: PKCS1 + size: 4096 + duration: 9000h0m0s # 1 Year + renewBefore: 4000h0m0s #9 months + commonName: "*.{{ .Values.global.ingress.virtualhost.baseurl }}" +# usages: +# - server auth +# - client auth + dnsNames: + - {{ .Values.global.ingress.virtualhost.baseurl }} + - "*.{{ .Values.global.ingress.virtualhost.baseurl }}" + - "*.*.{{ .Values.global.ingress.virtualhost.baseurl }}" + - "*.*.*.{{ .Values.global.ingress.virtualhost.baseurl }}" + issuerRef: + name: {{ .Values.tls.issuer.ingressCa.name }} + kind: Issuer + group: cert-manager.io +{{- end -}} diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml index 5f80a7dc75..4c97359714 100644 
--- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml @@ -33,8 +33,7 @@ spec: {{- end }} {{- end }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} volumes: {{- if .Values.global.addTestingComponents }} - name: cmp-servers-template-volume @@ -57,7 +56,7 @@ spec: command: - /app/ready.py args: - - --container-name + - --service-name - ejbca-ejbca env: - name: NAMESPACE @@ -67,6 +66,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - name: subsitute-envs image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml index 9047ab73d3..1220ad35a9 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if .Values.global.cmpv2Enabled }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: 
@@ -29,4 +30,25 @@ metadata: namespace: {{ include "common.namespace" . }} spec: ca: - secretName: {{ .Values.tls.issuer.ca.secret.name }} \ No newline at end of file + secretName: {{ .Values.tls.issuer.ca.secret.name }} +{{- end -}} + +{{- if (include "common.onServiceMesh" .) }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.ingressSelfsigned.name }} + namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.ingressCa.name }} + namespace: {{ .Values.tls.issuer.ingressCa.namespace }} +spec: + ca: + secretName: {{ .Values.tls.issuer.ingressCa.secret.name }} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index c74fe9b2c0..52e7649d6f 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -22,6 +22,16 @@ global: # Standard OOM pullPolicy: "Always" repository: "nexus3.onap.org:10001" + ingress: + enabled: true + # All http requests via ingress will be redirected + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # tls: + # secret: 'my-ingress-cert' + # optional: Namespace of the Istio IngressGateway + namespace: &ingressNamespace istio-ingress # Service configuration @@ -34,7 +44,7 @@ service: # Deployment configuration repository: "nexus3.onap.org:10001" -image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.5.0 +image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.6.0 pullPolicy: Always replicaCount: 1 
@@ -51,18 +61,18 @@ flavor: small resources: small: limits: - cpu: 0.5 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.2 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 1 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 0.4 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} @@ -82,6 +92,14 @@ tls: name: &caIssuer cmpv2-issuer-onap secret: name: &caKeyPairSecret cmpv2-ca-key-pair + ingressSelfsigned: + name: ingress-selfsigned-issuer + namespace: *ingressNamespace + ingressCa: + name: ingress-ca-issuer + namespace: *ingressNamespace + secret: + name: ingress-ca-key-pair server: secret: name: &serverSecret oom-cert-service-server-tls-secret diff --git a/kubernetes/platform/values.yaml b/kubernetes/platform/values.yaml index a30dabbcc2..5cc7612473 100644 --- a/kubernetes/platform/values.yaml +++ b/kubernetes/platform/values.yaml @@ -32,6 +32,18 @@ global: # Application configuration defaults. ################################################################# +# Control deployment of Platform services at ONAP installation time +chartmuseum: + enabled: true +cmpv2-cert-provider: + enabled: true +oom-cert-service: + enabled: true +keycloak-init: + enabled: false +oauth2-proxy: + enabled: false + flavor: small # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml index 803298aadc..b305ef48e1 100755 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2022 Nordix Foundation +# Modifications Copyright © 2021, 2022, 2023, 2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,77 +18,82 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' + condition: global.mariadbGalera.localCluster - name: policy-nexus - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-nexus' condition: policy-nexus.enabled - name: policy-api - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-api' condition: policy-api.enabled - name: policy-pap - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-pap' condition: policy-pap.enabled - name: policy-xacml-pdp - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-xacml-pdp' condition: policy-xacml-pdp.enabled - name: policy-apex-pdp - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-apex-pdp' condition: policy-apex-pdp.enabled - name: policy-drools-pdp - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled - name: policy-distribution - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled - - name: policy-clamp-be - version: ~11.x-0 - repository: 'file://components/policy-clamp-be' - condition: policy-clamp-be.enabled - name: policy-clamp-ac-k8s-ppnt - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-ac-k8s-ppnt' condition: policy-clamp-ac-k8s-ppnt.enabled - name: policy-clamp-ac-http-ppnt - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-ac-http-ppnt' condition: policy-clamp-ac-http-ppnt.enabled + - name: policy-clamp-ac-a1pms-ppnt + version: ~14.x-0 + repository: 'file://components/policy-clamp-ac-a1pms-ppnt' + condition: policy-clamp-ac-a1pms-ppnt.enabled + - name: 
policy-clamp-ac-kserve-ppnt + version: ~14.x-0 + repository: 'file://components/policy-clamp-ac-kserve-ppnt' + condition: policy-clamp-ac-kserve-ppnt.enabled - name: policy-clamp-ac-pf-ppnt - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-ac-pf-ppnt' condition: policy-clamp-ac-pf-ppnt.enabled - name: policy-clamp-runtime-acm - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - name: policy-gui - version: ~11.x-0 + version: ~14.x-0 repository: 'file://components/policy-gui' condition: policy-gui.enabled - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster diff --git a/kubernetes/policy/Makefile b/kubernetes/policy/Makefile index 51d7de122c..08ed7cb9da 100755 --- a/kubernetes/policy/Makefile +++ b/kubernetes/policy/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
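Review bot: In the `SKIP_LINT` conditional added to kubernetes/policy/Makefile, `ifneq ($(SKIP_LINT),TRUE)` skips linting only for the exact value `TRUE`, so `true` or `1` still run `helm lint`, and nothing near the conditional names the variable or its accepted value. Add a one-line comment above it. Because `package-%` depends on `lint-%`, that comment should also say that charts built with the switch set are packaged without having been linted.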
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/policy/components/Makefile b/kubernetes/policy/components/Makefile index f4c9784bc4..9544d70f33 100755 --- a/kubernetes/policy/components/Makefile +++ b/kubernetes/policy/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml index 92af552fac..c8a2862326 100755 
--- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +22,15 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 0c9d6a504f..441955f1ed 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -5,10 +5,10 @@ "port": 6969, "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", - "https": true, + "https": "false", "prometheus": true }, - "pdpStatusParameters":{ + "pdpStatusParameters": { "pdpGroup": "defaultGroup", "timeIntervalMs": 120000, "pdpType":"apex", 
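Review bot: In the REST server block (the one with `"port": 6969`), `"https": "false"` replaces a JSON boolean with a string, while `"prometheus": true` on the next line stays a boolean. Use `"https": false` so the outcome does not depend on how the parser coerces a string. With HTTPS switched off, the `${RESTSERVER_USER}` / `${RESTSERVER_PASSWORD}` credentials configured in the same block are no longer protected by TLS at the application layer, so the chart should state what provides transport encryption instead (for example the service mesh).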
@@ -25,18 +25,29 @@ ] }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : true, - "fetchTimeout": 15000, - "topicCommInfrastructure" : "dmaap" - }], - "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : true, - "topicCommInfrastructure" : "dmaap" - }] + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + }}], + "topicSinks" : [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } + }] } } diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml new file mode 100755 index 0000000000..de3e6d1004 --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml 
@@ -0,0 +1,115 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2018 Ericsson. All rights reserved. +# Modifications Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright © 2022 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: ["/bin/sh", "-cx"] + args: + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; + cd /config-input && for PFILE in `ls -1`; + do envsubst <${PFILE} >/config/${PFILE}; done + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . 
}}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} + volumeMounts: + - mountPath: /config-input + name: apexconfig-input + - mountPath: /config + name: apexconfig + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: [ "/bin/sh", "-cx" ] + args: + - id apexuser; + cat /home/apexuser/config/OnapPfConfig.json; + /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json + ports: {{ include "common.containerPorts" . | nindent 12 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{- end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: REPLICAS + value: "{{ .Values.replicaCount }}" + volumeMounts: + - mountPath: /var/log/onap + name: policy-logs + - mountPath: /home/apexuser/config + name: apexconfig + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: policy-logs + emptyDir: {} + - name: apexconfig-input + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: apexconfig + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..4259381afe --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} + diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml index e28331baca..f96e81074e 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml 
@@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,29 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - sessionAffinity: None +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml deleted file mode 100755 index 4d9ff9250e..0000000000 --- a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2018 Ericsson. All rights reserved. -# Modifications Copyright (C) 2020 AT&T Intellectual Property. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "truststore-pass" "key" "password") | indent 10 }} - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-pass" "key" "password") | indent 10 }} - - name: RESTSERVER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} - - name: RESTSERVER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: apexconfig-input - - mountPath: /config - name: apexconfig - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["sh","-c"] - args: ["if [ -f {{ .Values.certInitializer.credsPath }}/.ci ]; then \ - . 
{{ .Values.certInitializer.credsPath }}/.ci; fi;\ - /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json"] - ports: - - containerPort: {{ .Values.service.externalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.externalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{- end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.externalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: REPLICAS - value: "{{ .Values.replicaCount }}" -{{- if not .Values.global.aafEnabled }} - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-pass" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-pass" "key" "password") | indent 12 }} -{{- end }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/log/onap - name: policy-logs - - mountPath: /home/apexuser/config - name: apexconfig - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: policy-logs - emptyDir: {} - - name: apexconfig-input - configMap: - name: {{ include "common.fullname" . 
}}-configmap - defaultMode: 0755 - - name: apexconfig - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml index db5251913e..3cea773d0f 100755 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -1,6 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. +# Modifications Copyright © 2022 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +24,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true persistence: {} ################################################################# 
@@ -34,22 +35,19 @@ secrets: externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' - - uid: truststore-pass - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: keystore-pass - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required + - uid: policy-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:2.7.3 +image: onap/policy-apex-pdp:3.1.0 pullPolicy: Always # flag to enable debugging - application support required 
@@ -60,29 +58,6 @@ debugEnabled: false restServer: user: healthcheck password: zb!XztG34 -truststore: - password: Pol1cy_0nap -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-apex-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 101 - gid: 102 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); # default number of instances replicaCount: 1 @@ -106,32 +81,37 @@ readiness: service: type: ClusterIP name: policy-apex-pdp - portName: policy-apex-pdp - externalPort: 6969 internalPort: 6969 - nodePort: 37 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account @@ -149,7 +129,7 @@ metrics: enabled: true port: policy-apex-pdp interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-apex-pdp-restserver-creds 
@@ -160,3 +140,28 @@ metrics: chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' release: '{{ include "common.release" . }}' heritage: '{{ .Release.Service }}' + +# application configuration +config: +# Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-apex + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-apex + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml index d317b9e513..32c22cbe6c 100755 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -21,18 +22,15 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index e6cf2b3571..4e73dc0b5b 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml @@ -1,5 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2022 AT&T Intellectual Property. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,6 +20,10 @@ server: port: {{ .Values.service.internalPort }} + ssl: + enabled: false + servlet: + context-path: /policy/api/v1 spring: security.user: @@ -25,7 +31,8 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" 
@@ -40,6 +47,27 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy +{{ else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort}}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} policy-api: name: ApiGroup @@ -49,7 +77,7 @@ database: name: PolicyProviderParameterGroup implementation: org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl driver: org.mariadb.jdbc.Driver - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin + url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin user: "${SQL_USER}" password: "${SQL_PASSWORD}" persistenceUnit: PolicyDb @@ -57,6 +85,7 @@ database: policy-preload: policyTypes: - policytypes/onap.policies.monitoring.tcagen2.yaml + - policytypes/onap.policies.monitoring.tcagen2.v2.yaml - policytypes/onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server.yaml - policytypes/onap.policies.monitoring.dcae-restconfcollector.yaml - policytypes/onap.policies.monitoring.dcae-pm-subscription-handler.yaml diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
+++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index f19233e3b4..8de035e5d1 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml 
@@ -1,30 +1,22 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: @@ -34,6 +26,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: 
@@ -56,26 +55,13 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 8 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/api/bin/policy-api.sh /opt/app/policy/api/etc/mounted/apiParameters.yaml"] -{{- else }} command: ["/opt/app/policy/api/bin/policy-api.sh"] args: ["/opt/app/policy/api/etc/mounted/apiParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -92,21 +78,16 @@ spec: httpHeaders: - name: Authorization value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }} - scheme: {{ .Values.readiness.scheme }} + scheme: HTTP successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/api/etc/mounted name: apiconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -117,10 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: apiconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -128,5 +105,4 @@ spec: - name: apiconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-api/templates/service.yaml b/kubernetes/policy/components/policy-api/templates/service.yaml index a1b5585db6..abb9a44bbe 100755 --- a/kubernetes/policy/components/policy-api/templates/service.yaml +++ b/kubernetes/policy/components/policy-api/templates/service.yaml 
@@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,28 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml index 0e3ada8956..530f021d85 100755 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml 
@@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +24,8 @@ global: nodePortPrefix: 304 persistence: {} - aafEnabled: true + postgres: + localCluster: false ################################################################# # Secrets metaconfig 
@@ -41,45 +43,12 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-api-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:2.6.3 +image: onap/policy-api:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -87,11 +56,13 @@ debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin 
@@ -116,7 +87,6 @@ readiness: initialDelaySeconds: 10 periodSeconds: 120 api: /policy/api/v1/healthcheck - scheme: HTTPS successThreshold: 1 failureThreshold: 3 timeout: 60 @@ -124,30 +94,35 @@ readiness: service: type: ClusterIP name: policy-api - portName: policy-api - externalPort: 6969 internalPort: 6969 - nodePort: 40 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account @@ -165,7 +140,7 @@ metrics: enabled: true port: policy-api interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-api-user-creds diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml new file mode 100755 index 0000000000..e35dd3d6f0 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml 
@@ -0,0 +1,33 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022-2024 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy Clamp A1PMS Participant +name: policy-clamp-ac-a1pms-ppnt +version: 14.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml new file mode 100755 index 0000000000..31aa1b746a --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml 
@@ -0,0 +1,85 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + autoconfigure: + exclude: + - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration + - org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration + security: + user: + name: ${RESTSERVER_USER} + password: ${RESTSERVER_PASSWORD} + +security: + enable-csrf: false + +participant: + intermediaryParameters: + reportingTimeIntervalMs: 120000 + description: Participant Description + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c00 + clampAutomationCompositionTopics: + topicSources: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + topicSinks: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.A1PMSAutomationCompositionElement + typeVersion: 1.0.1 + + +management: + endpoints: + web: + base-path: / + exposure: + include: health, metrics, prometheus +server: + port: 8086 + servlet: + context-path: /onap/policy/clamp/acm/a1pmsparticipant + ssl: + enabled: false + + diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml new file mode 100755 index 0000000000..b0d310e3de --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml 
@@ -0,0 +1,103 @@ + + + + + + /var/log/onap/policy/a1pms-participant/error.log + + /var/log/onap/policy/a1pms-participant/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + WARN + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/a1pms-participant/debug.log + + /var/log/onap/policy/a1pms-participant/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/a1pms-participant/network.log + + /var/log/onap/policy/a1pms-participant/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml new file mode 100755 index 0000000000..4a0c2aaef4 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml @@ -0,0 +1,36 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{- if .Values.a1pmsconfig }} +{{ tpl (.Files.Glob "resources/config/A1pmsParticipantParameters.yaml").AsConfig . | indent 2 }} +{{ toYaml .Values.a1pmsconfig | indent 4 }} +{{- end }} +{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} 
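Review bot: in the data section, A1pmsParticipantParameters.yaml is rendered only inside the "if .Values.a1pmsconfig" guard, but the deployment added in this change always starts the container with /opt/app/policy/clamp/etc/mounted/A1pmsParticipantParameters.yaml as its argument. An override that empties a1pmsconfig yields a ConfigMap without that key and a pod that fails at startup rather than at render time. Render the file unconditionally and guard only the toYaml line, or fail the render when a1pmsconfig is missing. The toYaml output is appended at indent 4 so that it lands inside the rendered file's block scalar; a short template comment saying so would help the next editor.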
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml new file mode 100755 index 0000000000..d34da146a5 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml 
@@ -0,0 +1,96 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022-2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + volumeMounts: + - mountPath: /config-input + name: ac-a1pms-ppnt-config + - mountPath: /config + name: ac-a1pms-ppnt-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . 
}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/opt/app/policy/clamp/bin/a1pms-participant.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/A1pmsParticipantParameters.yaml"] + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-a1pms-ppnt-config-processed + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + volumes: + - name: ac-a1pms-ppnt-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: ac-a1pms-ppnt-config-processed + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} 
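Review bot: the init container command runs envsubst with no variable list over every file in /config-input, so any ${...} sequence in the mounted files is replaced, and names that are not set in this container's env become empty strings. Pass the expected names explicitly, for example envsubst '${RESTSERVER_USER} ${RESTSERVER_PASSWORD} ${SASL_JAAS_CONFIG}', and iterate with a glob (for PFILE in *) instead of the backticked ls -1. Separately, serviceAccountName uses the "create" suffix here while the http participant deployment in the same change uses "read"; please state why this participant needs a different role, or align it with read.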
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml new file mode 100755 index 0000000000..3401d7f01f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} 
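Review bot: common.secretFast here renders the entries under secrets: in this chart's values.yaml, and that file, added in the same change, ships a literal default for restServer.password next to passwordPolicy: required. Every installation that does not override it runs with the same REST credential, and the value now lives in the repository history. Leave the default empty so a deployment has to supply restServer.password or restServer.credsExternalSecret.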
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml new file mode 100644 index 0000000000..19f522a71e --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml new file mode 100755 index 0000000000..5954d657f1 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml 
@@ -0,0 +1,140 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022-2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-clamp-ac-a1pms-ppnt:7.1.0 +pullPolicy: Always + +componentName: &componentName policy-clamp-ac-a1pms-ppnt + +# application configuration +restServer: + user: participantUser + password: zb!XztG34 + +a1pmsconfig: + a1pms: + baseUrl: http://a1policymanagement.onap:8081 + headers: + content-type: application/json + endpoints: + health: /a1-policy/v2/rics + services: /a1-policy/v2/services + service: /a1-policy/v2/services/{service_id} + +# flag to enable debugging - application support required +debugEnabled: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: http-a1pms-api + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: http-a1pms-api + +service: + type: ClusterIP + name: *componentName + ports: + - name: http-a1pms-api + port: 8086 + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - create + +config: +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. 
+# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index 2fa60d513d..faa7014a79 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2022, 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,18 +19,16 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' + diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index 406b59c545..a04c37fe3d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml 
+++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,24 +17,16 @@ # ============LICENSE_END========================================================= spring: + autoconfigure: + exclude: > + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration, + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration, + org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration security: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} -{{- if .Values.config.useStrimziKafka }} - kafka: - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} -{{- end }} -{{- if .Values.config.additional }} -{{ toYaml .Values.config.additional | nindent 2 }} -{{- end }} security: enable-csrf: false 
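Review bot: this hunk removes the block that rendered .Values.config.additional under spring, but values.yaml for this chart, changed further down in the same commit, still carries the comment telling users to add properties under config.additional. After this change such overrides are silently ignored. Either keep the additional block or remove that comment and the now empty config: key from values.yaml. The same removal drops the non-Strimzi path (config.eventPublisher), which deserves a mention in the commit message.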
@@ -42,26 +34,40 @@ participant: intermediaryParameters: reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: HttpParticipant0 - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.HttpParticipant - version: 2.3.4 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c01 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + - + useHttps: false fetchTimeout: 15000 - useHttps: true + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: true + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.HttpAutomationCompositionElement + typeVersion: 1.0.0 + management: endpoints: @@ -72,3 +78,6 @@ server: port: 8084 servlet: context-path: /onap/httpparticipant + ssl: + enabled: false + 
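Review bot: server.ssl.enabled: false at the end of this file, together with useHttps: false and security.protocol: SASL_PLAINTEXT in the topic parameters above it, means the basic-auth REST credentials from spring.security.user and all Kafka traffic are unencrypted at the pod level. If the intent is that the service mesh provides transport encryption, say so in a comment here or in the commit message, and consider making the protocol a value so that clusters running without the mesh can select SASL_SSL and enable server.ssl.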
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml index 044be0ff70..e502c1a091 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -38,10 +38,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-http-ppnt-config 
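Review bot: SASL_JAAS_CONFIG now comes from a secretKeyRef whose name is built as common.name plus "-ku", and the useStrimziKafka guard around it is gone, so the pod cannot start until that Secret exists. Nothing in this hunk ties the name to what common.kafkauser creates, and it is derived from common.name while the ConfigMap volume in the same template uses common.fullname. Please confirm the two names always match, including when the release name is part of the resource names, and add a comment naming the template that produces the Secret.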
@@ -50,24 +51,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/http-participant.sh /opt/app/policy/clamp/etc/mounted/HttpParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/http-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/HttpParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -84,14 +73,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-http-ppnt-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -102,10 +86,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-http-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -113,5 +93,4 @@ spec: - name: ac-http-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 5f8aa3b5a1..17e4d31968 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +21,10 @@ ################################################################# global: persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
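Review bot: the &acRuntimeTopic anchor defined under global.kafkaTopics is reused as *acRuntimeTopic in kafkaUser.acls at the end of this file, but YAML aliases are resolved when values.yaml is parsed. An override of global.kafkaTopics.acRuntimeTopic.name from a parent chart or from --set changes the topic the templates render and leaves the ACL on the default name, so the participant would not be authorized for the topic it is configured to use. Derive the ACL name from the same value inside the template, or document that both must be overridden together. The global block also defines no kafkaBootstrap although the parameters file renders .Values.global.kafkaBootstrap into servers; add a default or a comment that the parent chart must supply it.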
@@ -33,54 +36,16 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-http-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:6.2.3 +image: onap/policy-clamp-ac-http-ppnt:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-http-ppnt + # application configuration restServer: user: participantUser 
@@ -98,9 +63,14 @@ affinity: {} ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
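Review bot: authorizedPrincipals lists only the strimzi-kafka-read service account, yet the participant is a Kafka client, so the broker is not an obvious caller of its http-api port. Assuming common.authorizationPolicy restricts inbound callers, please list the workloads that actually call this service (whatever reads the health and metrics endpoints, for instance) or explain why the Kafka account needs access. The liveness initialDelaySeconds change from 20 to 60 in the same hunk is unexplained; a line in the commit message would help.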
@@ -108,65 +78,54 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-http-ppnt - useNodePortExt: true + name: *componentName ports: - name: http-api port: 8084 - nodePort: 42 - flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-http-ppnt + nameOverride: *componentName roles: - read config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index 2ca3762603..aa6d08a3de 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml 
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2021-2022, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +21,15 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml index 6c14fd2207..14deab557b 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml 
@@ -17,24 +17,16 @@ # ============LICENSE_END========================================================= spring: + autoconfigure: + exclude: > + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration, + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration, + org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration security: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} -{{- if .Values.config.useStrimziKafka }} - kafka: - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} -{{- end }} -{{- if .Values.config.additional }} -{{ toYaml .Values.config.additional | nindent 2 }} -{{- end }} security: enable-csrf: false 
@@ -44,28 +36,39 @@ participant: intermediaryParameters: reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: K8sParticipant0 - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.KubernetesParticipant - version: 2.3.4 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c02 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + useHttps: false fetchTimeout: 15000 - useHttps: true + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: true + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.K8SMicroserviceAutomationCompositionElement + typeVersion: 1.0.0 management: endpoints: @@ -79,6 +82,9 @@ server: port: 8083 servlet: context-path: /onap/policy/clamp/acm/k8sparticipant + ssl: + enabled: false + logging: # Configuration of logging 
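Review bot: With `useHttps: false` and `security.protocol: SASL_PLAINTEXT` on both topicSources and topicSinks, plus the new `server.ssl.enabled: false`, this participant authenticates to Kafka with SCRAM but carries topic traffic and its basic-auth REST traffic on port 8083 without TLS at the application layer. SASL_PLAINTEXT was already present in the removed `spring.kafka` block, so that part is carried over rather than new, but with certInitializer gone the file should state what is expected to protect transport (the added authorizationpolicy.yaml suggests a service mesh) and what the posture is when that layer is absent. Separately, `group.id: {{ (first .Values.kafkaUser.acls).name }}` only works while the group ACL is the first entry of `kafkaUser.acls`; an override that reorders the list would silently make the topic name the consumer group, so select the entry by `type: group` or use a dedicated value.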
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml index 54c595cc8f..8a6cf830ca 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml 
@@ -29,9 +29,8 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} {{- if .Values.repoList }} {{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }} {{ toYaml .Values.repoList | indent 4 }} -{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} -{{- end }} \ No newline at end of file +{{- end }} +{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml index e8650fe350..cfc2fc7fac 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
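Review bot: In templates/configmap.yaml (the `@@ -29,9 +29,8 @@` hunk), dropping the unconditional `*.{xml,yaml}` glob means KubernetesParticipantParameters.yaml is now rendered only inside `{{- if .Values.repoList }}`. If an override leaves `repoList` empty, the ConfigMap carries no parameters file while the container args in deployment.yaml still point at `/opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml`. Render the file unconditionally and keep only the `toYaml .Values.repoList` line inside the conditional. The file also still ends without a trailing newline.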
@@ -38,10 +38,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-k8s-ppnt-config 
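Review bot: The `SASL_JAAS_CONFIG` variable is now unconditional and reads `sasl.jaas.config` from a secret whose name is assembled by hand as `{{ include "common.name" . }}-ku`, while the KafkaUser itself is produced by `{{ include "common.kafkauser" . }}` in the new kafkauser.yaml. If the helper's naming and this literal `-ku` suffix ever diverge, the init container cannot be created because the secret is missing; deriving both names from one helper removes that coupling. Dropping the `useStrimziKafka` guard also removes the externally supplied credential path that the old `jaasConfExternalSecret` value offered, which should be called out in the commit message or values.yaml if it is intentional.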
@@ -50,24 +51,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/kubernetes-participant.sh /opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -84,14 +73,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-k8s-ppnt-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -102,10 +86,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-k8s-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -113,5 +93,4 @@ spec: - name: ac-k8s-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 2cf8d2d723..407f5dd724 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,10 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
@@ -34,54 +37,16 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-k8s-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:6.2.3 +image: onap/policy-clamp-ac-k8s-ppnt:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-k8s-ppnt + # flag to enable debugging - application support required debugEnabled: false 
@@ -98,7 +63,7 @@ nodeSelector: {} affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -106,43 +71,46 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-k8s-ppnt - useNodePortExt: true + name: *componentName ports: - name: http-api port: 8083 - nodePort: 42 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-k8s-ppnt + nameOverride: *componentName roles: - create # Update the config here for permitting repositories and protocols 
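Review bot: `serviceMesh.authorizationPolicy.authorizedPrincipals` lists only `serviceAccount: strimzi-kafka-read`, with no comment saying what that principal calls on `http-api` (8083). The participant's parameters file makes it a Kafka client (topicSources/topicSinks), so an inbound allow for a Kafka-related account needs a one-line justification, and it is worth confirming whether any other caller of the REST endpoint should be listed as well. In the same hunk the `small` flavor's memory limit drops from 4Gi to 1Gi with the request equal to the limit; please confirm that sizing was measured rather than copied.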
@@ -161,26 +129,20 @@ repoList: - https config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] + diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml new file mode 100755 index 0000000000..44c80ff879 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml 
@@ -0,0 +1,33 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023-2024 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy Clamp Kserve Participant +name: policy-clamp-ac-kserve-ppnt +version: 14.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml new file mode 100755 index 0000000000..89cf9494a3 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml 
@@ -0,0 +1,100 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + cloud: + kubernetes: + enabled: false + discovery: + enabled: false + security: + user: + name: ${RESTSERVER_USER} + password: ${RESTSERVER_PASSWORD} + autoconfigure: + exclude: + - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration + - org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration + - io.kubernetes.client.spring.extended.manifests.config.KubernetesManifestsAutoConfiguration + - io.kubernetes.client.spring.extended.network.config.KubernetesLoadBalancerAutoConfiguration + +security: + enable-csrf: false + +participant: + intermediaryParameters: + reportingTimeIntervalMs: 120000 + description: Participant Description + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c04 + clampAutomationCompositionTopics: + topicSources: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + 
topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + topicSinks: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.KserveAutomationCompositionElement + typeVersion: 1.0.1 + - + typeName: org.onap.policy.clamp.acm.AutomationCompositionElement + typeVersion: 1.0.0 + +customresourcedefinition: + group: serving.kserve.io + version: v1beta1 + plural: inferenceservices + grace-period: 10 + +management: + endpoints: + web: + base-path: / + exposure: + include: health, metrics, prometheus +server: + port: 8087 + servlet: + context-path: /onap/policy/clamp/acm/kserveparticipant + ssl: + enabled: false + + diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml new file mode 100755 index 0000000000..897d62a487 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml 
@@ -0,0 +1,103 @@ + + + + + + /var/log/onap/policy/kserve-participant/error.log + + /var/log/onap/policy/kserve-participant/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + WARN + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/kserve-participant/debug.log + + /var/log/onap/policy/kserve-participant/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/kserve-participant/network.log + + /var/log/onap/policy/kserve-participant/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml new file mode 100755 index 0000000000..d3e2833904 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml @@ -0,0 +1,32 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml new file mode 100755 index 0000000000..8574979cbc --- /dev/null 
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml 
@@ -0,0 +1,96 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + volumeMounts: + - mountPath: /config-input + name: ac-kserve-ppnt-config + - mountPath: /config + name: ac-kserve-ppnt-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . 
}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/opt/app/policy/clamp/bin/kserve-participant.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/KserveParticipantParameters.yaml"] + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-kserve-ppnt-config-processed + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + volumes: + - name: ac-kserve-ppnt-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: ac-kserve-ppnt-config-processed + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} 
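Review bot: Neither the `update-config` init container nor the main container in this new Deployment sets a `securityContext`, and the pod runs under the service account (`common.fullname` with suffix `create`) that service.yaml in this same change binds to `cluster-admin`. Add at least `runAsNonRoot`, `allowPrivilegeEscalation: false` and dropped capabilities, here or through a shared helper. Two smaller points: `defaultMode: 0755` marks the mounted config files executable although the init container only reads them, and the init command's loop over `ls -1` output splits on whitespace where `for PFILE in *` would not.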
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml new file mode 100755 index 0000000000..b7e7364eab --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml new file mode 100755 index 0000000000..339fe339c5 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} 
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml new file mode 100644 index 0000000000..ac5ee0b72f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml @@ -0,0 +1,38 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + namespace: {{ include "common.namespace" . }} 
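Review bot: This file is named service.yaml but defines no Service; it contains a ClusterRoleBinding whose `roleRef` is `name: cluster-admin`, which gives the participant's service account full control of the whole cluster. The participant's parameters file in this change names a single custom resource (`group: serving.kserve.io`, `plural: inferenceservices`), so a dedicated ClusterRole or namespaced Role limited to that resource and the verbs actually used should replace `cluster-admin`. In addition, `metadata.namespace` has no effect on a cluster-scoped ClusterRoleBinding, and none of the templates added for this chart in the diff renders the `service:` block from values.yaml (port 8087, `kserve-api`); rename this file to match its content and add the Service template if one is intended.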
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml new file mode 100755 index 0000000000..6f737a0c23 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml 
@@ -0,0 +1,130 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-clamp-ac-kserve-ppnt:7.1.0 +pullPolicy: Always + +componentName: &componentName policy-clamp-ac-kserve-ppnt + +# application configuration +restServer: + user: participantUser + password: zb!XztG34 + +# flag to enable debugging - application support required +debugEnabled: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: kserve-api + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: kserve-api + +service: + type: ClusterIP + name: *componentName + ports: + - name: kserve-api + port: 8087 + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "700Mi" + requests: + cpu: "0.5" + memory: "700Mi" + large: + limits: + cpu: "2" + memory: "1.4Gi" + requests: + cpu: "1" + memory: "1.4Gi" + unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - create + +config: +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. +# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index fc9d432047..f860393f43 100644 
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2022, 2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,18 +19,15 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index 856b16d91d..1cd4ba318c 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,24 +17,16 @@ # ============LICENSE_END========================================================= spring: + autoconfigure: + exclude: > + org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration, + org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration, + org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration security: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} -{{- if .Values.config.useStrimziKafka }} - kafka: - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} -{{- end }} -{{- if .Values.config.additional }} -{{ toYaml .Values.config.additional | nindent 2 }} -{{- end }} security: enable-csrf: false @@ -47,7 +39,7 @@ participant: port: 6969 userName: ${API_USER} password: ${API_PASSWORD} - useHttps: true + useHttps: "false" allowSelfSignedCerts: true policyPapParameters: clientName: pap 
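Review bot: in `policyApiParameters`, `useHttps` goes from `true` to the quoted string `"false"` while `userName: ${API_USER}` and `password: ${API_PASSWORD}` are still sent to port 6969, so from the application's side these basic-auth credentials no longer travel over TLS. If transport protection is now expected from the service mesh, state that in a comment beside the setting. `allowSelfSignedCerts: true` has no effect once HTTPS is off and would quietly relax certificate checking if HTTPS is switched back on, so remove it or set it to `false`. The quoting is also inconsistent with the unquoted `useHttps: false` this same patch writes under `topicSources` and `topicSinks`; pick one form.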
@@ -55,33 +47,44 @@ participant: port: 6969 userName: ${PAP_USER} password: ${PAP_PASSWORD} - useHttps: true + useHttps: "false" allowSelfSignedCerts: true intermediaryParameters: reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: org.onap.PM_Policy - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.PolicyParticipant - version: 2.3.1 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c03 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + useHttps: false fetchTimeout: 15000 - useHttps: true + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: true + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.PolicyAutomationCompositionElement + typeVersion: 1.0.0 management: endpoints: @@ -93,3 +96,6 @@ server: port: 8085 servlet: context-path: /onap/policyparticipant + ssl: + enabled: false + 
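Review bot: in the `@@ -55,33 +47,44 @@` hunk, `group.id: {{ (first .Values.kafkaUser.acls).name }}` and the matching `client.id` use whichever entry happens to come first in `kafkaUser.acls`. If an override lists the `type: topic` entry first, the consumer group silently becomes the topic name, which the `type: group` ACL does not cover. Select the entry by `type: group`, or reference a dedicated value, rather than relying on list order. Separately, `security.protocol: SASL_PLAINTEXT` authenticates with SCRAM but leaves the Kafka traffic unencrypted at the client, and the last hunk sets `ssl: enabled: false` for the server on port 8085; a comment naming what provides transport encryption for both would help whoever audits this chart.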
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml index a127885cce..9026309fa1 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -46,10 +46,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-pf-ppnt-config 
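Review bot: the new `SASL_JAAS_CONFIG` entry hand-builds the secret name as `{{ include "common.name" . }}-ku`, where the removed lines resolved it by uid through `common.secret.envFromSecretFast`, and nothing in the hunk says what creates a secret with that `-ku` suffix. Add a comment naming the template that produces it, or take the name from a shared helper, so that a naming change in one place cannot leave the `update-config` container referencing a secret that does not exist. The `.Values.config.useStrimziKafka` guard is dropped as well, so the secret is now required on every install; if that is intended, mention it in the chart notes for deployments that previously set the flag to false.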
@@ -58,24 +59,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/policy-participant.sh /opt/app/policy/clamp/etc/mounted/PolicyParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/policy-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/PolicyParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -92,14 +81,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-pf-ppnt-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -110,10 +94,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-pf-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -121,5 +101,4 @@ spec: - name: ac-pf-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index 6fefa02783..b763699019 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +21,10 @@ ################################################################# global: persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
@@ -45,54 +48,16 @@ secrets: login: '{{ .Values.restServer.pap.user }}' password: '{{ .Values.restServer.pap.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-pf-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:6.2.3 +image: onap/policy-clamp-ac-pf-ppnt:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-pf-ppnt + # flag to enable debugging - application support required debugEnabled: false 
@@ -114,12 +79,18 @@ restServer: nodeSelector: {} affinity: {} + ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
@@ -127,63 +98,55 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-pf-ppnt - useNodePortExt: true + name: *componentName + internalPort: 8085 ports: - name: http-api port: 8085 - nodePort: 42 flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-pf-ppnt + nameOverride: *componentName roles: - read config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-be/Chart.yaml b/kubernetes/policy/components/policy-clamp-be/Chart.yaml deleted file mode 100644 index 9b0cdf6a87..0000000000 
--- a/kubernetes/policy/components/policy-clamp-be/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Policy Clamp Backend -name: policy-clamp-be -version: 11.0.0 - -dependencies: - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties b/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties deleted file mode 100644 index 03e55e15f5..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/application.properties +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# ONAP CLAMP -# ================================================================================ -# Copyright (C) 2017-2019 AT&T Intellectual Property. All rights -# reserved. -# ================================================================================ -# Modifications copyright (c) 2019 Nokia -# Modifications Copyright (c) 2022 Nordix Foundation -# ================================================================================\ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-# ============LICENSE_END============================================ -# =================================================================== -# -### -*/}} -{{- if .Values.global.aafEnabled }} -server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} -server.ssl.key-store-password=${cadi_keystore_password_p12} -server.ssl.key-password=${cadi_key_password} -server.ssl.key-store-type=PKCS12 -server.ssl.key-alias={{ .Values.certInitializer.fqi }} - -# The key file used to decode the key store and trust store password -# If not defined, the key store and trust store password will not be decrypted -clamp.config.keyFile=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keyFile }} - -## Config part for Client certificates -server.ssl.client-auth=want -server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} -server.ssl.trust-store-password=${cadi_truststore_password} -{{- end }} - -#clds datasource connection details -spring.datasource.username=${MYSQL_USER} -spring.datasource.password=${MYSQL_PASSWORD} -spring.datasource.url=jdbc:mariadb:sequential://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyclamp?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3 -spring.profiles.active=clamp-default,clamp-aaf-authentication,clamp-sdc-controller,clamp-ssl-config,clamp-policy-controller,default-dictionary-elements - -#The log folder that will be used in logback.xml file -clamp.config.files.sdcController=file:/opt/policy/clamp/sdc-controllers-config-pass.json - -# -# Configuration Settings for Policy Engine Components -clamp.config.policy.api.url=https://policy-api.{{ include "common.namespace" . }}:6969 -clamp.config.policy.api.userName=policyadmin -clamp.config.policy.api.password=zb!XztG34 -clamp.config.policy.pap.url=https://policy-pap.{{ include "common.namespace" . 
}}:6969 -clamp.config.policy.pap.userName=policyadmin -clamp.config.policy.pap.password=zb!XztG34 - -#DCAE Inventory Url Properties -clamp.config.dcae.inventory.url=https://inventory.{{ include "common.namespace" . }}:8080 -clamp.config.dcae.dispatcher.url=https://deployment-handler.{{ include "common.namespace" . }}:8443 -#DCAE Deployment Url Properties -clamp.config.dcae.deployment.url=https://deployment-handler.{{ include "common.namespace" . }}:8443 -clamp.config.dcae.deployment.userName=none -clamp.config.dcae.deployment.password=none - -#AAF related parameters -clamp.config.cadi.aafLocateUrl=https://aaf-locate.{{ include "common.namespace" . }}:8095 - -# Configuration settings for ControlLoop Runtime Rest API -clamp.config.acm.runtime.url=https://policy-clamp-runtime-acm.{{ include "common.namespace" . }}:6969 -clamp.config.acm.runtime.userName=${RUNTIME_USER} -clamp.config.acm.runtime.password=${RUNTIME_PASSWORD} diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh deleted file mode 100755 index ad9984c26c..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/sh -{{/* -# Copyright © 2017 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018, 2020-2021 AT&T Intellectual Property -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" -f policyclamp < /dbcmd-config/policy-clamp-create-tables.sql diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/log/filebeat/filebeat.yml b/kubernetes/policy/components/policy-clamp-be/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 8717e6f33a..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.log.logstashServiceName}}:{{.Values.config.log.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. 
- loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/policy-clamp-create-tables.sql b/kubernetes/policy/components/policy-clamp-be/resources/config/policy-clamp-create-tables.sql deleted file mode 100644 index 1652dc18c3..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/policy-clamp-create-tables.sql +++ /dev/null 
@@ -1,275 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * Copyright (C) 2021 Nordix Foundation - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * SPDX-License-Identifier: Apache-2.0 - * ============LICENSE_END========================================================= - */ - -create table if not exists dictionary ( - name varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - dictionary_second_level integer, - dictionary_type varchar(255), - primary key (name) - ) engine=InnoDB; - -create table if not exists dictionary_elements ( - short_name varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - description varchar(255) not null, - name varchar(255) not null, - subdictionary_name varchar(255), - type varchar(255) not null, - primary key (short_name) - ) engine=InnoDB; - -create table if not exists dictionary_to_dictionaryelements ( - dictionary_name varchar(255) not null, - dictionary_element_short_name varchar(255) not null, - primary key (dictionary_name, dictionary_element_short_name) - ) engine=InnoDB; - -create table if not exists hibernate_sequence ( - next_val bigint -) engine=InnoDB; - -insert into 
hibernate_sequence values ( 1 ); - -create table if not exists loop_element_models ( - name varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - blueprint_yaml MEDIUMTEXT, - dcae_blueprint_id varchar(255), - loop_element_type varchar(255) not null, - short_name varchar(255), - primary key (name) - ) engine=InnoDB; - -create table if not exists loop_logs ( - id bigint not null, - log_component varchar(255) not null, - log_instant datetime(6) not null, - log_type varchar(255) not null, - message MEDIUMTEXT not null, - loop_id varchar(255) not null, - primary key (id) - ) engine=InnoDB; - -create table if not exists loop_templates ( - name varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - allowed_loop_type varchar(255), - blueprint_yaml MEDIUMTEXT, - dcae_blueprint_id varchar(255), - maximum_instances_allowed integer, - svg_representation MEDIUMTEXT, - unique_blueprint boolean default false, - service_uuid varchar(255), - primary key (name) - ) engine=InnoDB; - -create table if not exists loopelementmodels_to_policymodels ( - loop_element_name varchar(255) not null, - policy_model_type varchar(255) not null, - policy_model_version varchar(255) not null, - primary key (loop_element_name, policy_model_type, policy_model_version) - ) engine=InnoDB; - -create table if not exists loops ( - name varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - dcae_deployment_id varchar(255), - dcae_deployment_status_url varchar(255), - global_properties_json json, - last_computed_state varchar(255) not null, - svg_representation MEDIUMTEXT, - loop_template_name varchar(255) not null, - service_uuid varchar(255), - primary key (name) - ) engine=InnoDB; - 
-create table if not exists loops_to_microservicepolicies ( - loop_name varchar(255) not null, - microservicepolicy_name varchar(255) not null, - primary key (loop_name, microservicepolicy_name) - ) engine=InnoDB; - -create table if not exists looptemplates_to_loopelementmodels ( - loop_element_model_name varchar(255) not null, - loop_template_name varchar(255) not null, - flow_order integer not null, - primary key (loop_element_model_name, loop_template_name) - ) engine=InnoDB; - -create table if not exists micro_service_policies ( - name varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - configurations_json json, - json_representation json not null, - pdp_group varchar(255), - pdp_sub_group varchar(255), - context varchar(255), - dcae_blueprint_id varchar(255), - dcae_deployment_id varchar(255), - dcae_deployment_status_url varchar(255), - device_type_scope varchar(255), - shared bit not null, - loop_element_model_id varchar(255), - policy_model_type varchar(255), - policy_model_version varchar(255), - primary key (name) - ) engine=InnoDB; - -create table if not exists operational_policies ( - name varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - configurations_json json, - json_representation json not null, - pdp_group varchar(255), - pdp_sub_group varchar(255), - loop_element_model_id varchar(255), - policy_model_type varchar(255), - policy_model_version varchar(255), - loop_id varchar(255) not null, - primary key (name) - ) engine=InnoDB; - -create table if not exists policy_models ( - policy_model_type varchar(255) not null, - version varchar(255) not null, - created_by varchar(255), - created_timestamp datetime(6) not null, - updated_by varchar(255), - updated_timestamp datetime(6) not null, - policy_acronym varchar(255), - policy_tosca 
MEDIUMTEXT, - policy_pdp_group json, - primary key (policy_model_type, version) - ) engine=InnoDB; - -create table if not exists services ( - service_uuid varchar(255) not null, - name varchar(255) not null, - resource_details json, - service_details json, - version varchar(255), - primary key (service_uuid) - ) engine=InnoDB; - -alter table dictionary_to_dictionaryelements - add constraint FK68hjjinnm8nte2owstd0xwp23 - foreign key (dictionary_element_short_name) - references dictionary_elements (short_name); - -alter table dictionary_to_dictionaryelements - add constraint FKtqfxg46gsxwlm2gkl6ne3cxfe - foreign key (dictionary_name) - references dictionary (name); - -alter table loop_logs - add constraint FK1j0cda46aickcaoxqoo34khg2 - foreign key (loop_id) - references loops (name); - -alter table loop_templates - add constraint FKn692dk6281wvp1o95074uacn6 - foreign key (service_uuid) - references services (service_uuid); - -alter table loopelementmodels_to_policymodels - add constraint FK23j2q74v6kaexefy0tdabsnda - foreign key (policy_model_type, policy_model_version) - references policy_models (policy_model_type, version); - -alter table loopelementmodels_to_policymodels - add constraint FKjag1iu0olojfwryfkvb5o0rk5 - foreign key (loop_element_name) - references loop_element_models (name); - -alter table loops - add constraint FK844uwy82wt0l66jljkjqembpj - foreign key (loop_template_name) - references loop_templates (name); - -alter table loops - add constraint FK4b9wnqopxogwek014i1shqw7w - foreign key (service_uuid) - references services (service_uuid); - -alter table loops_to_microservicepolicies - add constraint FKle255jmi7b065fwbvmwbiehtb - foreign key (microservicepolicy_name) - references micro_service_policies (name); - -alter table loops_to_microservicepolicies - add constraint FK8avfqaf7xl71l7sn7a5eri68d - foreign key (loop_name) - references loops (name); - -alter table looptemplates_to_loopelementmodels - add constraint FK1k7nbrbugvqa0xfxkq3cj1yn9 - 
foreign key (loop_element_model_name) - references loop_element_models (name); - -alter table looptemplates_to_loopelementmodels - add constraint FKj29yxyw0x7ue6mwgi6d3qg748 - foreign key (loop_template_name) - references loop_templates (name); - -alter table micro_service_policies - add constraint FKqvvdypacbww07fuv8xvlvdjgl - foreign key (loop_element_model_id) - references loop_element_models (name); - -alter table micro_service_policies - add constraint FKn17j9ufmyhqicb6cvr1dbjvkt - foreign key (policy_model_type, policy_model_version) - references policy_models (policy_model_type, version); - -alter table operational_policies - add constraint FKi9kh7my40737xeuaye9xwbnko - foreign key (loop_element_model_id) - references loop_element_models (name); - -alter table operational_policies - add constraint FKlsyhfkoqvkwj78ofepxhoctip - foreign key (policy_model_type, policy_model_version) - references policy_models (policy_model_type, version); - -alter table operational_policies - add constraint FK1ddoggk9ni2bnqighv6ecmuwu - foreign key (loop_id) - references loops (name); diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json b/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json deleted file mode 100644 index 6021b21d21..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/resources/config/sdc-controllers-config.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "sdc-connections":{ - "sdc-controller":{ - "user": "clamp", - "consumerGroup": "clamp", - "consumerId": "clamp", - "environmentName": "AUTO", - "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8443", - "password": "${SDC_CLIENT_PASSWORD_ENC}", - "pollingInterval":30, - "pollingTimeout":30, - "activateServerTLSAuth":"false", - "keyStorePassword":"", - "keyStorePath":"", - "messageBusAddresses":["message-router.{{ include "common.namespace" . }}"] - } - } -} 
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/NOTES.txt b/kubernetes/policy/components/policy-clamp-be/templates/NOTES.txt deleted file mode 100644 index e36d6a5bfb..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/templates/NOTES.txt +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit https://127.0.0.1:8443 to use your application" - kubectl port-forward $POD_NAME 8443:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/policy/components/policy-clamp-be/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-be/templates/configmap.yaml deleted file mode 100644 index aeadc37bd4..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/templates/configmap.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml deleted file mode 100644 index 4354c00a30..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/templates/deployment.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-clamp-galera-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - # side car containers - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} - # main container - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - workingDir: "/opt/policy/clamp/" - args: - - -c - - | - {{- if .Values.global.aafEnabled }} - export $(grep '^cadi_' {{ .Values.certInitializer.credsPath }}/org.onap.clamp.cred.props | xargs -0) - export SDC_CLIENT_PASSWORD_ENC=`java -jar {{ .Values.certInitializer.credsPath }}/aaf-cadi-aaf-2.1.20-full.jar cadi digest ${SDC_CLIENT_PASSWORD} {{ .Values.certInitializer.credsPath }}/org.onap.clamp.keyfile`; - envsubst < "/opt/policy/clamp/sdc-controllers-config.json" > "/opt/policy/clamp/sdc-controllers-config-pass.json" - {{- end }} - java -Djava.security.egd=file:/dev/./urandom ${JAVA_RAM_CONFIGURATION} -jar ./policy-clamp-backend.jar --spring.config.location=optional:classpath:/,optional:classpath:/config/,optional:file:./,optional:file:./config/ - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: logs - mountPath: {{ .Values.log.path }} - - mountPath: /opt/policy/clamp/sdc-controllers-config.json - name: {{ include "common.fullname" . }}-config - subPath: sdc-controllers-config.json - - mountPath: /opt/policy/clamp/application.properties - name: {{ include "common.fullname" . 
}}-config - subPath: application.properties - env: - - name: RUNTIME_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-be-secret" "key" "login") | indent 12 }} - - name: RUNTIME_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-be-secret" "key" "password") | indent 12 }} - - name: MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} - - name: MYSQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }} - - name: SDC_CLIENT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "password") | indent 12 }} - {{- if ne "unlimited" (include "common.flavor" .) }} - - name: JAVA_RAM_CONFIGURATION - value: -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=75 - {{- end }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: sdc-controllers-config.json - path: sdc-controllers-config.json - - key: application.properties - path: application.properties - - name: logs - emptyDir: {} - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/policy/components/policy-clamp-be/templates/job.yaml b/kubernetes/policy/components/policy-clamp-be/templates/job.yaml deleted file mode 100755 index b942dd3fb2..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/templates/job.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2020-2021 AT&T Intellectual Property -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.release" . }}-policy-clamp-galera-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-policy-clamp-job - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-policy-clamp-job - release: {{ include "common.release" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: -#This container checks that all galera instances are up before initializing it. - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - - --job-name - - {{ include "common.release" . }}-policy-galera-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.release" . }}-policy-clamp-galera-config - image: {{ include "repositoryGenerator.image.mariadb" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/create-db-tables.sh - name: {{ include "common.fullname" . }}-config - subPath: create-db-tables.sh - - mountPath: /dbcmd-config/policy-clamp-create-tables.sql - name: {{ include "common.fullname" . }}-config - subPath: policy-clamp-create-tables.sql - command: - - /bin/sh - args: - - -x - - /dbcmd-config/create-db-tables.sh - env: - - name: MYSQL_HOST - value: "{{ .Values.db.service.name }}" - - name: MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 10 }} - - name: MYSQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 10 }} - - name: MYSQL_PORT - value: "{{ .Values.db.service.internalPort }}" - resources: -{{ include "common.resources" . }} - restartPolicy: Never - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: create-db-tables.sh - path: create-db-tables.sh - - key: policy-clamp-create-tables.sql - path: policy-clamp-create-tables.sql diff --git a/kubernetes/policy/components/policy-clamp-be/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-be/templates/secrets.yaml deleted file mode 100644 index 4cf8155f6c..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/templates/secrets.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-clamp-be/templates/service.yaml b/kubernetes/policy/components/policy-clamp-be/templates/service.yaml deleted file mode 100644 index c01d36a53d..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml deleted file mode 100644 index c23657c421..0000000000 --- a/kubernetes/policy/components/policy-clamp-be/values.yaml +++ /dev/null 
@@ -1,172 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018-2021 AT&T -# Modifications Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: # global defaults - nodePortPrefix: 302 - persistence: {} - centralizedLoggingEnabled: true - #AAF service - aafEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - permission_user: 1000 - permission_group: 999 - keystoreFile: 'org.onap.clamp.p12' - truststoreFile: 'org.onap.clamp.trust.jks' - keyFile: 'org.onap.clamp.keyfile' - truststoreFileONAP: 'truststoreONAPall.jks' - nameOverride: clamp-backend-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: clamp - fqi: clamp@clamp.onap.org - public_fqdn: clamp.onap.org - cadi_longitude: '-72.0' - cadi_latitude: '38.0' - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; - cd {{ .Values.credsPath }}; - chmod a+rx *; - -secrets: - - uid: db-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . 
}}' - login: '{{ .Values.db.user }}' - password: '{{ .Values.db.password }}' - passwordPolicy: required - - uid: sdc-creds - type: password - externalSecret: '{{ tpl (default "" .Values.sdc.sdcClientExternalSecret) . }}' - password: '{{ .Values.sdc.clientPassword }}' - passwordPolicy: required - - uid: runtime-be-secret - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' - login: '{{ .Values.config.policyAppUserName }}' - password: '{{ .Values.config.policyAppUserPassword }}' - passwordPolicy: required - -flavor: small - -# application image -image: onap/policy-clamp-backend:6.2.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# log configuration -log: - path: /var/log/onap - -################################################################# -# Application configuration defaults. -################################################################# - -#####dummy values for db user and password to pass lint!!!####### -sdc: - clientPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - -db: - user: policy_user - password: policy_user - image: mariadb:10.5.8 - service: - name: policy-mariadb - internalPort: 3306 - -config: - policyAppUserName: runtimeUser - policyAppUserPassword: none - log: - logstashServiceName: log-ls - logstashPort: 5044 - mysqlPassword: strong_pitchou - dataRootDir: /dockerdata-nfs - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - -service: - type: ClusterIP - name: policy-clamp-be - portName: policy-clamp-be - internalPort: 8443 - externalPort: 8443 - -ingress: - enabled: 
false - -#resources: {} -# We usually recommend not to specify default resources and to leave this as a conscious -# choice for the user. This also increases chances charts run on environments with little -# resources, such as Minikube. If you do want to specify resources, uncomment the following -# lines, adjust them as necessary, and remove the curly braces after 'resources:'. -# -# Example: -# Configure resource requests and limits -# ref: http://kubernetes.io/docs/user-guide/compute-resources/ -# Minimum memory for development is 2 CPU cores and 4GB memory -# Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1m - memory: 1Gi - large: - limits: - cpu: 1 - memory: 3Gi - requests: - cpu: 10m - memory: 3Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: policy-clamp-be - roles: - - read diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 42e02efb8d..bdd6c99c53 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2024 Nordix Foundation. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021-2022 Nordix Foundation # ================================================================================ 
@@ -21,18 +21,16 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' + diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 219be24079..35e42c589d 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -44,20 +44,10 @@ spring: hibernate: dialect: org.hibernate.dialect.MariaDB103Dialect format_sql: true -{{- if .Values.config.useStrimziKafka }} - kafka: - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} -{{- end }} -{{- if .Values.config.additional }} -{{ toYaml .Values.config.additional | nindent 2 }} -{{- end }} +metrics: + security: + disabled: false security: enable-csrf: false 
@@ -68,7 +58,8 @@ server: context-path: /onap/policy/clamp/acm error: path: /error - + ssl: + enabled: false runtime: participantParameters: @@ -81,19 +72,34 @@ runtime: topicParameterGroup: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: true + useHttps: false fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: true + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + acmParameters: + toscaElementName: {{ .Values.customNaming.toscaElementName }} + toscaCompositionName: {{ .Values.customNaming.toscaCompositionName }} management: endpoints: diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/logback.xml index 206b19b049..7e646a8c9b 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/logback.xml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/logback.xml 
@@ -18,7 +18,7 @@ - /var/log/onap/policy/pap/error.log + /var/log/onap/policy/policy-clamp-runtime-acm/error.log /var/log/onap/policy/policy-clamp-runtime-acm/error.%d{yyyy-MM-dd}.%i.log.zip @@ -39,7 +39,7 @@ - /var/log/onap/policy/pap/debug.log + /var/log/onap/policy/policy-clamp-runtime-acm/debug.log /var/log/onap/policy/policy-clamp-runtime-acm/debug.%d{yyyy-MM-dd}.%i.log.zip diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index 361045af94..b0ea909e55 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml 
@@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -41,7 +41,14 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: {{ include "common.name" . }}-galera-config-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: @@ -56,10 +63,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} - name: RUNTIME_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-runtime-config 
@@ -68,24 +76,12 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/acm-runtime.sh /opt/app/policy/clamp/etc/mounted/acRuntimeParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"] args: ["/opt/app/policy/clamp/etc/mounted/acRuntimeParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -102,14 +98,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-runtime-config-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -120,10 +111,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-runtime-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -131,5 +118,4 @@ spec: - name: ac-runtime-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml new file mode 100644 index 0000000000..5601154ddd --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.global.useStrimziKafka }} +{{ include "common.kafkatopic" . }} +{{ end }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index d224aa6bc4..cc399d38da 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,10 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeTopic: + name: &acRuntimeTopic policy.clamp-runtime-acm ################################################################# # Secrets metaconfig 
@@ -34,60 +37,22 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - uid: runtime-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' login: '{{ .Values.config.policyAppUserName }}' password: '{{ .Values.config.policyAppUserPassword }}' passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-runtime-acm-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. 
################################################################# # application image -image: onap/policy-clamp-runtime-acm:6.2.3 +image: onap/policy-clamp-runtime-acm:7.1.0 pullPolicy: Always +componentName: &componentName policy-clamp-runtime-acm + # flag to enable debugging - application support required debugEnabled: false @@ -95,33 +60,28 @@ debugEnabled: false config: policyAppUserName: runtimeUser policyAppUserPassword: none - -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy.policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeTopic + type: topic + operations: [Read, Write] + +kafkaTopic: + - name: *acRuntimeTopic + db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb @@ -136,7 +96,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
@@ -144,42 +104,54 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-runtime-acm - useNodePortExt: true + name: *componentName ports: - name: http-api port: 6969 - nodePort: 42 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + - serviceAccount: policy-gui-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-clamp-runtime-acm + nameOverride: *componentName roles: - read + +wait_for_job_container: + containers: + - '{{ include "common.release" . }}-policy-galera-config' + +customNaming: + toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement + toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition \ No newline at end of file diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml index 6a5222f087..3de47d06e9 100755 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -21,18 +21,15 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-distribution/resources/config/config.json b/kubernetes/policy/components/policy-distribution/resources/config/config.json index 615afc6351..8def9aebd8 100755 --- a/kubernetes/policy/components/policy-distribution/resources/config/config.json +++ b/kubernetes/policy/components/policy-distribution/resources/config/config.json @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,7 +27,7 @@ "port":6969, "userName":"${RESTSERVER_USER}", "password":"${RESTSERVER_PASSWORD}", - "https":true, + "https": "false", "prometheus": true }, "receptionHandlerParameters":{ 
@@ -56,26 +57,25 @@ "sdcConfiguration":{ "parameterClassName":"org.onap.policy.distribution.reception.handling.sdc.SdcReceptionHandlerConfigurationParameterGroup", "parameters":{ - "asdcAddress": "sdc-be:8443", - "messageBusAddress": [ - "message-router.{{ include "common.namespace" . }}" - ], + "environmentName": "AUTO", + "isUseHttpsWithSdc": false, + "keyStorePath": "null", + "keyStorePassword": "null", + "activeserverTlsAuth": false, + "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8080", "user": "${SDCBE_USER}", "password": "${SDCBE_PASSWORD}", + {{ with (first .Values.kafkaUser.acls) }} + "consumerId": "{{ .name }}-id", + "consumerGroup": "{{ .name }}", + {{ end }} "pollingInterval":20, "pollingTimeout":30, - "consumerId": "policy-id", "artifactTypes": [ "TOSCA_CSAR", "HEAT" ], - "consumerGroup": "policy-group", - "environmentName": "AUTO", - "keyStorePath": "null", - "keyStorePassword": "null", - "activeserverTlsAuth": false, - "isFilterinEmptyResources": true, - "isUseHttpsWithDmaap": true + "isFilterinEmptyResources": true } } }, @@ -98,7 +98,7 @@ "port": 6969, "userName": "${API_USER}", "password": "${API_PASSWORD}", - "useHttps": true + "useHttps": "false" }, "papParameters": { "clientName": "policy-pap", @@ -106,7 +106,7 @@ "port": 6969, "userName": "${PAP_USER}", "password": "${PAP_PASSWORD}", - "useHttps": true + "useHttps": "false" }, "deployPolicies": true } diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml index 4745aac23b..62a3bfc98e 100755 --- a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml @@ -20,24 +20,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: 
@@ -70,26 +58,19 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/distribution/bin/policy-dist.sh /opt/app/policy/distribution/etc/mounted/config.json"] -{{- else }} + env: + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config command: ["/opt/app/policy/distribution/bin/policy-dist.sh"] args: ["/opt/app/policy/distribution/etc/mounted/config.json"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -105,14 +86,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/distribution/etc/mounted name: distributionconfig - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -123,10 +99,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: distributionconfig-input configMap: name: {{ include "common.fullname" . }}-configmap @@ -134,5 +106,4 @@ spec: - name: distributionconfig emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml b/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-distribution/templates/service.yaml b/kubernetes/policy/components/policy-distribution/templates/service.yaml index 4b91692749..ef4f2613cf 100755 --- a/kubernetes/policy/components/policy-distribution/templates/service.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/service.yaml @@ -19,21 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml index d36f1c2275..fd2fe2e5df 100755 --- a/kubernetes/policy/components/policy-distribution/values.yaml 
+++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. +# Modifications Copyright (C) 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,16 +46,6 @@ secrets: login: '{{ .Values.sdcBe.user }}' password: '{{ .Values.sdcBe.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required ################################################################# # Global configuration defaults. @@ -67,13 +58,22 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:2.7.3 +image: onap/policy-distribution:3.1.0 pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false -# application configuration +#Strimzi Kafka User def +kafkaUser: + acls: + - name: policy-distribution + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] restServer: user: healthcheck 
@@ -87,27 +87,6 @@ papParameters: sdcBe: user: policy password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-distribution-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); # default number of instances replicaCount: 1 @@ -131,29 +110,35 @@ readiness: service: type: ClusterIP name: policy-distribution - portName: policy-distribution - externalPort: 6969 internalPort: 6969 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account @@ -171,7 +156,7 @@ metrics: enabled: true port: policy-distribution interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-distribution-restserver-creds diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml index 1c9c73d340..63c4984ac9 100755 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml 
+++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,18 +18,15 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf index 57fa29bc3d..2e6efae345 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf 
@@ -42,32 +42,29 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} SQL_HOST={{ .Values.db.name }} SQL_PORT=3306 +JDBC_URL=jdbc:mariadb://{{ .Values.db.name }}:3306/ +JDBC_OPTS= +MYSQL_CMD= # Liveness LIVENESS_CONTROLLERS=* -# AAF - -AAF={{.Values.aaf.enabled}} -AAF_NAMESPACE=org.onap.policy -AAF_HOST=aaf-locate.{{.Release.Namespace}} - # HTTP Servers -HTTP_SERVER_HTTPS=true +HTTP_SERVER_HTTPS="false" PROMETHEUS=true # PDP-D DMaaP configuration channel -PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION -PDPD_CONFIGURATION_SERVERS=message-router +PDPD_CONFIGURATION_TOPIC=pdpd_configuration +PDPD_CONFIGURATION_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} PDPD_CONFIGURATION_CONSUMER_GROUP= PDPD_CONFIGURATION_CONSUMER_INSTANCE= PDPD_CONFIGURATION_PARTITION_KEY= # PAP-PDP configuration channel -POLICY_PDP_PAP_TOPIC=POLICY-PDP-PAP +POLICY_PDP_PAP_TOPIC=policy-pdp-pap POLICY_PDP_PAP_GROUP=defaultGroup POLICY_PDP_PAP_POLICYTYPES=onap.policies.controlloop.operational.common.Drools @@ -88,19 +85,19 @@ GUARD_DISABLED=false # DCAE DMaaP -DCAE_TOPIC=unauthenticated.DCAE_CL_OUTPUT -DCAE_SERVERS=message-router +DCAE_TOPIC=unauthenticated.dcae_cl_output +DCAE_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} DCAE_CONSUMER_GROUP=dcae.policy.shared # Open DMaaP -DMAAP_SERVERS=message-router -DMAAP_HTTPS=true +KAFKA_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} +DMAAP_HTTPS="false" # AAI AAI_HOST=aai.{{.Release.Namespace}} -AAI_PORT=8443 +AAI_PORT=8080 AAI_CONTEXT_URI= # MSO diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf index 761e8afef8..006388af61 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf 
+++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf @@ -15,4 +15,4 @@ # limitations under the License. */}} -POOLING_TOPIC=POOLING +POOLING_TOPIC=pooling diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf b/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf index a2a34056f1..c535a950b5 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf @@ -18,12 +18,6 @@ # ============LICENSE_END========================================================= */}} -{{- if not .Values.global.aafEnabled }} -KEYSTORE_PASSWD={{.Values.keystore.password}} -{{- end }} - -TRUSTSTORE_PASSWD={{.Values.truststore.password}} - TELEMETRY_USER={{.Values.telemetry.user}} TELEMETRY_PASSWORD={{.Values.telemetry.password}} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..1d571df8b7 --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml index b41bf4fdb9..c7322b1f94 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml 
@@ -15,34 +15,5 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}-{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName }}-{{ .Values.service.externalPort2 }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}-{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}-{{ .Values.service.externalPort2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} + diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml index 7dee453771..ba0e2d1a41 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml 
@@ -17,25 +17,13 @@ apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: @@ -52,11 +40,18 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-db-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- if not .Values.nexus.offline }} - command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.nexus.name }} env: - name: NAMESPACE 
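Review bot: In policy-drools-pdp statefulset.yaml, hunk @@ -52,11 +40,18 @@, the limits and requests for the `-db-readiness` init container are literals in the template (`cpu: "100m"`, `memory: "500Mi"`, requests `"3m"` and `"20Mi"`), so an operator cannot tune them from values.yaml, and the same block is repeated for the `-readiness` init container in the next hunk. Consider reading them from a values key or a shared helper. The same hunk switches the nexus check from `--container-name` to `--service-name` while still passing `{{ .Values.nexus.name }}`; please confirm that value is the Service name, since nexus.name is not shown here.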
@@ -64,23 +59,32 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- end }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["sh","-c"] - args: ["if [ -f {{ .Values.certInitializer.credsPath }}/.ci ]; then \ - source {{ .Values.certInitializer.credsPath }}/.ci; fi;\ - cp {{ .Values.certInitializer.credsPath }}/org.onap.policy.p12 ${POLICY_HOME}/etc/ssl/policy-keystore;\ - /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] - ports: - - containerPort: {{ .Values.service.externalPort }} - - containerPort: {{ .Values.service.externalPort2 }} + args: ["/opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: httpGet: @@ -92,7 +96,7 @@ spec: {{- end }} readinessProbe: tcpSocket: - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: 
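Review bot: In policy-drools-pdp statefulset.yaml, hunk @@ -64,23 +59,32 @@, KAFKA_URL, SASL, GROUP_ID and PAP_TOPIC are appended to the env of the `-readiness` init container, the one that runs /app/ready.py inside `{{- if not .Values.nexus.offline }}`. Nothing in the visible hunks adds them to the main container's env, and as placed they disappear entirely when nexus.offline is true. If the PDP process is the consumer, move the four entries to the env list under `containers:`; if ready.py really needs them, a short comment saying so would help.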
@@ -103,10 +107,6 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} - mountPath: /tmp/policy-install/config/{{ base $path }} name: drools-secret @@ -117,8 +117,7 @@ spec: name: drools-config subPath: {{ base $path }} {{- end }} - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -129,10 +128,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: drools-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -151,5 +146,4 @@ spec: path: {{ base $path }} mode: 0644 {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml index 74c743cb2b..710acd2c4f 100755 --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -41,7 +41,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:1.10.3 +image: onap/policy-pdpd-cl:2.1.1 pullPolicy: Always # flag to enable debugging - application support required 
@@ -70,50 +70,24 @@ readiness: service: type: ClusterIP name: policy-drools-pdp - portName: policy-drools-pdp internalPort: 6969 - externalPort: 6969 - nodePort: 17 - internalPort2: 9696 - externalPort2: 9696 - nodePort2: 21 + ports: + - name: http + port: 6969 + - name: http-2 + port: 9696 ingress: enabled: false -# Default installation values to be overridden - -certInitializer: - nameOverride: policy-drools-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read server: jvmOpts: -server -XshowSettings:vm -aaf: - enabled: "false" - -keystore: - password: Pol1cy_0nap - -truststore: - password: Pol1cy_0nap - telemetry: user: demo@people.osaaf.org password: demo123456! @@ -127,7 +101,7 @@ nexus: db: name: policy-mariadb - user: policy_user + user: policy-user password: policy_user pap: @@ -183,18 +157,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "800Mi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "800Mi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "1.6Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "1.6Gi" unlimited: {} #Pods Service Account 
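Review bot: In policy-drools-pdp values.yaml, hunk @@ -183,18 +157,18 @@, the small flavor memory limit drops from 4Gi to 800Mi (large: 8Gi to 1.6Gi) and the request is raised to equal the limit, while `server.jvmOpts` in the same file stays at `-server -XshowSettings:vm` with no heap setting. Please state what the new figures are based on, or set a heap bound in jvmOpts that fits under the limit, so the container is not OOM-killed under load.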
@@ -212,7 +186,7 @@ metrics: enabled: true port: policy-drools-pdp-9696 interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-drools-pdp-telemetry-creds @@ -223,3 +197,24 @@ metrics: chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' release: '{{ include "common.release" . }}' heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-drools-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-drools-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/components/policy-gui/Chart.yaml b/kubernetes/policy/components/policy-gui/Chart.yaml index fed1af9895..28972b59b0 100644 --- a/kubernetes/policy/components/policy-gui/Chart.yaml +++ b/kubernetes/policy/components/policy-gui/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2021 Nordix Foundation. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,15 +21,12 @@ apiVersion: v2 description: ONAP Policy GUI name: policy-gui -version: 11.0.0 +version: 14.0.0 dependencies: - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
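Review bot: In policy-drools-pdp values.yaml, hunk @@ -212,7 +186,7 @@, the metrics section still targets `port: policy-drools-pdp-9696`, but this change drops `service.portName` and names the service ports `http` and `http-2`. The removed service.yaml built the old name as `{{ .Values.service.portName }}-{{ .Values.service.externalPort2 }}`; unless `common.service` (not shown) reproduces it, the scrape target no longer matches a port name and should become `http-2`. The hunk also sets `isHttps: false` while `basicAuth.enabled: true` is kept, so the telemetry credentials travel over plain HTTP unless something outside this chart encrypts the connection; a comment stating that assumption would help.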
diff --git a/kubernetes/policy/components/policy-gui/resources/config/application.yml b/kubernetes/policy/components/policy-gui/resources/config/application.yml new file mode 100644 index 0000000000..f81a1b452a --- /dev/null +++ b/kubernetes/policy/components/policy-gui/resources/config/application.yml @@ -0,0 +1,19 @@ +server: + port: 2443 + ssl: + enabled: false + +clamp: + url: + disable-ssl-validation: true + disable-ssl-hostname-check: true + +apex-editor: + upload-url: + upload-userid: + +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus diff --git a/kubernetes/policy/components/policy-gui/resources/config/logback.xml b/kubernetes/policy/components/policy-gui/resources/config/logback.xml new file mode 100644 index 0000000000..c20df8329d --- /dev/null +++ b/kubernetes/policy/components/policy-gui/resources/config/logback.xml @@ -0,0 +1,118 @@ + + + + + + TRACE + + + %d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n + + + + + + ${POLICY_LOGS}/error.log + + ${POLICY_LOGS}/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + TRACE + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + ${POLICY_LOGS}/debug.log + + ${POLICY_LOGS}/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + ${POLICY_LOGS}/network.log + + ${POLICY_LOGS}/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-gui/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-gui/templates/configmap.yaml b/kubernetes/policy/components/policy-gui/templates/configmap.yaml index 4f600882e9..9426b0f54f 100644 --- a/kubernetes/policy/components/policy-gui/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-gui/templates/configmap.yaml @@ -21,7 +21,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }} + name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -29,6 +29,6 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/*.{xml,yaml,yml}").AsConfig . | indent 2 }} {{ include "common.log.configMap" . }} diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml index a155715580..a236d5f558 100644 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-gui/templates/deployment.yaml 
@@ -20,31 +20,35 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: POLICY_LOGS + value: {{ .Values.log.path }} + volumeMounts: + - mountPath: /config-input + name: policy-gui-config + - mountPath: /config + name: policy-gui-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config - command: - /app/ready.py args: - - --container-name - - policy-clamp-be + - --service-name + - policy-clamp-runtime-acm env: - name: NAMESPACE valueFrom: @@ -54,7 +58,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness -{{ include "common.certInitializer.initContainer" . | nindent 6 }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: # side car containers {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} 
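Review bot: In policy-gui deployment.yaml, hunk @@ -20,31 +20,35 @@, the new `-update-config` init container runs `envsubst <${PFILE} >/config/${PFILE}` with no variable list, so every `$NAME` or `${NAME}` in application.yml and logback.xml is replaced, and any name missing from the container's environment becomes an empty string. Only POLICY_LOGS is set here, so pass it explicitly (`envsubst '${POLICY_LOGS}'`) to leave other placeholders intact. The loop also iterates over unquoted `ls -1` output; `for PFILE in *` with quoted expansions is more robust. This container gets no resources block, unlike the `-readiness` one in the following hunk.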
@@ -62,22 +72,11 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;/opt/app/policy/gui/bin/policy-gui.sh"] - env: -{{- else }} command: ["/opt/app/policy/gui/bin/policy-gui.sh"] env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - name: CLAMP_URL - value: https://policy-clamp-be:8443 - ports: - - containerPort: {{ .Values.service.internalPort }} + value: http://policy-clamp-runtime-acm:6969 + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -92,11 +91,16 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - name: logs mountPath: {{ .Values.log.path }} - resources: -{{ include "common.resources" . | indent 12 }} + - mountPath: /opt/app/policy/gui/etc/application.yml + name: policy-gui-config-processed + subPath: application.yml + - mountPath: /opt/app/policy/gui/etc/logback.xml + name: policy-gui-config-processed + subPath: logback.xml + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
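Review bot: In policy-gui deployment.yaml, hunk @@ -62,22 +72,11 @@, CLAMP_URL changes from `https://policy-clamp-be:8443` to `http://policy-clamp-runtime-acm:6969`, so the GUI now talks to the backend in plaintext. The application.yml added in this change still sets `disable-ssl-validation: true` and `disable-ssl-hostname-check: true` under `clamp:`; with an http URL there is nothing for them to validate, and if the URL is ever switched back to https they would turn certificate checking off. Suggest setting both to false, or dropping them, and adding a comment that transport protection is expected from the mesh, if that is the intent of the new `serviceMesh.authorizationPolicy` values.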
@@ -106,12 +110,18 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - name: logs emptyDir: {} {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: policy-gui-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: policy-gui-config-processed + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-gui/templates/service.yaml b/kubernetes/policy/components/policy-gui/templates/service.yaml index 44e66b8680..36406228d5 100644 --- a/kubernetes/policy/components/policy-gui/templates/service.yaml +++ b/kubernetes/policy/components/policy-gui/templates/service.yaml 
@@ -18,29 +18,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml index 60a6ce38c4..3338d8f724 100644 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ b/kubernetes/policy/components/policy-gui/values.yaml 
@@ -22,50 +22,6 @@ global: # global defaults nodePortPrefix: 304 centralizedLoggingEnabled: true - #AAF service - aafEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: policy-gui-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export TRUSTSTORE='{{ .Values.credsPath }}/org.onap.policy.trust.jks'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - echo "export TRUSTSTORE_PASSWD='${cadi_truststore_password}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); subChartsOnly: enabled: true 
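Review bot: In policy-gui deployment.yaml, hunk @@ -106,12 +110,18 @@, the unchanged volume `{{ include "common.fullname" . }}-config` still references a ConfigMap named `{{ include "common.fullname" . }}`, but configmap.yaml in this change renames that ConfigMap to `{{ include "common.fullname" . }}-configmap`, which is what the new `policy-gui-config` volume uses. No volumeMount in the visible hunks uses the old volume; please remove it, or point it at the new name, so the pod spec does not reference the ConfigMap under its old name. `defaultMode: 0755` on the new config volume also marks application.yml and logback.xml executable; 0644 is enough for files that are only read by envsubst.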
@@ -73,7 +29,7 @@ subChartsOnly: flavor: small # application image -image: onap/policy-gui:2.2.3 +image: onap/policy-gui:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -116,22 +72,30 @@ readiness: service: type: NodePort name: policy-gui - portName: policy-gui internalPort: 2443 - nodePort: 43 + ports: + - name: http + port: 2443 + nodePort: 43 # see https://wiki.onap.org/display/DW/OOM+NodePort+List ingress: enabled: false service: - - baseaddr: "policygui.api" - name: "policygui" + - baseaddr: "policy-ui" + name: "policy-gui" port: 2443 config: ssl: "redirect" -#resources: {} +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + + #resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -145,18 +109,18 @@ ingress: resources: small: limits: - cpu: 1 - memory: 200Mi + cpu: "1" + memory: "700Mi" requests: - cpu: 1m - memory: 50Mi + cpu: "0.5" + memory: "700Mi" large: limits: - cpu: 1 - memory: 500Mi + cpu: "2" + memory: "1.4Gi" requests: - cpu: 10m - memory: 50Mi + cpu: "1" + memory: "1.4Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml index e8ba92a81c..8d04647a75 100755 --- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml 
@@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,18 +18,18 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml index 4c945f4605..3d03338836 100755 --- a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml @@ -17,24 +17,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: ["sh", "-c", "chown -R 200:200 /share"] 
@@ -48,25 +36,21 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.externalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: httpGet: path: {{ .Values.readiness.path }} - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /sonatype-work name: nexus-data resources: @@ -85,9 +69,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: nexus-data {{- if .Values.persistence.enabled }} persistentVolumeClaim: @@ -95,5 +76,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-nexus/templates/service.yaml b/kubernetes/policy/components/policy-nexus/templates/service.yaml index 55defa9e92..6aee4ca230 100755 --- a/kubernetes/policy/components/policy-nexus/templates/service.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/service.yaml 
@@ -15,28 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml index 3d77e67456..f10d55dcee 100755 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml @@ -56,14 +56,18 @@ readiness: service: type: ClusterIP name: policy-nexus - portName: policy-nexus - externalPort: 8081 internalPort: 8081 - nodePort: 36 + ports: + - name: http + port: 8081 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + ## Persist data to a persitent volume persistence: enabled: true @@ -79,18 +83,18 @@ resources: flavor: small small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1m - memory: 0.5Gi + cpu: "1m" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2m - memory: 1Gi + cpu: "2m" + memory: "1Gi" unlimited: {} #Pods Service Account 
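Review bot: In policy-nexus values.yaml, hunk @@ -56,14 +56,18 @@, `authorizedPrincipals: []` is added without a comment on what an empty list means for `common.authorizationPolicy` (not shown in this patch): no restriction, or no caller allowed. The drools-pdp statefulset in this patch waits for the nexus service before starting, which suggests it is a client of this chart. Please document the semantics here and, if the list is meant to restrict access, name the service accounts that need it, as the drools-pdp and policy-gui values do.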
diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml index 27358908e2..0634118a4f 100755 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml @@ -2,7 +2,7 @@ # Copyright (C) 2019 Nordix Foundation. # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,18 +22,15 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index 195b087ff1..614116ae23 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. +# Modifications Copyright © 2022 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -25,7 +26,8 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin +{{ if not .Values.global.postgres.localCluster }} + url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/policyadmin driverClassName: org.mariadb.jdbc.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" 
@@ -40,29 +42,42 @@ spring: naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy -{{- if .Values.config.useStrimziKafka }} - kafka: - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} -{{- end }} - -{{- if .Values.config.additional }} -{{ toYaml .Values.config.additional | nindent 2 }} -{{- end }} +{{- else }} + url: jdbc:postgresql://{{ .Values.db.service.pgName }}:{{ .Values.db.service.internalPgPort }}/policyadmin + driverClassName: org.postgresql.Driver + username: "${SQL_USER}" + password: "${SQL_PASSWORD}" + hikari: + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 + jpa: + hibernate: + ddl-auto: none + naming: + physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl + implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect + format_sql: true +{{ end }} server: port: 6969 ssl: - enabled: true + enabled: false + servlet: + context-path: /policy/pap/v1 pap: name: PapGroup aaf: false + topic: + pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }} + notification.name: {{ .Values.config.kafka.topics.policyNotification }} + heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }} pdpParameters: heartBeatMs: 120000 updateParameters: 
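Review bot: `server.ssl.enabled` is hard-coded to `false` in this hunk with no values toggle, so the PAP REST listener on 6969 is always plaintext and the basic-auth credentials it accepts are protected only by whatever the service mesh provides. Either drive this from a value (for example a `global` TLS or mesh flag) or document next to the setting that mesh mTLS is a hard requirement for this chart. A smaller point in the same hunk: the PostgreSQL branch repeats the whole `hikari`/`jpa` block from the MariaDB branch; only `url`, `driverClassName` and the dialect differ, so the conditional could wrap just those keys.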
@@ -71,54 +86,78 @@ pap: stateChangeParameters: maxRetryCount: 1 maxWaitMs: 30000 - savePdpStatisticsInDb: false + savePdpStatisticsInDb: true topicParameterGroup: topicSources: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: true - fetchTimeout: 15000 - topicCommInfrastructure: dmaap - - topic: POLICY-HEARTBEAT - effectiveTopic: POLICY-PDP-PAP - consumerGroup: policy-pap - servers: - - message-router - useHttps: true - fetchTimeout: 15000 - topicCommInfrastructure: dmaap + - useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + - useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.config.kafka.topics.policyHeartbeat }} + effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} topicSinks: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: true - topicCommInfrastructure: dmaap - - topic: POLICY-NOTIFICATION - servers: - - message-router - useHttps: true - topicCommInfrastructure: dmaap + - useHttps: false + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + - useHttps: false + topic: {{ .Values.config.kafka.topics.policyNotification }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + +# If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks +# servers: +# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 +# topicCommInfrastructure: kafka +# additionalProps: +# security.protocol: SASL_PLAINTEXT +# sasl.mechanism: SCRAM-SHA-512 +# sasl.jaas.config: ${JAASLOGIN} + healthCheckRestClientParameters: - clientName: api hostname: policy-api port: 6969 userName: "${API_USER}" password: "${API_PASSWORD}" - useHttps: true + useHttps: false basePath: policy/api/v1/healthcheck - clientName: distribution hostname: policy-distribution port: 6969 userName: "${DISTRIBUTION_USER}" password: "${DISTRIBUTION_PASSWORD}" - useHttps: true + useHttps: false basePath: healthcheck - - clientName: dmaap - hostname: message-router - port: 3905 - useHttps: true - basePath: topics management: endpoints: diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml index 6f02f8e4c0..9ca8b84a47 100755 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml @@ -33,8 +33,11 @@ spec: - /app/ready.py args: - --job-name +{{ if not .Values.global.postgres.localCluster }} - {{ include "common.release" . }}-policy-galera-config - env: +{{ else }} + - {{ include "common.release" . }}-policy-pg-config +{{ end }} env: - name: NAMESPACE valueFrom: fieldRef: @@ -42,7 +45,14 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: {{ include "common.name" . }}-db-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: 
@@ -65,10 +75,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: papconfig 
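Review bot: `JAASLOGIN` is now injected unconditionally from a secret named `{{ include "common.name" . }}-ku`, and the `useStrimziKafka` guard is gone, so the pod cannot start unless that exact secret exists in the namespace. The name is built from `common.name` rather than a release-qualified name; please confirm it matches what `common.kafkauser` creates, and consider `optional` handling or a guard for installs that bring their own Kafka. The `policy-kafka-user` entry that remains under `secrets` in values.yaml is no longer referenced by this template and can probably be removed.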
@@ -77,24 +88,15 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml"] -{{- else }} - command: ["/opt/app/policy/pap/bin/policy-pap.sh"] - args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} + + command: [ "/bin/sh", "-cx" ] + args: + - cat /opt/app/policy/pap/etc/mounted/papParameters.yaml; + /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container 
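Review bot: The new container command runs `cat /opt/app/policy/pap/etc/mounted/papParameters.yaml` under `/bin/sh -cx`, which writes the processed config to the container log. That file is the envsubst output, so it contains the resolved `${SQL_PASSWORD}`, `${API_PASSWORD}`, `${DISTRIBUTION_PASSWORD}` and `${JAASLOGIN}` values, and anyone with log read access gets the DB, REST and Kafka credentials. This looks like leftover debugging; drop the `cat` and the `-x`, and go back to the exec form with `policy-pap.sh` as the command and the YAML path as its argument.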
@@ -112,21 +114,16 @@ spec: httpHeaders: - name: Authorization value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }} - scheme: {{ .Values.readiness.scheme }} + scheme: "HTTP" successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/pap/etc/mounted name: papconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -137,10 +134,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: papconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -148,5 +141,4 @@ spec: - name: papconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 2c240d2347..484ff64a6c 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml @@ -2,6 +2,7 @@ # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. +# Modifications Copyright © 2022 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,7 +25,8 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + postgres: + localCluster: false ################################################################# # Secrets metaconfig 
@@ -54,16 +56,6 @@ secrets: login: '{{ .Values.healthCheckRestClient.distribution.user }}' password: '{{ .Values.healthCheckRestClient.distribution.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - uid: policy-kafka-user externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' type: genericKV @@ -72,34 +64,11 @@ secrets: value: '{{ .Values.config.someConfig }}' policy: generate -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-pap-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:2.6.3 +image: onap/policy-pap:3.1.0 pullPolicy: Always # flag to enable debugging - application support required 
@@ -108,11 +77,13 @@ debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb + pgName: policy-pg-primary internalPort: 3306 + internalPgPort: 5432 restServer: user: policyadmin @@ -147,7 +118,6 @@ readiness: periodSeconds: 120 port: http-api api: /policy/pap/v1/healthcheck - scheme: HTTPS successThreshold: 1 failureThreshold: 3 timeout: 60 @@ -155,31 +125,38 @@ readiness: service: type: ClusterIP name: policy-pap - useNodePortExt: true ports: - name: http-api port: 6969 - nodePort: 42 + - name: debug-port + port: 5005 + protocol: TCP ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + - serviceAccount: portal-app-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account @@ -197,7 +174,7 @@ metrics: enabled: true port: http-api interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-pap-user-creds @@ -207,14 +184,17 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap kafka: + topics: + policyHeartbeat: policy-heartbeat + policyNotification: policy-notification + policyPdpPap: policy-pdp-pap consumer: - groupId: poicy-group + groupId: policy-pap app: listener: policyPdpPapTopic: policy-pdp-pap + # If targeting a custom kafka cluster, ie useStrimziKakfa: false # uncomment below config and target your kafka bootstrap servers, # along with any other security config. 
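Review bot: The comment kept at the end of the `config:` hunk still says "If targeting a custom kafka cluster, ie useStrimziKakfa: false", but this hunk deletes both `useStrimziKafka` and `kafkaBootstrap` from `config`. Update the comment to describe the current mechanism (`global.kafkaBootstrap` plus `kafkaUser`), and do the same for the commented block in papParameters.yaml that still points at `.Values.config.kafkaBootstrap`. Note also that `config.kafka.topics.policyPdpPap` and `config.app.listener.policyPdpPapTopic` now both hold the same topic name; one of them should be the single source.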
@@ -226,3 +206,22 @@ config: # # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-pap + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-notification + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml index faa9d79f42..a46d6128e8 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +21,15 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 11.0.0 +version: 14.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json index 19b4d9c03b..7bf6707136 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json @@ -26,7 +26,7 @@ "port": 6969, "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", - "https": true, + "https": "false", "aaf": false, "prometheus": true }, @@ -35,25 +35,37 @@ "port": 6969, "userName": "${API_USER}", "password": "${API_PASSWORD}", - "useHttps": true, + "useHttps": "false", "aaf": false }, "applicationParameters": { "applicationPath": "/opt/app/policy/pdpx/apps" }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : true, - "fetchTimeout" : 15000, - "topicCommInfrastructure" : "dmaap" + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } }], "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : true, - "topicCommInfrastructure" : "dmaap" - }] + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } + }] } } diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
+++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml index 64b7c0a126..3b1a12399e 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml @@ -1,6 +1,6 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. +# Copyright (C) 2019-2020, 2022 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2020 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -36,4 +36,4 @@ binaryData: {{- end }} {{- end }} data: -{{ tpl (.Files.Glob "resources/config/*.{json,properties,xml}").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }} 
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml index 2da0035fa0..cda1aa4bae 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -20,24 +20,12 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: @@ -54,11 +42,18 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - command: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} 
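Review bot: In the update-config init container, `JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`` deletes every double quote from the JAAS string and passes it through an unquoted `echo`, which also collapses whitespace and glob-expands. The quotes are being removed so the value fits inside the JSON string `"sasl.jaas.config": "${JAASLOGIN}"` in config.json, but that changes what the Kafka client receives: the username and password options lose their quoting, so this only works while the client accepts unquoted option values. Escape the quotes for JSON instead of deleting them (replace `"` with `\"`), and quote the expansion, for example with `printf '%s' "$JAASLOGIN"`.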
@@ -72,6 +67,19 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} volumeMounts: - mountPath: /config-input name: pdpxconfig 
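Review bot: `KAFKA_URL` is rendered from `.Values.global.kafkaBootstrap`, but the `global` block in this chart's values.yaml only defines `persistence`, so the chart depends on a parent to supply the bootstrap address and renders a server of just the release name and a dash when installed on its own. Add a default under `global` here or fail the render when it is unset. The removed PAP config appended `:9092` to the bootstrap name; please confirm the global value carries the port, since nothing in this hunk adds one. The `value:` entries are also unquoted, which is worth fixing while here.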
@@ -80,26 +88,13 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/pdpx/bin/policy-pdpx.sh /opt/app/policy/pdpx/etc/mounted/config.json"] -{{- else }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] args: ["/opt/app/policy/pdpx/etc/mounted/config.json"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -115,14 +110,9 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/pdpx/etc/mounted name: pdpxconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -133,10 +123,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -144,5 +130,4 @@ spec: - name: pdpxconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..1d571df8b7 --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml index 123ae66432..3e76c2ba36 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml 
@@ -18,22 +18,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml index e7e7eebefe..15ef5e3de1 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -21,7 +21,6 @@ ################################################################# global: persistence: {} - aafEnabled: true ################################################################# # Secrets metaconfig 
@@ -45,54 +44,23 @@ secrets: login: '{{ .Values.apiServer.user }}' password: '{{ .Values.apiServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-xacml-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:2.6.3 +image: onap/policy-xacml-pdp:3.1.1 pullPolicy: Always +componentName: &componentName policy-xacml-pdp + # flag to enable debugging - application support required debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user service: name: policy-mariadb 
@@ -127,35 +95,61 @@ readiness: service: type: ClusterIP - name: policy-xacml-pdp - portName: policy-xacml-pdp - externalPort: 6969 + name: *componentName internalPort: 6969 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datafile-collector-read + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read + - serviceAccount: dcae-heartbeat-read + - serviceAccount: dcae-hv-ves-collector-read + - serviceAccount: dcae-kpi-ms-read + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: dcae-pmsh-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-restconf-collector-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-snmptrap-collector-read + - serviceAccount: dcae-son-handler-read + - serviceAccount: dcae-tcagen2-read + - serviceAccount: dcae-ves-collector-read + - serviceAccount: dcae-ves-mapper-read + - serviceAccount: dcae-ves-openapi-manager-read + - serviceAccount: strimzi-kafka-read + - serviceAccount: oof-read + - serviceAccount: sdnc-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: policy-xacml-pdp + nameOverride: *componentName roles: - read @@ -168,7 +162,7 @@ metrics: enabled: true port: policy-xacml-pdp interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-xacml-pdp-restserver-creds 
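Review bot: In the `metrics` hunk (`@@ -168,7 +162,7 @@`), `isHttps: false` is set while `basicAuth.enabled: true` stays, so the scrape credentials from `policy-xacml-pdp-restserver-creds` are sent over plain HTTP unless a service mesh encrypts the hop. The `serviceMesh.authorizationPolicy` block added in the previous hunk suggests that is the assumption, but nothing in these values ties the two together. Either add a comment that this setting relies on mesh mTLS, or derive `isHttps` from the mesh setting (job.yaml in this change already uses `common.onServiceMesh` for that kind of switch).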
@@ -179,3 +173,26 @@ metrics: chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' release: '{{ include "common.release" . }}' heritage: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-xacml-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-xacml-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + + diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh index 866d422c14..d793a024df 100755 --- a/kubernetes/policy/resources/config/db.sh +++ b/kubernetes/policy/resources/config/db.sh 
@@ -17,12 +17,31 @@ # limitations under the License. */}} -mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; }; +mysqlcmd() { mysql -h ${MYSQL_HOST} -P ${MYSQL_PORT} "$@"; }; +i=5 +RESULT_VARIABLE=0 +echo "Check if user ${MYSQL_USER} is created in DB ${MYSQL_HOST}" +while [ $i -gt 0 ] && [ "$RESULT_VARIABLE" != 1 ] +do + i=$(( i-1 )) + RESULT_VARIABLE="$(mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" -se "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = '${MYSQL_USER}')")" + if [ "$RESULT_VARIABLE" = 1 ]; then + echo "User ${MYSQL_USER} exists" + else + echo "User ${MYSQL_USER} does not exist" + sleep 10 + fi +done +if [ "$RESULT_VARIABLE" != 1 ]; then + exit 1 +fi for db in migration pooling policyadmin policyclamp operationshistory clampacm do - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" + echo "Create DB ${db}" + mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" + echo "Grand access for user ${MYSQL_USER}" + mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" done - -mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" +echo "Flush privileges" +mysqlcmd -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml index 9fea669c37..3880d2383c 100755 --- a/kubernetes/policy/templates/job.yaml +++ b/kubernetes/policy/templates/job.yaml 
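Review bot: In db.sh, the new wait loop treats every failure of `mysqlcmd` as a missing user: if the server is unreachable or the root password is wrong, `RESULT_VARIABLE` is empty and the script logs `User ${MYSQL_USER} does not exist` five times before `exit 1`. Check the exit status of `mysqlcmd` separately from the query result so the job log points at the real cause. Smaller points in the same hunk: the root password is passed as `-p"${MYSQL_ROOT_PASSWORD}"` on the command line, where it shows up in the container's process list, so the `MYSQL_PWD` environment variable or an option file would be safer; `${MYSQL_HOST}` and `${MYSQL_PORT}` in `mysqlcmd()` are unquoted; and the message `Grand access for user` should read `Grant access for user`.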
@@ -16,40 +16,29 @@ # limitations under the License. */}} +{{ if not .Values.global.postgres.localCluster }} apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.release" . }}-policy-galera-config + name: {{ include "common.fullname" . }}-galera-init namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-job + app: {{ include "common.name" . }}-galera-init release: {{ include "common.release" . }} spec: template: metadata: labels: - app: {{ include "common.name" . }}-job + app: {{ include "common.name" . }}-galera-init release: {{ include "common.release" . }} + name: {{ include "common.name" . }}-galera-init spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: {{ if .Values.global.postgres.localCluster }}{{ include "common.readinessCheck.waitFor" . | nindent 6 }}{{ end }} -#This container checks that all galera instances are up before initializing it. - - name: {{ include "common.name" . }}-mariadb-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - - --container-name - - {{ index .Values "mariadb-galera" "service" "name" }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.release" . }}-policy-galera-config - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadb.image }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_mariadb ) | indent 6 | trim }} + containers: + - name: {{ include "common.name" . }}-galera-config + image: {{ include "repositoryGenerator.image.mariadb" . 
}} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - mountPath: /dbcmd-config/db.sh @@ -57,9 +46,11 @@ spec: subPath: db.sh command: - /bin/sh - args: - - -x - - /dbcmd-config/db.sh + - -cx + - | + {{- if include "common.onServiceMesh" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /dbcmd-config/db.sh env: - name: MYSQL_ROOT_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 10 }} 
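Review bot: In the `command:` change of job.yaml (`@@ -57,9 +46,11 @@`), `sleep 15s` is a fixed delay rather than a readiness check: if the Istio sidecar needs longer, `/dbcmd-config/db.sh` starts without a working network path and the pod fails under `restartPolicy: Never`, and if the sidecar is ready at once every run still waits 15 seconds. Poll for sidecar readiness with a timeout instead. Also worth a line in the commit message: moving `-x` from `args` to `/bin/sh -cx` means tracing now covers only the inline wrapper and no longer the commands inside db.sh. That keeps the expanded `-p"${MYSQL_ROOT_PASSWORD}"` out of the job log, which is good, but it also removes the trace people may rely on when the init job fails.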
@@ -69,11 +60,60 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: MYSQL_PORT value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" - resources: -{{ include "common.resources" . }} - {{ if .Values.global.postgres.localCluster }} - - name: {{ include "common.release" . }}-policy-pg-config - image: {{ .Values.repository }}/{{ .Values.postgresImage }} + resources: {{ include "common.resources" . | nindent 10 }} + {{- if (include "common.onServiceMesh" .) }} + - name: policy-service-mesh-wait-for-job-container + image: {{ include "repositoryGenerator.image.quitQuit" . }} + imagePullPolicy: Always + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-config -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- end }} + restartPolicy: Never + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }}-db-configmap + defaultMode: 0755 + items: + - key: db.sh + path: db.sh +{{ end }} + +{{ if .Values.global.postgres.localCluster }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-pg-init + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-pg-init + release: {{ include "common.release" . }} +spec: + template: + metadata: + labels: + app: {{ include "common.name" . }}-pg-init + release: {{ include "common.release" . }} + name: {{ include "common.name" . }}-pg-init + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: + {{ include "common.readinessCheck.waitFor" (dict "dot" . 
"wait_for" .Values.readinessCheck.wait_for_postgres ) | indent 6 | trim }} + containers: + - name: {{ include "common.name" . }}-pg-config + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - mountPath: /docker-entrypoint-initdb.d/db-pg.sh 
@@ -81,25 +121,95 @@ spec: subPath: db-pg.sh command: - /bin/sh - args: - - -x - - /docker-entrypoint-initdb.d/db-pg.sh + - -cx + - | + {{- if include "common.onServiceMesh" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /docker-entrypoint-initdb.d/db-pg.sh env: - name: PG_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} - name: PG_HOST value: "{{ .Values.postgres.service.name2 }}" - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: PG_USER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: PG_PORT value: "{{ .Values.postgres.service.internalPort }}" + resources: {{ include "common.resources" . | nindent 10 }} + {{- if (include "common.onServiceMesh" .) }} + - name: policy-service-mesh-wait-for-job-container + image: {{ include "repositoryGenerator.image.quitQuit" . }} + imagePullPolicy: Always + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-config -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- end }} + restartPolicy: Never + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . 
}}-db-configmap + defaultMode: 0755 + items: + - key: db-pg.sh + path: db-pg.sh +{{ end }} + +--- +{{ if not .Values.global.postgres.localCluster }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-galera-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-galera-config + release: {{ include "common.release" . }} +spec: + template: + metadata: + labels: + app: {{ include "common.name" . }}-galera-config + release: {{ include "common.release" . }} + name: {{ include "common.name" . }}-galera-config + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: + - name: {{ include "common.name" . }}-init-readiness + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . }}-galera-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace resources: -{{ include "common.resources" . }} - {{ end }} + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - - name: {{ include "common.release" . }}-policy-galera-db-migrator + - name: {{ include "common.name" . }}-galera-db-migrator image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: @@ -108,9 +218,11 @@ spec: subPath: db_migrator_policy_init.sh command: - /bin/sh - args: - - -x - - /dbcmd-config/db_migrator_policy_init.sh + - -cx + - | + {{- if include "common.onServiceMesh" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /dbcmd-config/db_migrator_policy_init.sh env: - name: SQL_HOST value: "{{ index .Values "mariadb-galera" "service" "name" }}" 
@@ -124,10 +236,78 @@ spec: value: {{ .Values.dbmigrator.policy_home }} - name: SCRIPT_DIRECTORY value: "sql" + resources: {{ include "common.resources" . | nindent 10 }} + {{- if (include "common.onServiceMesh" .) }} + - name: policy-service-mesh-wait-for-job-container + image: {{ include "repositoryGenerator.image.quitQuit" . }} + imagePullPolicy: Always + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- end }} + restartPolicy: Never + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }}-db-configmap + defaultMode: 0755 + items: + - key: db_migrator_policy_init.sh + path: db_migrator_policy_init.sh +{{ end }} +{{ if .Values.global.postgres.localCluster }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-pg-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-pg-config + release: {{ include "common.release" . }} +spec: + template: + metadata: + labels: + app: {{ include "common.name" . }}-pg-config + release: {{ include "common.release" . }} + name: {{ include "common.name" . }}-pg-config + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: + - name: {{ include "common.name" . }}-init-readiness + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /app/ready.py + args: + - --job-name + - {{ include "common.fullname" . 
}}-pg-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace resources: -{{ include "common.resources" . }} - {{ if .Values.global.postgres.localCluster }} - - name: {{ include "common.release" . }}-policy-pg-db-migrator + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }}-pg-db-migrator image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: @@ -136,16 +316,18 @@ spec: subPath: db_migrator_pg_policy_init.sh command: - /bin/sh - args: - - -x - - /dbcmd-config/db_migrator_pg_policy_init.sh + - -cx + - | + {{- if include "common.onServiceMesh" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + /dbcmd-config/db_migrator_pg_policy_init.sh env: - name: SQL_HOST value: "{{ .Values.postgres.service.name2 }}" - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - name: SQL_DB value: {{ .Values.dbmigrator.schema }} - name: POLICY_HOME 
@@ -153,23 +335,33 @@ spec: - name: SCRIPT_DIRECTORY value: "postgres" - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - resources: -{{ include "common.resources" . }} - {{ end }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} + {{- if (include "common.onServiceMesh" .) }} + - name: policy-service-mesh-wait-for-job-container + image: {{ include "repositoryGenerator.image.quitQuit" . }} + imagePullPolicy: Always + command: + - /bin/sh + - "-c" + args: + - echo "waiting 10s for istio side cars to be up"; sleep 10s; + /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45; + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- end }} restartPolicy: Never serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-db-configmap + defaultMode: 0755 items: - - key: db.sh - path: db.sh - - key: db_migrator_policy_init.sh - path: db_migrator_policy_init.sh - - key: db-pg.sh - path: db-pg.sh - key: db_migrator_pg_policy_init.sh path: db_migrator_pg_policy_init.sh - +{{ end }} diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml index 1894d62a42..feb29f3b0c 100644 --- a/kubernetes/policy/templates/policy-kafka-topics.yaml +++ b/kubernetes/policy/templates/policy-kafka-topics.yaml 
@@ -13,19 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.acRuntimeTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: {{ .Values.config.acRuntimeTopic.partitions }} - config: - retention.ms: {{ .Values.config.acRuntimeTopic.retentionMs }} - segment.bytes: {{ .Values.config.acRuntimeTopic.segmentBytes }} ---- + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: @@ -61,4 +49,3 @@ spec: config: retention.ms: {{ .Values.config.policyNotificationTopic.retentionMs }} segment.bytes: {{ .Values.config.policyNotificationTopic.segmentBytes }} -{{- end }} diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml index 1bc7ab1d3a..ed399ed9c7 100644 --- a/kubernetes/policy/templates/policy-kafka-user.yaml +++ b/kubernetes/policy/templates/policy-kafka-user.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2022 Nordix Foundation +# Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.config.useStrimziKafka }} + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: 
@@ -28,14 +28,17 @@ spec: acls: - resource: type: group - name: {{ .Values.config.acRuntimeTopic.consumer.groupId }} - operation: Read + name: {{ .Values.config.policyPdpPapTopic.consumer.groupId }} + operation: All - resource: type: topic - name: {{ .Values.config.acRuntimeTopic.name }} - operation: Read + name: {{ .Values.config.policyPdpPapTopic.name }} + operation: All - resource: type: topic - name: {{ .Values.config.acRuntimeTopic.name }} - operation: Write -{{- end }} + name: {{ .Values.config.policyHeartbeatTopic.name }} + operation: All + - resource: + type: topic + name: {{ .Values.config.policyNotificationTopic.name }} + operation: All diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index d7d556a39f..9497c3c2c4 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,6 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
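Review bot: In policy-kafka-user.yaml (`@@ -28,14 +28,17 @@`), every ACL moves from `Read` or `Write` to `operation: All`, on the consumer group and on three topics. `All` includes delete and alter rights, which a producer/consumer does not need. The policy-xacml-pdp values in this same change list `operations: [ Create, Describe, Read, Write ]` for its Kafka user; please use an explicit list of that kind here as well, or explain why this KafkaUser needs full control of the `policyPdpPapTopic`, `policyHeartbeatTopic` and `policyNotificationTopic` topics.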
@@ -18,15 +18,22 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true - mariadb: + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + localCluster: true # '&mariadbConfig' means we "store" the values for later use in the file # with '*mariadbConfig' pointer. config: &mariadbConfig mysqlDatabase: policyadmin - service: &mariadbService - name: &policy-mariadb policy-mariadb - internalPort: 3306 + service: &mariadbService policy-mariadb + internalPort: 3306 + nameOverride: *mariadbService + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: prometheusEnabled: false postgres: localCluster: false @@ -36,9 +43,11 @@ global: name3: tcp-pgset-replica container: name: postgres - kafkaBootstrap: strimzi-kafka-bootstrap + kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user - + kafkaTopics: + acRuntimeTopic: + name: policy.clamp-runtime-acm ################################################################# # Secrets metaconfig ################################################################# 
@@ -46,7 +55,19 @@ secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}' + externalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (( hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' policy: generate - uid: db-secret 
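Review bot: The new `externalSecret` expression for `db-root-password` nests three `ternary` calls and has four possible outcomes (local cluster with the chart-generated secret, local cluster with the templated `rootUser.externalSecret`, external cluster with `userRootSecret`, external cluster with the name from `common.mariadb.secret.rootPassSecretName`), and none of them is described next to it. Because `ternary` is an ordinary function, all of its arguments are rendered whatever `localCluster` is, so the `hasSuffix` call and the `include` both have to render in every configuration. Please add a comment listing the four cases, and wrap the `index .Values "mariadb-galera" "rootUser" "externalSecret"` argument of `hasSuffix` in `default ""` as the `tpl` branch already does.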
@@ -77,19 +98,6 @@ secrets: login: '{{ .Values.restServer.policyApiUserName }}' password: '{{ .Values.restServer.policyApiUserPassword }}' passwordPolicy: required - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-policy-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "policy-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-policy-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "policy-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate db: &dbSecretsHook credsExternalSecret: *dbSecretName 
@@ -120,48 +128,37 @@ policy-apex-pdp: config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-drools-pdp: - enabled: true + enabled: false db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-distribution: enabled: true db: *dbSecretsHook - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-clamp-be: - enabled: true - db: *dbSecretsHook - config: - appUserExternalSecret: *policyAppCredsSecret - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-k8s-ppnt: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-pf-ppnt: enabled: true restServer: apiUserExternalSecret: *policyApiCredsSecret papUserExternalSecret: *policyPapCredsSecret - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-http-ppnt: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-nexus: - enabled: false - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' +policy-clamp-ac-a1pms-ppnt: + enabled: true +policy-clamp-ac-kserve-ppnt: + enabled: true policy-clamp-runtime-acm: enabled: true db: *dbSecretsHook config: appUserExternalSecret: *policyAppCredsSecret +policy-nexus: + enabled: false + config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-gui: - enabled: true + enabled: false config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' 
@@ -169,14 +166,8 @@ policy-gui: # DB configuration defaults. ################################################################# -repository: nexus3.onap.org:10001 -pullPolicy: Always - -mariadb: - image: mariadb:10.5.8 - dbmigrator: - image: onap/policy-db-migrator:2.4.3 + image: onap/policy-db-migrator:3.1.0 schema: policyadmin policy_home: "/opt/app/policy" @@ -208,14 +199,6 @@ readiness: config: policyAppUserName: runtimeUser - useStrimziKafka: true - acRuntimeTopic: - name: policy-acruntime-participant - partitions: 10 - retentionMs: 7200000 - segmentBytes: 1073741824 - consumer: - groupId: policy-group policyPdpPapTopic: name: policy-pdp-pap partitions: 10 @@ -237,25 +220,30 @@ config: segmentBytes: 1073741824 consumer: groupId: policy-group + someConfig: blah mariadb-galera: - # mariadb-galera.config and global.mariadb.config must be equals + # mariadb-galera.config and global.mariadbGalera.config must be equals db: - user: policy_user + user: policy-user # password: externalSecret: *dbSecretName name: &mysqlDbName policyadmin rootUser: externalSecret: *dbRootPassSecretName - nameOverride: *policy-mariadb - # mariadb-galera.service and global.mariadb.service must be equals - service: *mariadbService + nameOverride: *mariadbService + # mariadb-galera.service and global.mariadbGalera.service must be equals + service: + name: *mariadbService replicaCount: 1 + mariadbOperator: + galera: + enabled: false persistence: enabled: true mountSubPath: policy/maria/data serviceAccount: - nameOverride: *policy-mariadb + nameOverride: *mariadbService postgresImage: library/postgres:latest # application configuration override for postgres 
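Review bot: In the last hunk above (`@@ -237,25 +220,30 @@`), `someConfig: blah` is added under `config:` and reads like a leftover test value; nothing in the visible hunks refers to it, so please drop it. The context line `postgresImage: library/postgres:latest` at the end of the same hunk is also worth pinning to a fixed version while this file is being touched: the new `pg-init` job runs that image with the database root password in its environment, and `dbmigrator.image` is already pinned to `3.1.0`.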
@@ -273,14 +261,18 @@ postgres: mountSubPath: policy/postgres/data mountInitPath: policy config: - pgUserName: policy_user + pgUserName: policy-user pgDatabase: policyadmin - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName + pgUserExternalSecret: *dbSecretName + pgRootPasswordExternalSecret: *dbRootPassSecretName readinessCheck: - wait_for: - - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' + wait_for_postgres: + services: + - '{{ .Values.global.postgres.service.name2 }}' + wait_for_mariadb: + services: + - '{{ include "common.mariadbService" . }}' restServer: policyPapUserName: policyadmin @@ -294,18 +286,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "200m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/portal-ng/.helmignore b/kubernetes/portal-ng/.helmignore new file mode 100644 index 0000000000..5483707e0d --- /dev/null +++ b/kubernetes/portal-ng/.helmignore @@ -0,0 +1,33 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ + diff --git a/kubernetes/portal-ng/Chart.yaml b/kubernetes/portal-ng/Chart.yaml new file mode 100644 index 0000000000..32a45042b4 --- /dev/null +++ b/kubernetes/portal-ng/Chart.yaml 
@@ -0,0 +1,36 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Next Generation Portal +name: portal-ng +version: 13.0.1 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: portal-ng-bff + version: ~13.x-0 + repository: '@local' + - name: portal-ng-preferences + version: ~13.x-0 + repository: '@local' + - name: portal-ng-history + version: ~13.x-0 + repository: '@local' + - name: portal-ng-ui + version: ~13.x-0 + repository: '@local' + diff --git a/kubernetes/portal-ng/Makefile b/kubernetes/portal-ng/Makefile new file mode 100644 index 0000000000..08ed7cb9da --- /dev/null +++ b/kubernetes/portal-ng/Makefile 
@@ -0,0 +1,58 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts docker +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/portal-ng/README.md b/kubernetes/portal-ng/README.md new file mode 100644 index 0000000000..82813a6705 --- /dev/null +++ b/kubernetes/portal-ng/README.md 
@@ -0,0 +1,19 @@ + +# Helm Chart for the Portal Application \ No newline at end of file diff --git a/kubernetes/portal-ng/components/Makefile b/kubernetes/portal-ng/components/Makefile new file mode 100644 index 0000000000..08ed7cb9da --- /dev/null +++ b/kubernetes/portal-ng/components/Makefile 
@@ -0,0 +1,58 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts docker +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/portal-ng/components/portal-ng-bff/.helmignore b/kubernetes/portal-ng/components/portal-ng-bff/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null 
+++ b/kubernetes/portal-ng/components/portal-ng-bff/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml new file mode 100644 index 0000000000..ec9769d819 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml 
@@ -0,0 +1,49 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-bff +description: Helm chart of the backend for ONAP portal. This micro service follows the backend for frontend approach. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. 
+appVersion: latest + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + diff --git a/kubernetes/portal-ng/components/portal-ng-bff/README.md b/kubernetes/portal-ng/components/portal-ng-bff/README.md new file mode 100644 index 0000000000..4baa4f2d08 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/README.md @@ -0,0 +1,8 @@ +# Portal-bff helm chart +This repository contains the chart for the portal-bff. + +# Redis chart +The app has a dependency to Redis. The chart for this was obtained from [artifacthub](https://artifacthub.io/packages/helm/bitnami/redis). For updates to that chart, go there click on `Install` and copy the direct link. Then do a +``` bash +wget -P charts/ https://charts.bitnami.com/bitnami/redis-16.8.7.tgz +``` diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml new file mode 100644 index 0000000000..b45ead6a52 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml new file mode 100644 index 0000000000..ef54110af4 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml 
@@ -0,0 +1,36 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + - secretRef: + name: {{ include "common.fullname" . }}-secret + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml new file mode 100644 index 0000000000..b686ac998b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml new file mode 100644 index 0000000000..a47b707284 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-secret + namespace: {{ include "common.namespace" . }} +type: Opaque +data: + {{- range $key, $val := .Values.secretEnv }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end -}} \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml new file mode 100644 index 0000000000..301d358c3b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..327df40ef6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "common.fullname" . }}-test-connection + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/kubernetes/portal-ng/components/portal-ng-bff/values.yaml b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml new file mode 100644 index 0000000000..b8b7c3d061 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml 
@@ -0,0 +1,59 @@ +global: {} + +# Default values for bff. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + imageName: onap/portal-ng/bff + pullPolicy: Always + # Overrides the image tag whose default value is the chart appVersion. + # tag: 0.1.0 + +replicaCount: 2 + +# Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +# Custom selector label (for bigger namespaces with other components) +partOf: portal + +service: + type: ClusterIP + port: 9080 + ports: + - name: http + port: 9080 + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + +probes: + readiness: + initialDelaySeconds: 20 + failureThreshold: 4 + liveness: + initialDelaySeconds: 20 + failureThreshold: 4 + +env: + KEYCLOAK_URL: http://keycloakx-http.keycloak/auth + KEYCLOAK_REALM: ONAP + HISTORY_URL: http://portal-ng-history:9002 + PREFERENCES_URL: http://portal-ng-preferences:9001 + TRACING_ENABLED: true + COLLECTOR_HOST: jaeger-collector.istio-system + COLLECTOR_PORT: 9411 + +secretEnv: + KEYCLOAK_CLIENT_ID: portal-bff + KEYCLOAK_CLIENT_SECRET: pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr + +#Pods Service Account +serviceAccount: + nameOverride: portal-ng-bff + roles: + - read + diff --git a/kubernetes/portal-ng/components/portal-ng-history/.helmignore b/kubernetes/portal-ng/components/portal-ng-history/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
diff --git a/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml new file mode 100644 index 0000000000..27e7f58afd --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml 
@@ -0,0 +1,51 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-history +description: Helm chart of the history. This micro service provides the latest user actions of the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. 
+appVersion: latest + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: mongodb + version: 14.12.2 + repository: '@local' diff --git a/kubernetes/portal-ng/components/portal-ng-history/README.md b/kubernetes/portal-ng/components/portal-ng-history/README.md new file mode 100644 index 0000000000..0c0e7b34bb --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/README.md @@ -0,0 +1,2 @@ +# History helm chart +This repository contains the chart for the history service. \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml new file mode 100644 index 0000000000..f8c23479e1 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} \ No newline at end of file 
diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml new file mode 100644 index 0000000000..a2a924b488 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml 
@@ -0,0 +1,48 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + - secretRef: + name: {{ include "common.fullname" . }}-secret + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} \ No newline at end of file 
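Review bot: the pod spec in kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml never sets `serviceAccountName`, although this chart's Chart.yaml depends on `serviceAccount` and its values.yaml configures `serviceAccount.nameOverride: portal-ng-history` with the `read` role. With the field unset, Kubernetes runs the pods under the namespace's default service account, so the account configured in values.yaml is not the one the workload uses. Set `serviceAccountName` under `spec.template.spec` to the account the dependency creates, or drop the dependency and the values block if the service needs no API access. The portal-ng-bff deployment template has the same omission.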
diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml new file mode 100644 index 0000000000..9ac9406eda --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml @@ -0,0 +1,47 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} 
diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml new file mode 100644 index 0000000000..9fee578d43 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml @@ -0,0 +1,25 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-secret + namespace: {{ include "common.namespace" . }} +type: Opaque +data: + {{- range $key, $val := .Values.secretEnv }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end -}} \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml new file mode 100644 index 0000000000..301d358c3b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..327df40ef6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "common.fullname" . }}-test-connection + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/kubernetes/portal-ng/components/portal-ng-history/values.yaml b/kubernetes/portal-ng/components/portal-ng-history/values.yaml new file mode 100644 index 0000000000..dc999841ef --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/values.yaml 
@@ -0,0 +1,81 @@ +global: {} + +image: + imageName: onap/portal-ng/history + pullPolicy: Always + # Overrides the image tag whose default value is the chart appVersion. + # tag: 0.1.0 + +replicaCount: 1 + +# Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +imagePullSecrets: + - name: onap-docker-registry-key +nameOverride: "" +fullnameOverride: "" + +# Custom selector label (for bigger namespaces with other components) +partOf: portal + +service: + type: ClusterIP + port: 9002 + ports: + - name: http + port: 9002 + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +probes: + readiness: + initialDelaySeconds: 20 + failureThreshold: 4 + liveness: + initialDelaySeconds: 20 + failureThreshold: 4 + +secretEnv: + MONGO_USERNAME: dbuser + MONGO_PASSWORD: dbpassword + MONGO_DATABASE: history + +env: + KEYCLOAK_URL: http://keycloakx-http.keycloak + KEYCLOAK_REALM: ONAP + MONGO_HOST: history-mongodb + MONGO_PORT: 27017 + TRACING_ENABLED: true + COLLECTOR_HOST: jaeger-collector.istio-system + COLLECTOR_PORT: 9411 + +mongodb: + nameOverride: history-mongodb + service: + portName: tcp-mongodb + auth: + rootPassword: TrWAweN9y9eW + usernames: + - dbuser + passwords: + - dbpassword + databases: + - history + resources: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "250m" + memory: "500Mi" + +#Pods Service Account +serviceAccount: + nameOverride: portal-ng-history + roles: + - read diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore b/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml new file mode 100644 index 0000000000..2ec186a800 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml 
@@ -0,0 +1,53 @@ +# Copyright (C) 2024 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-preferences +description: Helm chart of the preferences. This micro service provides the user preferences for the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. 
+appVersion: latest + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: mongodb + version: 14.12.2 + repository: '@local' + + diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/README.md b/kubernetes/portal-ng/components/portal-ng-preferences/README.md new file mode 100644 index 0000000000..4ae034609d --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/README.md @@ -0,0 +1,2 @@ +# Preferences helm chart +This repository contains the chart for the preferences service. \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml new file mode 100644 index 0000000000..f8c23479e1 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} \ No newline at end of file 
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml new file mode 100644 index 0000000000..a2a924b488 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml 
@@ -0,0 +1,48 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + - secretRef: + name: {{ include "common.fullname" . }}-secret + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} \ No newline at end of file 
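Review bot: The pod spec in portal-ng-preferences/templates/deployment.yaml never sets serviceAccountName, so the pods run under the namespace's default service account even though the chart declares the serviceAccount dependency and values.yaml defines serviceAccount.nameOverride with a read role. Reference the generated account under spec.template.spec. The container also has no resources block and no securityContext, while the portal-ng-ui deployment does render common.resources. Add the same resources include here, and set runAsNonRoot and allowPrivilegeEscalation: false on the container.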
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml new file mode 100644 index 0000000000..9ac9406eda --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml @@ -0,0 +1,47 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} 
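Review bot: apiVersion: autoscaling/v2beta1 on the HorizontalPodAutoscaler was removed in Kubernetes 1.25, so setting autoscaling.enabled to true on a current cluster makes the install fail. Move the template to autoscaling/v2 and replace each targetAverageUtilization line with a target block (type: Utilization, averageUtilization: the same value). The memory metric is only rendered when targetMemoryUtilizationPercentage is set, but values.yaml never mentions that key; document it there as a commented-out option.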
diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml new file mode 100644 index 0000000000..90c67ee74a --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml @@ -0,0 +1,25 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-secret + namespace: {{ include "common.namespace" . }} +type: Opaque +data: + {{- range $key, $val := .Values.secretEnv }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end -}} \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml new file mode 100644 index 0000000000..3639dace48 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2024 Deutsche Telekom. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..327df40ef6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "common.fullname" . }}-test-connection + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml new file mode 100644 index 0000000000..2f6d1bae78 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml 
@@ -0,0 +1,82 @@ +global: {} + +# Default values for preferences. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + imageName: onap/portal-ng/preferences + pullPolicy: Always + # Overrides the image tag whose default value is the chart appVersion. + # tag: 0.1.0 + +replicaCount: 1 + +# Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +nameOverride: "" +fullnameOverride: "" + +# Custom selector label (for bigger namespaces with other components) +partOf: portal + +service: + type: ClusterIP + port: 9001 + ports: + - name: http + port: 9001 + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +probes: + readiness: + initialDelaySeconds: 20 + failureThreshold: 4 + liveness: + initialDelaySeconds: 20 + failureThreshold: 4 + +secretEnv: + MONGO_USERNAME: dbuser + MONGO_PASSWORD: dbpassword + MONGO_DATABASE: Preferences + +env: + KEYCLOAK_URL: http://keycloakx-http.keycloak + KEYCLOAK_REALM: ONAP + MONGO_HOST: preferences-mongodb + MONGO_PORT: 27017 + TRACING_ENABLED: true + COLLECTOR_HOST: jaeger-collector.istio-system + COLLECTOR_PORT: 9411 + +mongodb: + nameOverride: preferences-mongodb + service: + portName: tcp-mongodb + auth: + rootPassword: TrWAweN9y9eW + usernames: + - dbuser + passwords: + - dbpassword + databases: + - Preferences + resources: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "250m" + memory: "500Mi" + +#Pods Service Account +serviceAccount: + nameOverride: portal-ng-preferences + roles: + - read diff --git a/kubernetes/portal-ng/components/portal-ng-ui/.helmignore b/kubernetes/portal-ng/components/portal-ng-ui/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/.helmignore 
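Review bot: portal-ng-preferences/values.yaml commits working credentials as chart defaults: secretEnv.MONGO_PASSWORD is dbpassword, mongodb.auth.passwords repeats it, and mongodb.auth.rootPassword is a fixed string. Every installation that does not override them shares the same database root password, and templates/secret.yaml only base64-encodes whatever is in secretEnv, which is encoding and not protection. Leave the password fields empty, generate them at install time or read them from a pre-created Secret, and make the template fail when they are unset. Separately, env.KEYCLOAK_URL is plain http; confirm that hop is encrypted some other way or switch it to https.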
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml new file mode 100644 index 0000000000..4dcb25cc3a --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml 
@@ -0,0 +1,48 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-ui +description: Helm chart of the UI part of the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: latest + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' 
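Review bot: appVersion: latest in portal-ng-ui/Chart.yaml makes the deployed image a moving target, because templates/deployment.yaml resolves the tag as .Values.image.tag | default .Chart.AppVersion and values.yaml leaves tag commented out with pullPolicy: Always. Two installs of chart version 13.0.0 can therefore run different code, and a helm rollback does not bring back the previous image. Set appVersion to the released image version (or pin the image by digest) and bump it together with the chart version. The same applies to the portal-ng-preferences Chart.yaml, which also uses appVersion: latest.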
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg new file mode 100644 index 0000000000..a203d519ed --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg @@ -0,0 +1,220 @@ + + + + + + image/svg+xml + + + + + + + logo + Created with Sketch. + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg new file mode 100644 index 0000000000..2015be22f6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg @@ -0,0 +1,157 @@ + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg new file mode 100644 index 0000000000..84f9eeda35 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg @@ -0,0 +1,96 @@ + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg new file mode 100644 index 0000000000..6b93a58db5 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg @@ -0,0 +1,534 @@ + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg new file mode 100644 index 0000000000..6b93a58db5 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg @@ -0,0 +1,534 @@ + + + + + + + + + + 
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json new file mode 100644 index 0000000000..a69855d639 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json 
@@ -0,0 +1,128 @@ +{ + "items": [ + { + "id": 1, + "title": "Service Design and Creation (SDC)", + "description": "Open the SDC in a new tab", + "tooltipDE": "SDC ist das visuelle Modellierungs- und Designtool von ONAP. Es erstellt interne Metadaten, die Assets beschreiben, die von allen ONAP-Komponenten verwendet werden, sowohl zur Entwurfszeit als auch zur Laufzeit.", + "tooltipEN": "SDC is the ONAP visual modeling and design tool. It creates internal metadata that describes assets used by all ONAP components, both at design time and run time.", + "imageUrl": "sdc.svg", + "imageAltText": "SDC image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDC_URL) }}/sdc1/", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 3, + "title": "Policy Framework", + "description": "Open Policy GUI in a new tab", + "tooltipDE": "Das ONAP Policy Framework legt die Architektur des Frameworks dar und zeigt die APIs, die anderen Komponenten bereitgestellt werden, die mit dem Framework zusammenarbeiten.", + "tooltipEN": "ONAP Policy Framework lays out the architecture of the framework and shows the APIs provided to other components that interwork with the framework.", + "imageUrl": "onap.svg", + "imageAltText": "Policy image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.POLICY_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN" + ] + }, + { + "id": 4, + "title": "Service Orchestration (SO) Monitoring", + "description": "Open SO-Monitoring in a new tab", + "tooltipDE": "Der ONAP Service Orchestrator bietet die höchste Ebene der Service-Orchestrierung in der ONAP-Architektur.", + "tooltipEN": "The ONAP Service Orchestrator provides the highest level of service orchestration in the ONAP architecture.", + "imageUrl": "onap.svg", + "imageAltText": "SO-Monitoring image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SO_URL) }}", + "groups": [], + "roles": [ + "PORTAL_OPERATOR" + ] + }, + { + "id": 7, + "title": "Controller Design Studio (CDS)", + "description": "Open CDS in a new tab", + "tooltipDE": "Die CDS Designer Benutzeroberfläche ist ein Framework zur Automatisierung der Auflösung von Ressourcen für die Instanziierung und aller Konfigurationsbereitstellung, wie z. B. die Konfiguration von Day0, Day1 oder Day2.", + "tooltipEN": "CDS Designer UI is a framework to automate the resolution of resources for instantiation and any config provisioning operation, such as day0, day1, or day2 configuration.", + "imageUrl": "cds.svg", + "imageAltText": "CDS image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.CDS_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 9, + "title": "Holmes Rules", + "description": "Open Holmes in a new tab", + "tooltipDE": "Das Holmes-Projekt bietet Alarmkorrelation und -analyse für Telekommunikations-Cloudinfrastruktur und -Dienste, einschließlich Hosts, Vims, VNFs und NSs.", + "tooltipEN": "Holmes project provides alarm correlation and analysis for Telecom cloud infrastructure and services, including hosts, vims, VNFs and NSs.", + "imageUrl": "onap.svg", + "imageAltText": "Holmes image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.HOLMES_URL) }}/iui/holmes/default.html", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 10, + "title": "A&AI Browser", + "description": "Open the A&AI Browser in a new tab", + "tooltipDE": "AAI ist eine Komponente der ONAP-Laufzeit (Echtzeitansichten von Ressourcen, Services, Produkten, Kundenabonnements und deren Beziehungen).", + "tooltipEN": "AAI is a component of ONAP runtime (Real-time views of Resources, Services, Products, Customer Subscriptions and their relationships).", + "imageUrl": "onap.svg", + "imageAltText": "A&AI Browser image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.AAI_URL) }}/services/aai/webapp/index.html#/browse", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 11, + "title": "SDN-C Directed Graph Builder (SDC-C DGB)", + "description": "Open the SDN-C Directed Graph Builder in a new tab", + "tooltipDE": "SDNC DG soll eine Ausführungsumgebung für schnell geschriebene und hochgradig angepasste Serviceabläufe bereitstellen.", + "tooltipEN": "SDNC DG is to provide an execution environment for quickly written and highly customized service flows.", + "imageUrl": "sdnc-dg.svg", + "imageAltText": "SDN-C DG image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDNCDG_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 12, + "title": "SDN-C Open Daylight UI (SDN-C ODL)", + "description": "Open the SDN-C Open Daylight UI (SDN-C ODL) in a new tab", + "tooltipDE": "Das OpenDaylight Project ist ein kollaboratives Open-Source-Projekt, das von der Linux Foundation gehostet wird. Das Projekt dient als Plattform für Software-Defined Networking (SDN) zur offenen, zentralisierten Überwachung von Netzwerkgeräten.", + "tooltipEN": "The OpenDaylight Project is a collaborative open-source project hosted by The Linux Foundation. The project serves as a platform for software-defined networking (SDN) for open, centralized, network device monitoring.", + "imageUrl": "sdnc-odl.svg", + "imageAltText": "SDN-C ODL image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDNCODL_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + } + ] +} 
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml new file mode 100644 index 0000000000..33d9cf3a51 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml @@ -0,0 +1,28 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-tiles-icons + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/tiles/icons/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml new file mode 100644 index 0000000000..ef4ee2ea2c --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml 
@@ -0,0 +1,28 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-tiles-json + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/tiles/tiles.json").AsConfig . | indent 2 }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml new file mode 100644 index 0000000000..4895edd85b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml 
@@ -0,0 +1,30 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml new file mode 100644 index 0000000000..6a16384346 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml 
@@ -0,0 +1,78 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + ports: {{ include "common.containerPorts" . 
| nindent 12 }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.service.internalPort}} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: / + port: {{ .Values.service.internalPort}} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + volumeMounts: + - name: tiles-icons + mountPath: {{ .Values.nginx.tilesIconsPath }} + readOnly: true + - name: tiles-json + mountPath: {{ .Values.nginx.tilesPath }} + subPath: tiles.json + readOnly: true + resources: {{ include "common.resources" . | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + - name: tiles-icons + configMap: + name: {{ include "common.fullname" . }}-tiles-icons + - name: tiles-json + configMap: + name: {{ include "common.fullname" . }}-tiles-json + items: + - key: tiles.json + path: tiles.json diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml new file mode 100644 index 0000000000..bc2d2bc363 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml new file mode 100644 index 0000000000..301d358c3b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/values.yaml b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml new file mode 100644 index 0000000000..bf28766bda --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml 
@@ -0,0 +1,111 @@ +# Copyright © 2022, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + ingress: + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + +# Default values for ui. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + imageName: onap/portal-ng/ui + pullPolicy: Always + # Overrides the image tag whose default value is the chart appVersion. + # tag: 0.1.0 + +replicaCount: 1 + +# Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +nameOverride: "" +fullnameOverride: "" +# This is the overall name on which this component is ar part of. 
+partOf: portal + +service: + type: ClusterIP + internalPort: 8080 + ports: + - name: http + port: 80 + port_protocol: http + +ingress: + enabled: true + service: + - baseaddr: "portal-ng-ui" + name: "portal-ng-ui" + port: 80 + config: + ssl: "redirect" + +resources: {} + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + +probes: + readiness: + initialDelaySeconds: 20 + failureThreshold: 4 + liveness: + initialDelaySeconds: 20 + failureThreshold: 4 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +env: + BFF_URL: http://portal-ng-bff.onap.svc.cluster.local:9080 + NGINX_PORT: 8080 + KEYCLOAK_REALM: ONAP + KEYCLOAK_INTERNAL_URL: http://keycloakx-http.keycloak.svc.cluster.local + KEYCLOAK_HOSTNAME: https://keycloak-ui.simpledemo.onap.org + +#Pods Service Account +serviceAccount: + nameOverride: portal-ng-ui + roles: + - read + +nginx: + tilesPath: /usr/share/nginx/html/assets/tiles/tiles.json + tilesIconsPath: /usr/share/nginx/html/assets/images/tiles + +tiles: + SDC_URL: "sdc-fe-ui" + POLICY_URL: "policy-ui" + SO_URL: "so-admin-cockpit-ui" + CDS_URL: "cds-ui" + HOLMES_URL: "holmes-rule-mgmt-ui" + AAI_URL: "aai-sparkybe-api" + SDNCDG_URL: "sdnc-dgbuilder-ui" + SDNCODL_URL: "sdnc-web-ui" \ No newline at end of file diff --git a/kubernetes/portal-ng/values.yaml b/kubernetes/portal-ng/values.yaml new file mode 100755 index 0000000000..12862a1930 --- /dev/null +++ b/kubernetes/portal-ng/values.yaml 
@@ -0,0 +1,19 @@ +# Copyright (C) 2021 Bell Canada +# Modifications Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# + diff --git a/kubernetes/portal/.helmignore b/kubernetes/portal/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/portal/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/portal/Chart.yaml b/kubernetes/portal/Chart.yaml deleted file mode 100644 index 0f7b846607..0000000000 --- a/kubernetes/portal/Chart.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Web Portal -name: portal -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: portal-app - version: ~11.x-0 - repository: 'file://components/portal-app' - - name: portal-cassandra - version: ~11.x-0 - repository: 'file://components/portal-cassandra' - - name: portal-mariadb - version: ~11.x-0 - repository: 'file://components/portal-mariadb' - - name: portal-sdk - version: ~11.x-0 - repository: 'file://components/portal-sdk' - - name: portal-widget - version: ~11.x-0 - repository: 'file://components/portal-widget' diff --git a/kubernetes/portal/Makefile b/kubernetes/portal/Makefile deleted file mode 100644 index 2f6c6fe47c..0000000000 --- a/kubernetes/portal/Makefile +++ /dev/null 
@@ -1,56 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/portal/components/Makefile b/kubernetes/portal/components/Makefile deleted file mode 100644 index 1688db2d44..0000000000 
--- a/kubernetes/portal/components/Makefile +++ /dev/null @@ -1,56 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
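Review bot: In the new portal-ng ui values hunk (the one setting `imageName: onap/portal-ng/ui`), the `env` block hardcodes `KEYCLOAK_HOSTNAME: https://keycloak-ui.simpledemo.onap.org` even though the same file introduces `global.ingress.virtualhost.baseurl` as the overridable base URL, so a deployment that overrides `baseurl` will still get the simpledemo Keycloak hostname. Consider building this value in the template from `baseurl` (plus `preaddr`/`postaddr`) instead of a literal. The same block pins the `onap` and `keycloak` namespaces inside `BFF_URL` and `KEYCLOAK_INTERNAL_URL` and uses plain `http://` for both, which deserves a comment if in-cluster TLS is expected to be handled elsewhere. Smaller points: `resources: {}` ships without requests or limits, the comment above `partOf` reads "ar part of", and the file has no trailing newline.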
diff --git a/kubernetes/portal/components/portal-app/.helmignore b/kubernetes/portal/components/portal-app/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-app/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-app/Chart.yaml b/kubernetes/portal/components/portal-app/Chart.yaml deleted file mode 100644 index 375b11bb7d..0000000000 --- a/kubernetes/portal/components/portal-app/Chart.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Portal application -name: portal-app -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' 
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties deleted file mode 100755 index 7020a40bb4..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties +++ /dev/null 
@@ -1,63 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# domain settings -#domain_class_location = - -# validator settings -#default_error_message = Default error message - -login_url_no_ret_val = https://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -user_attribute_name = user - -# User Session settings -roles_attribute_name = roles -role_functions_attribute_name = role_functions - -# menu settings -menu_query_name = menuData -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -business_direct_menu_set_name = BD -business_direct_menu_attribute_name = businessDirectMenuData - -# ECOMP settings -ecomp_app_id = 1 -# Role settings -sys_admin_role_id = 1 -account_admin_role_id = 999 -restricted_app_role_id = 900 - -# Home Page index html -home_page = /index.html - -authentication_mechanism =DBAUTH - -login.error.hrid.empty = Login failed, please contact system administrator. -login.error.hrid.not-found = User not found, please contact system administrator. -login.error.user.inactive = Account is disabled, please contact system administrator. - -# -# Number of seconds to poll health (database operational, etc.) -# -health_poll_interval_seconds = 5 -# -# If a component is down a log entry will be written that triggers an alert. 
This parameter specifies how often this alert should be triggered -# if the component remains down. For example a value of 30, would translate to 30 * 60 seconds = 1800 seconds, or every 30 minutes -# -health_fail_alert_every_x_intervals = 30 diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties deleted file mode 100644 index 791853db8f..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties +++ /dev/null @@ -1,4 +0,0 @@ -{{/* -# Encrypted Properties -*/}} -cipher.enc.key = ${CIPHER_ENC_KEY} diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml deleted file mode 100644 index 325da8e9e3..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml +++ /dev/null 
@@ -1,300 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${applicationLoggerPattern} - - - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - - ${logDirectory}/${generalLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${applicationLoggerPattern} - - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - - ${logDirectory}/${auditLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${auditLoggerPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - - ${logDirectory}/${metricsLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${metricsLoggerPattern} - - - - - - 256 - - - - - ${logDirectory}/${errorLogName}.log - - - ${logDirectory}/${errorLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${errorLoggerPattern} - - - - - 256 - - - - - ${debugLogDirectory}/${debugLogName}.log - - - ${logDirectory}/${debugLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${defaultLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties deleted file mode 100644 index 1fc99383cd..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties +++ /dev/null 
@@ -1,35 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -music.version = v2 -music.keyspace = keyspaces -music.session.keyspace = portal -music.tables = tables -music.session.attr.tables = spring_session_attributes -music.session.meta.tables = spring_session -music.consistency.info = type -music.consistency.info.value = eventual -music.cache = false -music.session.max.inactive.interval.seconds = 1800 -music.serialize.compress = true - -#By default it's eventual -music.atomic.get = false -music.atomic.put = false -cassandra.host={{.Values.cassandra.service.name}} -cassandra.user=${CASSA_USER} -cassandra.password=${CASSA_PASSWORD} diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties deleted file mode 100755 index 63533621f7..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -authentication_server_url = http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/ -ecomp_openid_connect_client = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/openid_connect_login -ecomp_redirect_uri = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/welcome.htm diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties deleted file mode 100755 index 4da4854188..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Not used by portal -portal.api.impl.class = org.onap.portalsdk.core.onboarding.client.OnBoardingApiServiceImpl.not.used.by.portal -portal.api.prefix = /api -max.idle.time = 5 -user.attribute.name = user_attribute - -# for single sign on -ecomp_redirect_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -# URL of the ECOMP Portal REST API -ecomp_rest_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/auxapi - -ueb_listeners_enable = true - -ueb_app_key = 7GkVcrO6sIDb3ngW -ueb_app_secret = uCYgKjWKK5IxPGNNZzYSSWo9 -ueb_app_mailbox_name = ECOMP-PORTAL-INBOX - -ueb_url_list = message-router -ecomp_portal_inbox_name = ECOMP-PORTAL-INBOX - -# Consumer group name for UEB topic. -# Use the special tag to generate a unique one for each sdk-app server. -ueb_app_consumer_group_name = {UUID} - -role_access_centralized = remote - -ext_req_connection_timeout = 15000 -ext_req_read_timeout = 20000 diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties deleted file mode 100755 index 34c7f1dee0..0000000000 
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties +++ /dev/null 
@@ -1,127 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -#mysql -db.driver = org.mariadb.jdbc.Driver -db.connectionURL = jdbc:mariadb:failover://portal-db:3306/portal -db.userName =${PORTAL_DB_USER} -db.password =${PORTAL_DB_PASSWORD} -db.hib.dialect = org.hibernate.dialect.MySQLDialect -db.min_pool_size = 5 -db.max_pool_size = 10 -hb.dialect = org.hibernate.dialect.MySQLDialect -hb.show_sql = false -hb.db_reconnect = true -hb.idle_connection_test_period = 3600 - -app_display_name = Portal -files_path = /tmp -context_root = ONAPPORTAL -# menu settings -menu_query_name = menuData -menu_properties_file_location = /WEB-INF/fusion/menu/ -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -application_menu_properties_name = menu.properties -business_direct_menu_set_name = BD -business_direct_menu_properties_name = bd.menu.properties -business_direct_menu_attribute_name = businessDirectMenuData - -application_user_id = 30000 -post_default_role_id = 1 - -#Enable Fusion Mobile capabilities for the application -mobile_enable = false - -cache_config_file_path = /WEB-INF/conf/cache.ccf -cache_switch = 1 -cache_load_on_startup = false - -user_name = fullName -decryption_key = AGLDdG4D04BKm2IxIWEr8o== - - -#Cron Schedules -cron_site_name = one -log_cron = 0 * * * * ? * -sessiontimeout_feed_cron = 0 0/5 * * * ? 
* - -#Front end URL -frontend_url = https://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/applicationsHome - - -# An Unqiue 128-bit value defined to indentify a specific version of -# ECOMP Portal deployed on a specific virtual machine. -# This value must be generated and updated at the time of -# the deployment. -# Online Unique UUID generator - https://www.uuidgenerator.net/ -instance_uuid = 90bc9497-10e6-49fe-916b-dcdfaa972383 - -elastic_search_url = http:// -contact_us_link = http:// -user_guide_link = http:// - -# Contact Us page properties -ush_ticket_url = http:// -feedback_email_address = portal@lists.onap.org -portal_info_url = https:// - -#Online user bar refresh interval, in seconds -online_user_update_rate = 30 - -#Online user bar refresh total duration, in seconds -online_user_update_duration = 300 - -#authenticate user server -authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/allUsers - -#window width threshold to collapse left/right menu when page onload -window_width_threshold_left_menu = 1400 -window_width_threshold_right_menu = 1350 - -# User notification refresh interval and duration, in seconds -notification_update_rate = 90 -notification_update_duration = 900 - -#Microservices Related Properties for Portal -microservices.widget.protocol = http -microservices.widget.hostname = portal-widget -microservices.widget.username = widget_user -microservices.widget.password = M+KcrCMVrR1rAxtiFE49n1uXC3FCkNBqFgeYsubEC/U= -#This property won't be needed after consul is functional on VMs - -microservices.widget.local.port = 8082 -microservices.m-learn.local.port = 8083 -#HALO API enable flag -external_access_enable = false - -#delete auditlog from number of days ago -auditlog_del_day_from = 365 - -#External system notification URL -external_system_notification_url= https://jira.onap.org/browse/ - -#cookie domain -cookie_domain = onap.org - -# External Central Auth system access 
-remote_centralized_system_access = {{.Values.global.aafEnabled}} - -# External Access System Basic Auth Credentials & Rest endpoint -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = demo123456! -ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-app/resources/server/server.xml b/kubernetes/portal/components/portal-app/resources/server/server.xml deleted file mode 100644 index 38391ae774..0000000000 --- a/kubernetes/portal/components/portal-app/resources/server/server.xml +++ /dev/null @@ -1,157 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {{ if .Values.global.aafEnabled }} - - {{ end }} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-app/resources/server/web.xml b/kubernetes/portal/components/portal-app/resources/server/web.xml deleted file mode 100644 index 7c4f2a7275..0000000000 --- a/kubernetes/portal/components/portal-app/resources/server/web.xml +++ /dev/null @@ -1,155 +0,0 @@ - - - - - fusion - - - - - - - - - - - org.onap.portalapp.portal.listener.UserSessionListener - - - - CorsFilter - org.apache.catalina.filters.CorsFilter - - cors.allowed.origins - http://www.portal.onap.org:9200,http://www.portal.onap.org:9000 - - - cors.allowed.methods - GET,POST,HEAD,OPTIONS,PUT,DELETE - - - cors.allowed.headers - EPService,JSESSIONID,X-ECOMP-RequestID,X-Widgets-Type,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers - - - cors.exposed.headers - Access-Control-Allow-Origin,Access-Control-Allow-Credentials - - - cors.support.credentials - true - - - cors.preflight.maxage - 10 - - - - - CorsFilter - /* - - - - SecurityXssFilter - org.onap.portalapp.filter.SecurityXssFilter - - - - SecurityXssFilter - /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
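Review bot: The deleted `system.properties` hunk shows literal secrets that lived in this chart (`decryption_key`, `microservices.widget.password`, `ext_central_access_password = demo123456!`), and the deleted `portal.properties` has the same pattern with `ueb_app_key` / `ueb_app_secret`; removing the files does not remove the values from history. Please say in the commit message that these values are retired together with the portal chart, and check that nothing remaining in the tree still carries them. The neighbouring `db.userName` / `db.password` entries already used `${PORTAL_DB_USER}`-style substitution fed from secrets, which is the pattern any replacement configuration should follow.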
diff --git a/kubernetes/portal/components/portal-app/templates/NOTES.txt b/kubernetes/portal/components/portal-app/templates/NOTES.txt deleted file mode 100644 index 9a67a4c9bb..0000000000 --- a/kubernetes/portal/components/portal-app/templates/NOTES.txt +++ /dev/null @@ -1,19 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-app/templates/configmap.yaml b/kubernetes/portal/components/portal-app/templates/configmap.yaml deleted file mode 100644 index a6d8234ee6..0000000000 --- a/kubernetes/portal/components/portal-app/templates/configmap.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapportal - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTAL/*").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml deleted file mode 100644 index 02926f59d6..0000000000 --- a/kubernetes/portal/components/portal-app/templates/deployment.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-portal-db-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portal-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.xml` - do - cp ${PFILE} /config - chmod 0755 /config/${PFILE} - done - cd /config-input && \ - for PFILE in `ls -1 *.properties` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - - name: CIPHER_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapportal-scrubbed - - mountPath: /config - name: properties-onapportal -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c"] - {{- if .Values.global.aafEnabled }} - args: ["export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0);\ - export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ - /start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] - env: - - name: CATALINA_OPTS - value: > - -Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}" - -Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}" - {{- else }} - args: ["/start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - - containerPort: {{ .Values.service.internalPort4 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . 
| indent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/fusion/conf/fusion.properties" - subPath: fusion.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/openid-connect.properties" - subPath: openid-connect.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/conf/system.properties" - subPath: system.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/portal.properties" - subPath: portal.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties" - subPath: key.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/music.properties" - subPath: music.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/logback.xml" - subPath: logback.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml" - subPath: server.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/web.xml" - subPath: web.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/temp" - - name: var-log-onap - mountPath: "{{ .Values.log.path }}" - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.log.sidecar" . 
| nindent 6 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapportal - emptyDir: - medium: Memory - - name: properties-onapportal-scrubbed - configMap: - name: {{ include "common.fullname" . }}-onapportal - defaultMode: 0755 - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - - name: var-log-onap - emptyDir: {} - - name: portal-tomcat-logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-app/templates/ingress.yaml b/kubernetes/portal/components/portal-app/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/portal/components/portal-app/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/portal/components/portal-app/templates/secret.yaml b/kubernetes/portal/components/portal-app/templates/secret.yaml deleted file mode 100644 index 78fc709202..0000000000 --- a/kubernetes/portal/components/portal-app/templates/secret.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-app/templates/service.yaml b/kubernetes/portal/components/portal-app/templates/service.yaml deleted file mode 100644 index 523b950f8b..0000000000 --- a/kubernetes/portal/components/portal-app/templates/service.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "portal", - "version": "v2", - "url": "/", - "protocol": "REST" - "port": "{{ .Values.service.externalPort }}", - "visualRange":"1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{ if or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer") -}} - - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort4 }} - name: {{ .Values.service.portName }}4 - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}2 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName }}3 - {{- end }} - selector: - 
app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml deleted file mode 100644 index 039f56016e..0000000000 --- a/kubernetes/portal/components/portal-app/values.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018,2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - env: - tomcatDir: "/usr/local/tomcat" - nodePortPrefix: 302 - #AAF service - aafEnabled: true - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-cass - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}' - login: '{{ .Values.cassandra.config.cassandraUsername }}' - password: '{{ .Values.cassandra.config.cassandraPassword }}' - passwordPolicy: required - - uid: cipher-enc-key - type: password - externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' - password: '{{ .Values.config.cipherEncKey }}' - passwordPolicy: required - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - -################################################################# -# Application configuration defaults. 
-################################################################# - -# application image -image: onap/portal-app:3.4.2 -pullPolicy: Always - -# application configuration -config: - # cipherEncKeyExternalSecret: some secret - cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==! - -#AAF local config - -aafURL: https://aaf-service:8100/authz/ -certInitializer: - nameOverride: portal-app-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: portal - fqi: portal@portal.onap.org - public_fqdn: portal.onap.org - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - permission_user: 1000 - permission_group: 999 - keystoreFile: "org.onap.portal.p12" - truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: LoadBalancer - name: portal-app - portName: portal-app - externalPort: 8989 - internalPort: 8080 - nodePort: 15 - externalPort2: 8006 - internalPort2: 8005 - nodePort2: 13 - externalPort3: 8010 - internalPort3: 8009 - nodePort3: 14 - externalPort4: 8443 - internalPort4: 8443 - nodePort4: 25 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - # cassandraExternalSecret: some secret - 
cassandraUsername: root - cassandraPassword: Aa123456 -messageRouter: - service: - name: message-router - -ingress: - enabled: false - service: - - baseaddr: portal.api - name: "portal-app" - port: 8443 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2.2 - memory: 800Mi - requests: - cpu: 30m - memory: 460Mi - large: - limits: - cpu: 4 - memory: 15Gi - requests: - cpu: 2 - memory: 8Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -#Pods Service Account -serviceAccount: - nameOverride: portal-app - roles: - - read diff --git a/kubernetes/portal/components/portal-cassandra/.helmignore b/kubernetes/portal/components/portal-cassandra/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-cassandra/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-cassandra/Chart.yaml b/kubernetes/portal/components/portal-cassandra/Chart.yaml deleted file mode 100644 index 6da2158294..0000000000 --- a/kubernetes/portal/components/portal-cassandra/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Portal cassandra -name: portal-cassandra -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql deleted file mode 100644 index 21715a9e2a..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright (c) 2018 Amdocs, Bell Canada, AT&T -// Modifications Copyright (c) 2020 Nokia -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -CREATE KEYSPACE IF NOT EXISTS portal - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portal.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portal.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND 
caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - -CREATE TABLE portal.health_check (primary_id text PRIMARY KEY, creation_time text); -insert into portal.health_check (primary_id,creation_time) values ('ECOMPPortal-25927','2018-05-25T20:14:39.408Z'); diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql deleted file mode 100644 index a9771bfa5d..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql +++ /dev/null 
@@ -1,145 +0,0 @@ -// Copyright © 2018 Amdocs, Bell Canada, AT&T -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - - -CREATE KEYSPACE IF NOT EXISTS admin - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - -CREATE TABLE IF NOT EXISTS admin.keyspace_master ( - uuid uuid, - keyspace_name text, - application_name text, - is_api boolean, - password text, - username text, - is_aaf boolean, - PRIMARY KEY (uuid) -); - - -CREATE KEYSPACE IF NOT EXISTS portal - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portal.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance 
= 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portal.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - - -CREATE KEYSPACE IF NOT EXISTS portalsdk - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portalsdk.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = 
'99PERCENTILE'; - - -CREATE TABLE portalsdk.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; \ No newline at end of file diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql deleted file mode 100644 index 4f6148e3f1..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql +++ /dev/null 
@@ -1,68 +0,0 @@ -// Copyright © 2018 Amdocs, Bell Canada, AT&T -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -CREATE KEYSPACE IF NOT EXISTS portalsdk - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portalsdk.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portalsdk.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 
'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; diff --git a/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt b/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt deleted file mode 100644 index ee7a285cc0..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml b/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml deleted file mode 100644 index 5cd33b43a2..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-docker-entry-initd - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/cassandra/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml deleted file mode 100644 index 9becdaa707..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -{{/* -# Copyright (c) 2017 Amdocs, Bell Canada -# Modifications Copyright (c) 2018 AT&T -# Modifications Copyright (c) 2020 Nokia, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/bash - - -c - - | - /opt/bitnami/scripts/cassandra/entrypoint.sh /opt/bitnami/scripts/cassandra/run.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - - containerPort: {{ .Values.service.internalPort4 }} - - containerPort: {{ .Values.service.internalPort5 }} - {{ if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - /bin/bash - - -ec - - | - nodetool status - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - readinessProbe: - exec: - command: - - /bin/bash - - -ec - - | - nodetool status | grep -E "^UN\\s+${POD_IP}" - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - successThreshold: {{ .Values.readiness.successThreshold }} - failureThreshold: {{ .Values.readiness.failureThreshold }} - lifecycle: - preStop: - exec: - command: - - bash - - -ec - - nodetool decommission - env: - - name: CASSANDRA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12}} - - name: CASSANDRA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-creds" "key" "password") | indent 12}} - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CASSANDRA_PASSWORD_SEEDER - value: "yes" - - name: BITNAMI_DEBUG - value: "true" - - name: CASSANDRA_CLUSTER_NAME - value: cassandra - - name: CASSANDRA_NUM_TOKENS - value: "256" - - name: CASSANDRA_DATACENTER - value: dc1 - - name: CASSANDRA_ENDPOINT_SNITCH - value: SimpleSnitch - - name: CASSANDRA_RACK - value: rack1 - - name: CASSANDRA_ENABLE_RPC - value: "true" - {{- $flavor := include "common.flavor" . }} - {{- $heap := pluck $flavor .Values.heap | first }} - {{- if (hasKey $heap "max") }} - - name: MAX_HEAP_SIZE - value: {{ $heap.max }} - {{- end }} - {{- if (hasKey $heap "new") }} - - name: HEAP_NEWSIZE - value: {{ $heap.new }} - {{- end }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: cassandra-docker-entrypoint-initdb - mountPath: /docker-entrypoint-initdb.d/aaa_portal.cql - subPath: portal.cql - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/cassandra/data - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: cassandra-docker-entrypoint-initdb - configMap: - name: {{ include "common.fullname" . }}-docker-entry-initd - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/portal/components/portal-cassandra/templates/pv.yaml b/kubernetes/portal/components/portal-cassandra/templates/pv.yaml deleted file mode 100644 index e10b003570..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/pv.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} 
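Review bot: upgrade documentation is missing for the data this PersistentVolume leaves behind. The `hostPath` at the end of the hunk resolves to `{{ mountPath }}/{{ release }}/{{ mountSubPath }}`, and `persistentVolumeReclaimPolicy` comes from `.Values.persistence.volumeReclaimPolicy`, which the portal-cassandra values.yaml deleted in this same patch sets to `Retain` (with `mountPath: /dockerdata-nfs` and `mountSubPath: portal/cassandra/data`). Removing the template does not remove that directory from the node. Add a sentence to the commit message or release notes telling operators to clean up the `portal/cassandra/data` directory under the mount path after upgrading.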
diff --git a/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml b/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml deleted file mode 100644 index 1cadcc51d5..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml b/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-cassandra/templates/service.yaml b/kubernetes/portal/components/portal-cassandra/templates/service.yaml deleted file mode 100644 index 8f486c2175..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/service.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName }}2 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName }}3 - - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefix | default 
.Values.nodePortPrefix }}{{ .Values.service.nodePort4 }} - name: {{ .Values.service.portName }}4 - - port: {{ .Values.service.externalPort5 }} - targetPort: {{ .Values.service.internalPort5 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort5 }} - name: {{ .Values.service.portName }}5 - - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}2 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName }}3 - - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - name: {{ .Values.service.portName }}4 - - port: {{ .Values.service.externalPort5 }} - targetPort: {{ .Values.service.internalPort5 }} - name: {{ .Values.service.portName }}5 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-cassandra/values.yaml b/kubernetes/portal/components/portal-cassandra/values.yaml deleted file mode 100644 index c3ffb4ffec..0000000000 --- a/kubernetes/portal/components/portal-cassandra/values.yaml +++ /dev/null 
@@ -1,148 +0,0 @@ -# Copyright (c) 2017 Amdocs, Bell Canada -# Modifications Copyright (c) 2018 AT&T -# Modifications Copyright (c) 2020 Nokia, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: # global defaults - nodePortPrefix: 302 - persistence: {} - - -# application image -image: bitnami/cassandra:3.11.9-debian-10-r30 -pullPolicy: Always - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: 'db-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.cassandraExternalSecret) . 
}}' - login: '{{ .Values.config.cassandraUsername }}' - password: '{{ .Values.config.cassandraPassword }}' - -# application configuration -config: - cassandraUsername: root - cassandraPassword: Aa123456 -# cassandraCredsExternalSecret: some secret - cassandraJvmOpts: -Xmx2536m -Xms2536m - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: portal/cassandra/data - -service: - type: ClusterIP - name: portal-cassandra - portName: portal-cassandra - externalPort: 9160 - internalPort: 9160 - externalPort2: 7000 - internalPort2: 7000 - externalPort3: 7001 - internalPort3: 7001 - externalPort4: 7199 - internalPort4: 7199 - externalPort5: 9042 - internalPort5: 9042 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 500m - memory: 3.75Gi - requests: - cpu: 160m - memory: 3.1Gi - large: - limits: - cpu: 4 - memory: 10Gi - requests: - cpu: 2 - memory: 6Gi - unlimited: {} - -heap: - # Heap size is tightly correlated to RAM limits. - # If limit > 8G, Cassandra should define itself the best value. - # If not, you must set up it in a coherent way with limits set - # Refer to https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/operations/opsTuneJVM.html#Determiningtheheapsize - # for more informations. - small: - max: 3G - new: 100M - large: {} - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-cassandra - roles: - - read diff --git a/kubernetes/portal/components/portal-mariadb/.helmignore b/kubernetes/portal/components/portal-mariadb/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-mariadb/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
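Review bot: the portal-cassandra values.yaml hunk above removes `cassandraUsername: root` and `cassandraPassword: Aa123456` as chart defaults, and the commit says nothing about them. Deleting the file leaves that password in the repository history and in any release that was installed with the defaults, so the commit message should state that the credential is to be treated as public. The same hunk shows why overriding it was easy to get wrong: the `db-creds` secret reads `.Values.config.cassandraExternalSecret`, while the commented example key is `cassandraCredsExternalSecret`.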
diff --git a/kubernetes/portal/components/portal-mariadb/Chart.yaml b/kubernetes/portal/components/portal-mariadb/Chart.yaml deleted file mode 100644 index ca58d58f18..0000000000 --- a/kubernetes/portal/components/portal-mariadb/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: MariaDB Service -name: portal-mariadb -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh deleted file mode 100644 index 63d266b75c..0000000000 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ /dev/null 
@@ -1,384 +0,0 @@ -#!/bin/bash - -set -eo pipefail - -# logging functions -mysql_log() { - local type - type="$1"; shift - printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" -} -mysql_note() { - mysql_log Note "$@" -} -mysql_warn() { - mysql_log Warn "$@" >&2 -} -mysql_error() { - mysql_log ERROR "$@" >&2 - exit 1 -} - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var - var="$1" - local fileVar - fileVar="${var}_FILE" - local def - def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - mysql_error "Both $var and $fileVar are set (but are exclusive)" - fi - local val - val="$def" - # val="${!var}" - # val="$(< "${!fileVar}")" - # eval replacement of the bashism equivalents above presents no security issue here - # since var and fileVar variables contents are derived from the file_env() function arguments. - # This method is only called inside this script with a limited number of possible values. - if [ "${!var:-}" ]; then - eval val=\$$var - elif [ "${!fileVar:-}" ]; then - val="$(< "$(eval echo "\$$fileVar")")" - fi - export "$var"="$val" - unset "$fileVar" -} - - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions -docker_process_init_files() { - # mysql here for backwards compatibility "${mysql[@]}" - mysql=( docker_process_sql ) - - echo - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - mysql_note "$0: running $f" - "$f" - else - mysql_note "$0: sourcing $f" - . 
"$f" - fi - ;; - *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; - *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; - *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; - *) mysql_warn "$0: ignoring $f" ;; - esac - echo - done -} - -mysql_check_config() { - local toRun - local errors - toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) - if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then - mysql_error "$(printf 'mysqld failed while attempting to check config\n\tcommand was: ')${toRun[*]}$(printf'\n\t')$errors" - fi -} - -# Fetch value from server config -# We use mysqld --verbose --help instead of my_print_defaults because the -# latter only show values present in config files, and not server defaults -mysql_get_config() { - local conf - conf="$1"; shift - "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \ - | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' - # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" -} - -# Do a temporary startup of the MySQL server, for init purposes -docker_temp_server_start() { - "$@" --skip-networking --socket="${SOCKET}" & - mysql_note "Waiting for server startup" - local i - for i in $(seq 30 -1 0); do - # only use the root password if the database has already been initializaed - # so that it won't try to fill in a password file when it hasn't been set yet - extraArgs="" - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - extraArgs=${extraArgs}" --dont-use-mysql-root-password" - fi - if echo 'SELECT 1' |docker_process_sql ${extraArgs} --database=mysql >/dev/null 2>&1; then - break - fi - sleep 1 - done - if [ "$i" = 0 ]; then - mysql_error "Unable to start server." - fi -} - -# Stop the server. When using a local socket file mysqladmin will block until -# the shutdown is complete. -docker_temp_server_stop() { - if ! 
mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then - mysql_error "Unable to shut down server." - fi -} - -# Verify that the minimally required password settings are set for new databases. -docker_verify_minimum_env() { - if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - mysql_error "$(printf'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD')" - fi -} - -# creates folders for the database -# also ensures permission for user mysql of run as root -docker_create_db_directories() { - local user - user="$(id -u)" - - # TODO other directories that are used by default? like /var/lib/mysql-files - # see https://github.com/docker-library/mysql/issues/562 - mkdir -p "$DATADIR" - - if [ "$user" = "0" ]; then - # this will cause less disk access than `chown -R` - find "$DATADIR" \! -user mysql -exec chown mysql '{}' + - fi -} - -# initializes the database directory -docker_init_database_dir() { - mysql_note "Initializing database files" - installArgs=" --datadir=$DATADIR --rpm " - if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then - # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password - # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 - # (this flag doesn't exist in 10.0 and below) - installArgs=${installArgs}" --auth-root-authentication-method=normal" - fi - # "Other options are passed to mysqld." 
(so we pass all "mysqld" arguments directly here) - mysql_install_db ${installArgs} "$(echo ${@} | sed 's/^ *[^ ]* *//')" - mysql_note "Database files initialized" -} - -if [ -z "$DATADIR" ]; then - DATADIR='unknown' -fi -if [ -z "$SOCKET" ]; then - SOCKET='unknown' -fi -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - DATABASE_ALREADY_EXISTS='false' -fi - -# Loads various settings that are used elsewhere in the script -# This should be called after mysql_check_config, but before any other functions -docker_setup_env() { - # Get config - DATADIR="$(mysql_get_config 'datadir' "$@")" - SOCKET="$(mysql_get_config 'socket' "$@")" - - # Initialize values that might be stored in a file - file_env 'MYSQL_ROOT_HOST' '%' - file_env 'MYSQL_DATABASE' - file_env 'MYSQL_USER' - file_env 'MYSQL_PASSWORD' - file_env 'MYSQL_ROOT_PASSWORD' - file_env 'PORTAL_DB_TABLES' - - if [ -d "$DATADIR/mysql" ]; then - DATABASE_ALREADY_EXISTS='true' - fi -} - -# Execute sql script, passed via stdin -# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args] -# ie: docker_process_sql --database=mydb <<<'INSERT ...' -# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb /dev/null; then - set -- mysqld "$@" - fi - - # skip setup if they aren't running mysqld or want an option that stops mysqld - if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then - mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started." 
- - mysql_check_config "$@" - # Load various environment variables - docker_setup_env "$@" - docker_create_db_directories - - # If container is started as root user, restart as dedicated mysql user - if [ "$(id -u)" = "0" ]; then - mysql_note "Switching to dedicated user 'mysql'" - exec gosu mysql "$0" "$@" - fi - - # there's no database, so it needs to be initialized - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir "$@" - - mysql_note "Starting temporary server" - docker_temp_server_start "$@" - mysql_note "Temporary server started." - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g") - do - echo "Granting portal user ALL PRIVILEGES for table $i" - echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" - done - - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" - - echo - mysql_note "MySQL init process done. Ready for start up." - echo - fi - fi - exec "$@" -} - -# If we are sourced from elsewhere, don't perform any further actions -# https://stackoverflow.com/questions/2683279/how-to-detect-if-a-script-is-being-sourced/2942183#2942183 -if [ "$(basename $0)" = "docker-entrypoint.sh" ]; then - _main "$@" -fi diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql deleted file mode 100644 index f9db78ba4d..0000000000 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql +++ /dev/null 
@@ -1,95 +0,0 @@ -/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*/ - -USE portal; -/* -Any updates required by OOM to the portaldb are made here. -1. split up SDC-FE and SDC-BE. Originally both FE and BE point to the same IP -while the OOM K8s version has these service split up. -*/ --- app_url is the FE, app_rest_endpoint is the BE ---portal-sdk => TODO: doesn't open a node port yet -update fn_app set app_url = 'https://{{.Values.config.portalSdkHostName}}:{{.Values.config.portalSdkPort}}/ONAPPORTALSDK/welcome.htm', app_rest_endpoint = 'https://portal-sdk:8443/ONAPPORTALSDK/api/v3' where app_name = 'xDemo App'; ---dmaap-bc => the dmaap-bc doesn't open a node port.. 
-update fn_app set app_url = 'http://{{.Values.config.dmaapBcHostName}}:{{.Values.config.dmaapBcPort}}/ECOMPDBCAPP/dbc#/dmaap', app_rest_endpoint = 'http://dmaap-bc:8989/ECOMPDBCAPP/api/v2' where app_name = 'DMaaP Bus Ctrl'; ---sdc-be => 8443:30204 ---sdc-fe => 8181:30206, 9443:30207 -update fn_app set app_url = 'https://{{.Values.config.sdcFeHostName}}:{{.Values.config.sdcFePort}}/sdc1/portal', app_rest_endpoint = 'https://sdc-be:8443/api/v3' where app_name = 'SDC'; ---pap => 8443:30219 -update fn_app set app_url = 'https://{{.Values.config.papHostName}}:{{.Values.config.papPort}}/onap/policy', app_rest_endpoint = 'https://pap:8443/onap/api/v3' where app_name = 'Policy'; ---vid => 8080:30200 -update fn_app set app_url = 'https://{{.Values.config.vidHostName}}:{{.Values.config.vidPort}}/vid/welcome.htm', app_rest_endpoint = 'https://vid:8443/vid/api/v3' where app_name = 'Virtual Infrastructure Deployment'; ---sparky => TODO: sparky doesn't open a node port yet -update fn_app set app_url = 'https://{{.Values.config.aaiSparkyHostName}}:{{.Values.config.aaiSparkyPort}}/services/aai/webapp/index.html#/viewInspect', app_rest_endpoint = 'https://aai-sparky-be.{{.Release.Namespace}}:8000/api/v2' where app_name = 'A&AI UI'; ---cli => 8080:30260 -update fn_app set app_url = 'https://{{.Values.config.cliHostName}}:{{.Values.config.cliPort}}/', app_type = 1 where app_name = 'CLI'; ---msb-iag => 80:30280 -update fn_app set app_url = 'https://{{.Values.config.msbHostName}}:{{.Values.config.msbPort}}/iui/microservices/default.html' where app_name = 'MSB'; - - -/* -Create SO-Monitoring App -*/ -INSERT IGNORE INTO `fn_app` (`app_id`, `app_name`, `app_image_url`, `app_description`, `app_notes`, `app_url`, `app_alternate_url`, `app_rest_endpoint`, `ml_app_name`, `ml_app_admin_id`, `mots_id`, `app_password`, `open`, `enabled`, `thumbnail`, `app_username`, `ueb_key`, `ueb_secret`, `ueb_topic_name`, `app_type`,`auth_central`,`auth_namespace`) VALUES -(10, 'SO-Monitoring', 
'images/cache/portal-345993588_92550.png', NULL, NULL, 'http://{{.Values.config.soMonitoringHostName}}:{{.Values.config.soMonitoringPort}}', NULL, 'http://so-monitoring:30224', '', '', NULL, 'password', 'Y', 'Y', NULL, 'user', '', '', '', 1,'N','SO-Monitoring'); - -/* -Add SO Monitoring to Default apps -*/ -INSERT IGNORE INTO `fn_pers_user_app_sel` VALUES (10,1,10,'S'); - -/* -Add Contact information for SO Monitoring -*/ -INSERT IGNORE INTO `fn_app_contact_us` (app_id, contact_name, contact_email, url, active_yn, description) VALUES ( 10,"SO Team","so@lists.onap.org","https://wiki.onap.org/display/DW/Approved+Projects",NULL, "Service Orchestration (SO)."); - -/* -Additionally, some more update statments; these should be refactored to another SQL file in future releases -*/ - --- portal -update fn_app set auth_central = 'Y' , auth_namespace = 'org.onap.portal' where app_id = 1; --- portal-sdk -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='ueb_key' where app_id = 2; --- SDC -update fn_app set app_username='sdc', app_password='j85yNhyIs7zKYbR1VlwEfNhS6b7Om4l0Gx5O8931sCI=', ueb_key='ueb_key' where app_id = 4; --- policy -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='ueb_key_5', auth_central = 'Y' , auth_namespace = 'org.onap.policy' where app_id = 5; --- vid -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='2Re7Pvdkgw5aeAUD', auth_central = 'Y' , auth_namespace = 'org.onap.vid' where app_id = 6; --- aai sparky -update fn_app set app_username='aaiui', app_password='4LK69amiIFtuzcl6Gsv97Tt7MLhzo03aoOx7dTvdjKQ=', ueb_key='ueb_key_7' where app_id = 7; - --- Disabled Policy APP -UPDATE fn_app fa SET fa.enabled = 'N' WHERE app_name = 'Policy'; --- Disabled AAIUI APP -UPDATE fn_app fa SET fa.enabled = 'N' WHERE app_name = 'A&AI UI'; -/* -Replace spaces with underscores for role names 
to match AAF role names -*/ -UPDATE fn_role SET role_name= REPLACE(role_name, ' ', '_') WHERE active_yn= 'Y' AND role_id NOT IN (999); - - -/* -Onboard LF Acumos App -*/ -INSERT IGNORE INTO `fn_app` (`app_id`, `app_name`, `app_image_url`, `app_description`, `app_notes`, `app_url`, `app_alternate_url`, `app_rest_endpoint`, `ml_app_name`, `ml_app_admin_id`, `mots_id`, `app_password`, `open`, `enabled`, `thumbnail`, `app_username`, `ueb_key`, `ueb_secret`, `ueb_topic_name`, `app_type`,`auth_central`,`auth_namespace`) VALUES -(11, 'LF Acumos Marketplace', 'images/cache/portal_907838932_26954.png', NULL, NULL, 'https://marketplace.acumos.org/#/home', NULL, NULL, '', '', NULL, '', 'Y', 'Y', NULL, '', '', '', '', 2,'N',NULL); - - --- add Acumos thumbnail -UPDATE`fn_app`SET`thumbnail`=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`app_id`='11' and `app_name` = 'LF Acumos Marketplace'; diff --git a/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt b/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt deleted file mode 100644 index ee7a285cc0..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml b/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml deleted file mode 100644 index eaa0cfb259..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-mariadb - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/mariadb/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml deleted file mode 100644 index 1d0d5bc5e5..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ['sh', '-c', 'chmod -R 777 /var/lib/mysql'] - volumeMounts: - - mountPath: /var/lib/mysql - name: mariadb-data - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MYSQL_HOST - value: "{{ include "common.servicename" . }}" - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-root-password - - name: MYSQL_USER - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: backend-db-user - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: backend-db-password - - name: PORTAL_DB_TABLES - value: {{ .Values.config.backend_portal_tables }} - volumeMounts: - - mountPath: /var/lib/mysql - name: mariadb-data - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/bin/docker-entrypoint.sh - subPath: docker-entrypoint.sh - name: docker-entry - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - {{- if .Values.persistence.enabled }} - - name: mariadb-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . 
}} - {{- else }} - emptyDir: {} - {{- end }} - - name: localtime - hostPath: - path: /etc/localtime - - name: docker-entry - configMap: - name: {{ include "common.fullname" . }}-mariadb - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-mariadb/templates/job.yaml b/kubernetes/portal/components/portal-mariadb/templates/job.yaml deleted file mode 100644 index 5a66bb96bd..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/job.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.name" . }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-job - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbInitImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DB_HOST - value: "{{ include "common.servicename" . 
}}" - - name: DB_USER - value: {{ .Values.config.mariadbUser }} - - name: DB_PASS - valueFrom: - secretKeyRef: {name: {{ include "common.fullname" . }}, key: db-root-password} - - name: SQL_SRC_DIR - value: {{ .Values.config.sqlSourceDirectory }} - - name: {{ include "common.name" . }}-oom-update-job - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbInitImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DB_HOST - value: "{{ include "common.servicename" . }}" - - name: DB_USER - value: {{ .Values.config.mariadbUser }} - - name: DB_PORT - value: "{{ .Values.service.internalPort }}" - - name: DB_PASS - valueFrom: - secretKeyRef: - name: {{ include "common.fullname" . }} - key: db-root-password - command: - - /bin/sh - - -x - - -c - - "mysql -vv --user=$DB_USER --password=$DB_PASS --host=$DB_HOST --port=$DB_PORT < /tmp/oom_updates.sql" - volumeMounts: - - name: portal-mariadb-sql - mountPath: /tmp/oom_updates.sql - subPath: oom_updates.sql - volumes: - - name: portal-mariadb-sql - configMap: - name: {{ include "common.fullname" . }}-mariadb - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never diff --git a/kubernetes/portal/components/portal-mariadb/templates/pv.yaml b/kubernetes/portal/components/portal-mariadb/templates/pv.yaml deleted file mode 100644 index e10b003570..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/pv.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml b/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml deleted file mode 100644 index 1cadcc51d5..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml deleted file mode 100644 index c0800e0275..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }} -stringData: - backend-db-user: {{ .Values.config.backendDbUser }} - backend-db-password: {{ .Values.config.backendDbPassword }} diff --git a/kubernetes/portal/components/portal-mariadb/templates/service.yaml b/kubernetes/portal/components/portal-mariadb/templates/service.yaml deleted file mode 100644 index 7b9ef91900..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/service.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.externalPort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-mariadb/values.yaml b/kubernetes/portal/components/portal-mariadb/values.yaml deleted file mode 100644 index a7fdb54d78..0000000000 --- a/kubernetes/portal/components/portal-mariadb/values.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: # global defaults - nodePortPrefix: 302 - persistence: {} - -# application image -image: onap/portal-db:3.4.1 -pullPolicy: Always -mariadbInitImage: oomk8s/mariadb-client-init:3.0.0 - -# application configuration -config: - mariadbUser: root - mariadbRootPassword: Aa123456 - backendDbUser: portal - backendDbPassword: portal - #backend_portal_tables is a comma delimited string listing back-end tables - #that backendDbUser needs access to, such as to portal and ecomp_sdk tables - backend_portal_tables: portal,ecomp_sdk - #The directory where sql files are found in the projects gerrit repo. - sqlSourceDirectory: portal/deliveries - # sdc frontend assignment for port 9443 - sdcFePort: "30207" - # application's front end hostname. Must be resolvable on the client side environment - sdcFeHostName: "sdc.api.fe.simpledemo.onap.org" - # policy pap ui assignment for port 8443 - papPort: "30219" - # application's front end hostname. Must be resolvable on the client side environment - papHostName: "policy.api.simpledemo.onap.org" - # vid ui assignment for port 8443 - vidPort: "30200" - # application's front end hostname. 
Must be resolvable on the client side environment - vidHostName: "vid.api.simpledemo.onap.org" - # aai sparky ui assignment for port 8080 - aaiSparkyPort: "30220" - # application's front end hostname. Must be resolvable on the client side environment - aaiSparkyHostName: "aai.ui.simpledemo.onap.org" - # cli ui assignment for port 8080 - cliPort: "30260" - # application's front end hostname. Must be resolvable on the client side environment - cliHostName: "cli.api.simpledemo.onap.org" - # portal sdk (demo app) ui assignment for port 8990 - portalSdkPort: "30212" - # application's front end hostname. Must be resolvable on the client side environment - portalSdkHostName: "portal-sdk.simpledemo.onap.org" - # dmaap bus controller ui assignment for port ? - dmaapBcPort: "" # TODO: populate with - # application's front end hostname. Must be resolvable on the client side environment - dmaapBcHostName: "dmaap-bc.simpledemo.onap.org" - # msb IAG ui assignment for port 80 - msbPort: "30283" - # application's front end hostname. Must be resolvable on the client side environment - msbHostName: "msb.api.simpledemo.onap.org" - # SO Monitoring assignment for port 30224 - soMonitoringPort: "30224" - # application's front end hostname. 
Must be resolvable on the client side environment - soMonitoringHostName: "so-monitoring" - - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 450 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 450 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: portal/mariadb/data - -service: - type: ClusterIP - name: portal-db - portName: portal-db - externalPort: 3306 - internalPort: 3306 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 460m - memory: 175Mi - requests: - cpu: 10m - memory: 100Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 800m - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-db - roles: - - read diff --git a/kubernetes/portal/components/portal-sdk/.helmignore b/kubernetes/portal/components/portal-sdk/.helmignore deleted file mode 100644 index daebc7da77..0000000000 
--- a/kubernetes/portal/components/portal-sdk/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-sdk/Chart.yaml b/kubernetes/portal/components/portal-sdk/Chart.yaml deleted file mode 100644 index bfc41f0b73..0000000000 --- a/kubernetes/portal/components/portal-sdk/Chart.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Portal software development kit -name: portal-sdk -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' 
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties deleted file mode 100644 index 895de10a4f..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# login settings -login_method_backdoor = backdoor -login_method_attribute_name = login_method - -# These properties will be removed after SingleSignOnController is cleaned -authentication_mechanism = BOTH -login_method_csp = csp -login_method_web_junction = web_junction - -#login message -login.error.hrid.empty = Login failed, please contact system administrator. -login.error.hrid.not-found = User not found, please contact system administrator. -login.error.user.inactive = Account is disabled, please contact system administrator. - -# User Session settings -user_attribute_name = user -roles_attribute_name = roles -role_function_list = role_function_list -role_functions_attribute_name = role_functions - -# Import-user LDAP settings -post_initial_context_factory = com.sun.jndi.ldap.LdapCtxFactory -post_provider_url = ldap://ldap.mycompany.com:389 -post_security_principal = ou=people,o=mycompany,c=us -post_max_result_size = 499 - -# menu settings -menu_query_name = menuData -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -business_direct_menu_set_name = BD -business_direct_menu_attribute_name = businessDirectMenuData - -# Role settings -sys_admin_role_id = 1 
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties deleted file mode 100644 index a5160457ec..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -### -# ============LICENSE_START========================================== -# ONAP Portal SDK -# =================================================================== -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# =================================================================== -# -# Unless otherwise specified, all software contained herein is licensed -# under the Apache License, Version 2.0 (the “License”); -# you may not use this software except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Unless otherwise specified, all documentation contained herein is licensed -# under the Creative Commons License, Attribution 4.0 Intl. (the “License”); -# you may not use this documentation except in compliance with the License. -# You may obtain a copy of the License at -# -# https://creativecommons.org/licenses/by/4.0/ -# -# Unless required by applicable law or agreed to in writing, documentation -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# ============LICENSE_END============================================ -# -# -### -*/}} - -# Properties read by the ECOMP Framework library (epsdk-fw) -cipher.enc.key = ${CIPHER_ENC_KEY} 
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml deleted file mode 100644 index 2c2cd00f1c..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml +++ /dev/null @@ -1,225 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${defaultLoggerPattern} - - - - - - - - ${logDirectory}/${generalLogName}.log - - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${applicationLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${auditLoggerPattern} - - - - 256 - - - - ${logDirectory}/${metricsLogName}.log - - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${metricsLoggerPattern} - - - - 256 - - - - ${logDirectory}/${errorLogName}.log - - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${errorLoggerPattern} - - - - 256 - - - - ${debugLogDirectory}/${debugLogName}.log - - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${defaultLoggerPattern} - - - - 256 - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties deleted file mode 100644 index 3e215647e5..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -music.version = v2 -music.keyspace = keyspaces -music.session.keyspace = portalsdk -music.tables = tables -music.session.attr.tables = spring_session_attributes -music.session.meta.tables = spring_session -music.consistency.info = type -music.consistency.info.value = eventual -music.cache = false -music.session.max.inactive.interval.seconds = 1800 -music.serialize.compress = true - -#By default it's eventual -music.atomic.get = false -music.atomic.put = false - -cassandra.host={{.Values.cassandra.service.name}} -cassandra.user=${CASSA_USER} -cassandra.password=${CASSA_PASSWORD} diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties deleted file mode 100755 index 4d26240be4..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -# Properties read by ECOMP Framework library, ecompFW.jar - -########################################################################## -# The following properties should NOT be changed by partner applications. -########################################################################## - -portal.api.prefix = /api -max.idle.time = 5 -user.attribute.name = user_attribute - -#Use REST API instead of UEB to fetch the functional menu data -use_rest_for_functional_menu=true - -########################################################################## -# The following properties MUST be changed by partner applications. -########################################################################## - -# Name of java class that implements the OnBoardingApiService interface. -# epsdk 1.3 uses org.onap prefix -portal.api.impl.class = org.onap.portalapp.service.OnBoardingApiServiceImpl - -# CSP Global Log On for single sign on -ecomp_redirect_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -# URL of the ECOMP Portal REST API - -ecomp_rest_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/auxapi - -# Applications do not need to run a UEB listener in 1610. 
-ueb_listeners_enable = false - -# UEB Configuration -ueb_url_list = message-router -# ECOMP Portal listens on this UEB topic -ecomp_portal_inbox_name = ECOMP-PORTAL-INBOX -# Replace these 3 default values with the ones for your specific App, -# as shown on the on-boarding page on the ECOMP Portal web application. -ueb_app_key = jQd4a9zVNi4ePyBp -ueb_app_secret = P0HpqEBhKJvxjRYdw2sCTUll -ueb_app_mailbox_name = ECOMP-PORTAL-OUTBOX-APP1 -# Consumer group name for UEB topic. -# Use the special tag '{UUID}' to generate a unique one for each sdk-app server. -ueb_app_consumer_group_name = {UUID} - -decryption_key = AGLDdG4D04BKm2IxIWEr8o== diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties deleted file mode 100755 index 3873da13a9..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -# Properties read by ECOMP Core library, ecompSDK-core.jar - -########################################################################## -# The following properties should NOT be changed by partner applications. -########################################################################## - -application_user_id = 30000 -post_default_role_id = 16 -clustered = true - -#Enable Fusion Mobile capabilities for the application -mobile_enable = false - -# Cache config file is needed on the classpath -cache_config_file_path = /WEB-INF/classes/cache.ccf -cache_switch = 199 -cache_load_on_startup = false - -user_name = fullName -decryption_key = AGLDdG4D04BKm2IxIWEr8o== - -########################################################################## -# The following properties MAY require changes by partner applications. 
-########################################################################## - -db.driver = org.mariadb.jdbc.Driver -db.connectionURL = jdbc:mariadb://portal-db:3306/ecomp_sdk -db.userName =${PORTAL_DB_USER} -db.password =${PORTAL_DB_PASSWORD} -db.min_pool_size = 5 -db.max_pool_size = 10 -hb.dialect = org.hibernate.dialect.MySQLDialect -# SQL statements are logged to stdout -hb.show_sql = true -hb.idle_connection_test_period = 3600 - -app_display_name = Demo App -files_path = /tmp - -#element map files -element_map_file_path = /tmp -element_map_icon_path = app/fusionapp/icons/ - -#Cron Schedules -log_cron = 0 0/1 * * * ?; -mylogins_feed_cron = 0 0/60 * * * ?; -#sessiontimeout_feed_cron = 0 * * * * ? * -my_login_feed_output_dir = /tmp/MyLogins - -# Link shown in Help menu -contact_us_link = https://todo_contact_us_link.com - -# An Unique 128-bit value defined to identify a specific version -# of an application deployed on a specific virtual machine. -# This value must be generated and updated by the application -# which is using the ECOMP SDK at the time of its deployment. -# Online Unique UUID generator - https://www.uuidgenerator.net/ -instance_uuid=8da691c9-987d-43ed-a358-00ac2f35685d - -# R Cloud feature - configure this property to enable notebook feature - for more details on RCloud please visit https://rcloud.social/index.html -guard_notebook_url= - -#authenticate user server -#TODO: what is this URL supposed to be pointing to? Nothing in portal opens 8383 -authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/allUsers - -#cookie domain -cookie_domain = onap.org - -# External Central Auth system access -remote_centralized_system_access = {{.Values.global.aafEnabled}} - -# External Access System Basic Auth Credentials & Rest endpoint -# External Access System Basic Auth Credentials & Rest endpoint -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = demo123456! 
-ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-sdk/resources/server/server.xml b/kubernetes/portal/components/portal-sdk/resources/server/server.xml deleted file mode 100644 index 1cea5ab8f8..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/server/server.xml +++ /dev/null @@ -1,155 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {{ if .Values.global.aafEnabled }} - - {{ end }} - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-sdk/templates/NOTES.txt b/kubernetes/portal/components/portal-sdk/templates/NOTES.txt deleted file mode 100644 index 496dd8d1a5..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-sdk/templates/configmap.yaml b/kubernetes/portal/components/portal-sdk/templates/configmap.yaml deleted file mode 100644 index 30d2009c3e..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapportalsdk - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTALSDK/*").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml deleted file mode 100644 index 66e80651c3..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018,2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "portal-db" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portalsdk-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.xml` - do - cp ${PFILE} /config - chmod 0755 /config/${PFILE} - done - cd /config-input && \ - for PFILE in `ls -1 *.properties` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - - name: CIPHER_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapportalsdk-scrubbed - - mountPath: /config - name: properties-onapportalsdk -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c"] - {{- if .Values.global.aafEnabled }} - args: ["export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0);\ - export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ - /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] - env: - - name: CATALINA_OPTS - value: > - -Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}" - -Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}" - {{- else }} - args: ["/start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . 
| indent 8 }} - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml" - subPath: server.xml - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/fusion/conf/fusion.properties" - subPath: fusion.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/conf/system.properties" - subPath: system.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/portal.properties" - subPath: portal.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties" - subPath: key.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/music.properties" - subPath: music.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/logback.xml" - subPath: logback.xml - - name: portal-tomcat-logs - mountPath: "{{ .Values.global.env.tomcatDir }}/logs" - - name: var-log-onap - mountPath: "{{ .Values.log.path }}" - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.log.sidecar" . | nindent 6 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapportalsdk - emptyDir: - medium: Memory - - name: properties-onapportalsdk-scrubbed - configMap: - name: {{ include "common.fullname" . 
}}-onapportalsdk - defaultMode: 0755 - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - - name: var-log-onap - emptyDir: {} - - name: portal-tomcat-logs - emptyDir: {} -{{ include "common.certInitializer.volumes" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-sdk/templates/ingress.yaml b/kubernetes/portal/components/portal-sdk/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/portal/components/portal-sdk/templates/secrets.yaml b/kubernetes/portal/components/portal-sdk/templates/secrets.yaml deleted file mode 100644 index 06a17b4009..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-sdk/templates/service.yaml b/kubernetes/portal/components/portal-sdk/templates/service.yaml deleted file mode 100644 index f3007a4c46..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml deleted file mode 100644 index 617ed100ef..0000000000 --- a/kubernetes/portal/components/portal-sdk/values.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - env: - tomcatDir: "/usr/local/tomcat" - nodePortPrefix: 302 - persistence: {} - #AAF service - aafEnabled: true - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-cass - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}' - login: '{{ .Values.cassandra.config.cassandraUsername }}' - password: '{{ .Values.cassandra.config.cassandraPassword }}' - passwordPolicy: required - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - - uid: cipher-enc-key - type: password - externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' - password: '{{ .Values.config.cipherEncKey }}' - passwordPolicy: required - -################################################################# -# Application configuration defaults. 
-################################################################# - -# application image -image: onap/portal-sdk:3.4.2 -pullPolicy: Always - -# application configuration -config: - # cipherEncKeyExternalSecret: some secret - cipherEncKey: AGLDdG4D04BKm2IxIWEr8o== - - -#AAF local config -aafURL: https://aaf-service:8100/authz/ -certInitializer: - nameOverride: portal-sdk-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: portal - fqi: portal@portal.onap.org - public_fqdn: portal.onap.org - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - permission_user: 1000 - permission_group: 999 - keystoreFile: "org.onap.portal.p12" - truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: portal-sdk - portName: portal-sdk - internalPort: 8443 - externalPort: 8443 - nodePort: 12 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - # cassandraExternalSecret: some secret - cassandraUsername: root - cassandraPassword: Aa123456 -messageRouter: - service: - name: message-router - -ingress: - 
enabled: false - service: - - baseaddr: portal-sdk - name: "portal-sdk" - port: 8443 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 600m - memory: 1.6Gi - requests: - cpu: 10m - memory: 1.3Gi - large: - limits: - cpu: 8 - memory: 20Gi - requests: - cpu: 4 - memory: 10Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -#Pods Service Account -serviceAccount: - nameOverride: portal-sdk - roles: - - read diff --git a/kubernetes/portal/components/portal-widget/.helmignore b/kubernetes/portal/components/portal-widget/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-widget/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-widget/Chart.yaml b/kubernetes/portal/components/portal-widget/Chart.yaml deleted file mode 100644 index 205922616d..0000000000 --- a/kubernetes/portal/components/portal-widget/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Portal widgets micro service application -name: portal-widget -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties deleted file mode 100644 index f5a900e8ce..0000000000 --- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties +++ /dev/null 
@@ -1,32 +0,0 @@ -## General App Properties -server.contextPath=/widget -server.port=8082 -spring.http.multipart.max-file-size=128MB -spring.http.multipart.max-request-size=128MB -microservice.widget.location=/tmp - -## App DB Properties -spring.datasource.url=jdbc:mysql://portal-db:3306/portal -spring.datasource.username=${PORTAL_DB_USER} -spring.datasource.password=${PORTAL_DB_PASSWORD} -spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQLDialect -spring.database.driver.classname=org.mariadb.jdbc.Driver -spring.jpa.show-sql=false -spring.jpa.properties.hibernate.format_sql=false - -## Basic Authentication Properties -security.user.name=${WIDGET_USER} -security.user.password=${WIDGET_PASSWORD} - -initialization.default.widgets=true -initialization.widgetData.url=http://portal-app:{{.Values.global.portalPort}}/ONAPPORTAL/commonWidgets - -## Account Basic Authentication Properties -account.user.name=${ACC_USER} -account.user.password=${ACC_PASSWORD} - -## Certificate Properties -#server.ssl.key-store=classpath:widget-keystore.p12 -#server.ssl.key-store-password=ENC(DiIYnAMab4u7rEW2yKhF9zBL00uU55q8) -#server.ssl.keyStoreType=PKCS12 -#server.ssl.keyAlias=widget-microservice diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml deleted file mode 100644 index f3da66f882..0000000000 --- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -jasypt: - encryptor: - password: ${JASYPT_ENC_KEY} diff --git a/kubernetes/portal/components/portal-widget/templates/NOTES.txt b/kubernetes/portal/components/portal-widget/templates/NOTES.txt deleted file mode 100644 index 496dd8d1a5..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-widget/templates/configmap.yaml b/kubernetes/portal/components/portal-widget/templates/configmap.yaml deleted file mode 100644 index 58acd42a69..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapwidgetms - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPWIDGETMS/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-widget/templates/deployment.yaml b/kubernetes/portal/components/portal-widget/templates/deployment.yaml deleted file mode 100644 index e9ecece41e..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/deployment.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "portal-db" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portal-widget-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.*` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - - name: WIDGET_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "login") | indent 12 }} - - name: WIDGET_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "password") | indent 12 }} - - name: ACC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "login") | indent 12 }} - - name: ACC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "password") | indent 12 }} - - name: JASYPT_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "jasypt-enc-key" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapwidgetms-scrubbed - - mountPath: /config - name: properties-onapwidgetms - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /start-wms.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapwidgetms - mountPath: "/application.properties" - subPath: application.properties - - name: properties-onapwidgetms - mountPath: "/application.yml" - subPath: application.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapwidgetms - emptyDir: - medium: Memory - - name: properties-onapwidgetms-scrubbed - configMap: - name: {{ include "common.fullname" . }}-onapwidgetms - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-widget/templates/secret.yaml b/kubernetes/portal/components/portal-widget/templates/secret.yaml deleted file mode 100644 index 9a3f011e80..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-widget/templates/service.yaml b/kubernetes/portal/components/portal-widget/templates/service.yaml deleted file mode 100644 index 5197841189..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-widget/values.yaml b/kubernetes/portal/components/portal-widget/values.yaml deleted file mode 100644 index dfa51d8c7b..0000000000 --- a/kubernetes/portal/components/portal-widget/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - - uid: portal-widget - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.widgetCredsExternalSecret) . }}' - login: '{{ .Values.config.widgetUsername }}' - password: '{{ .Values.config.widgetPassword }}' - passwordPolicy: required - - uid: portal-account - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.accountCredsExternalSecret) . 
}}' - login: '{{ .Values.config.accountUsername }}' - password: '{{ .Values.config.accountPassword }}' - passwordPolicy: required - - uid: jasypt-enc-key - type: password - externalSecret: '{{ .Values.config.jasyptEncKeyExternalSecret}}' - password: '{{ .Values.config.jasyptEncKey }}' - passwordPolicy: required - -config: - widgetUsername: widget_user - widgetPassword: widget_pass -# widgetCredsExternalSecret: some secret - accountUsername: portal - accountPassword: portal -# accountCredsExternalSecret: some secret - jasyptEncKey: EncryptionKey - # jasyptEncKeyExternalSecret: some secret - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/portal-wms:3.4.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal - -service: - type: ClusterIP - name: portal-widget - portName: portal-widget - externalPort: 8082 - internalPort: 8082 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 430Mi - requests: - cpu: 1m - memory: 360Mi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 1 - memory: 4Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-widget - roles: - - read 
\ No newline at end of file diff --git a/kubernetes/portal/docker/init/mariadb-client/Dockerfile b/kubernetes/portal/docker/init/mariadb-client/Dockerfile deleted file mode 100644 index 72f60d35ad..0000000000 --- a/kubernetes/portal/docker/init/mariadb-client/Dockerfile +++ /dev/null 
@@ -1,54 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM boxfuse/flyway:5.0.7-alpine - -ARG branch=3.0.0-ONAP -ENV no_proxy "localhost,127.0.0.1,.cluster.local,$KUBERNETES_SERVICE_HOST" -# Setup Corporate proxy -ENV https_proxy ${HTTP_PROXY} -ENV http_proxy ${HTTPS_PROXY} - -RUN apk add --update \ - mariadb-client=10.1.32-r0 \ - git \ - && rm -rf /var/cache/apk/* - -ENV so_branch=$branch -#ENV policy_branch: $branch -ENV portal_branch=$branch -#ENV sdnc_branch: $branch -#ENV vid_branch: $branch -#ENV clamp_branch: $branch - -#ENV appc_repo: http://gerrit.onap.org/r/appc/deployment.git -ENV so_repo=http://gerrit.onap.org/r/so/docker-config.git -#ENV policy_repo: http://gerrit.onap.org/r/policy/docker.git -ENV portal_repo=http://gerrit.onap.org/r/portal.git -#ENV sdnc_repo: http://gerrit.onap.org/r/sdnc/oam.git -#ENV vid_repo: http://gerrit.onap.org/r/vid.git -#ENV clamp_repo: http://gerrit.onap.org/r/clamp.git - -RUN mkdir -p /onap-sources -WORKDIR /onap-sources - -RUN git clone -b $branch $portal_repo && cd portal && git checkout HEAD -RUN git clone -b $branch $so_repo && cd docker-config && git checkout HEAD - -VOLUME /onap-sources - -COPY db_migrate.sh /root - -RUN chmod a+x /root/db_migrate.sh -ENTRYPOINT /root/db_migrate.sh 
diff --git a/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh b/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh deleted file mode 100644 index 2b90a994c3..0000000000 --- a/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh -x - -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -SQL_DEST_DIR=${SQL_DEST_DIR:-/tmp/sql} -DB_PORT=${DB_PORT:-3306} - -[ -z "$SQL_SRC_DIR" ] && { echo "Error: SQL_SRC_DIR must be provided as an environment variable"; exit 1; } -[ -z "$DB_USER" ] && { echo "Error: DB_USER must be provided as an environment variable"; exit 1; } -[ -z "$DB_PASS" ] && { echo "Error: DB_PASS must be provided as an environment variable"; exit 1; } -[ -z "$DB_HOST" ] && { echo "Error: DB_HOST must be provided as an environment variable"; exit 1; } - -mkdir -p $SQL_DEST_DIR - -#Find all sql files and copy them to the destination directory -find "/onap-sources/$SQL_SRC_DIR" -type f -iname "*.sql" | awk -v dest="$SQL_DEST_DIR" '{n=split($1,a,"/"); system(sprintf( "cp %s %s", $1, dest"/"a[n])) }' - - -#Not needed right now? -#--database=$DB_NAME - -#--force to deal with duplicate records in absense of "insert ignore" -##ERROR 1062 (23000) at line 382: Duplicate entry '2' for key 'PRIMARY' - -cd $SQL_DEST_DIR -cat *.sql | mysql -vv --user=$DB_USER --password=$DB_PASS --host=$DB_HOST --port=$DB_PORT --force 
diff --git a/kubernetes/portal/resources/config/log/filebeat/filebeat.yml b/kubernetes/portal/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 56ed10a50c..0000000000 --- a/kubernetes/portal/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. 
- loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/portal/templates/configmap.yaml b/kubernetes/portal/templates/configmap.yaml deleted file mode 100644 index 681f24eff3..0000000000 --- a/kubernetes/portal/templates/configmap.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/portal/templates/secrets.yaml b/kubernetes/portal/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/portal/templates/secrets.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml deleted file mode 100644 index 0e6c9d63f5..0000000000 --- a/kubernetes/portal/values.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - env: - tomcatDir: "/usr/local/tomcat" - # portal frontend port - portalPort: "8989" - portalFEPort: "30225" - # application's front end hostname. Must be resolvable on the client side environment - portalHostName: "portal.api.simpledemo.onap.org" - - centralizedLoggingEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: portal-cass - name: &dbSecretName '{{ include "common.release" . }}-portal-cass-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.casandraCredsExternalSecret) . }}' - login: '{{ .Values.config.cassandraUsername }}' - password: '{{ .Values.config.cassandraPassword }}' - - uid: portal-backend-db - name: &backendDbSecretName '{{ include "common.release" . }}-portal-backend-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . 
}}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - -config: - logstashServiceName: log-ls - logstashPort: 5044 - cassandraUsername: root - cassandraPassword: Aa123456 -# casandraCredsExternalSecret: some secret - -portal-mariadb: - nameOverride: portal-db -mariadb: - service: - name: portal-db - config: -# backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal - -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - cassandraExternalSecret: *dbSecretName -portal-app: - mariadb: - config: - backendDbExternalSecret: *backendDbSecretName - cassandra: - config: - cassandraExternalSecret: *dbSecretName - logConfigMapNamePrefix: '{{ include "common.release" . }}-portal' -portal-sdk: - mariadb: - config: - backendDbExternalSecret: *backendDbSecretName - cassandra: - config: - cassandraExternalSecret: *dbSecretName - logConfigMapNamePrefix: '{{ include "common.release" . }}-portal' -messageRouter: - service: - name: message-router -ingress: - enabled: false diff --git a/kubernetes/robot/Chart.yaml b/kubernetes/robot/Chart.yaml index fcc3de3e47..d1f835342b 100644 --- a/kubernetes/robot/Chart.yaml +++ b/kubernetes/robot/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: A helm Chart for kubernetes-ONAP Robot name: robot -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/robot/demo-k8s.sh b/kubernetes/robot/demo-k8s.sh index 3f8ac9deec..0e8f11afcc 100755 --- a/kubernetes/robot/demo-k8s.sh 
+++ b/kubernetes/robot/demo-k8s.sh @@ -55,9 +55,6 @@ usage () echo " demo-k8s.sh preload " echo " - Preload data for VNF for the " echo " " - echo " demo-k8s.sh appc " - echo " - provide APPC with vFW module mount point for closed loop" - echo " " echo " demo-k8s.sh init_robot [ ]" echo " - Initialize robot after all ONAP VMs have started" echo " " @@ -168,16 +165,6 @@ do VARIABLES="$VARIABLES -v MODULE_NAME:$1" shift ;; - appc) - TAG="APPCMountPointDemo" - shift - if [ $# -ne 1 ];then - echo "Usage: demo-k8s.sh appc " - exit - fi - VARIABLES="$VARIABLES -v MODULE_NAME:$1" - shift - ;; instantiateVFW) TAG="instantiateVFW" VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$" diff --git a/kubernetes/robot/ete-k8s.sh b/kubernetes/robot/ete-k8s.sh index 82bf836ade..aa02e17867 100755 --- a/kubernetes/robot/ete-k8s.sh +++ b/kubernetes/robot/ete-k8s.sh @@ -31,7 +31,7 @@ if [ "$1" = "" ] || [ "$2" = "" ]; then echo " InitDistribution, PreloadDemo, deleteVNF, instantiateDemoVFWCL, instantiateVFW, " echo " instantiateVFWCL, instantiateVFWDT, instantiateVFWCLDN" echo "" - echo " health-check.robot: health, core, small, medium, 3rdparty, api, datarouter, externalapi, health-aaf, health-aai, health-appc," + echo " health-check.robot: health, core, small, medium, 3rdparty, api, datarouter, externalapi, health-aaf, health-aai," echo " health-clamp, health-cli, health-dcae, health-dmaap, health-log, health-modeling, health-msb," echo " health-multicloud, health-oof, health-policy, health-pomba, health-portal, health-sdc, health-sdnc," echo " health-so, health-uui, health-vfc, health-vid, health-vnfsdk, healthdist, healthlogin, healthmr," diff --git a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py index 3c5f9ce73a..e52e48c548 100644 --- a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py +++ b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py 
@@ -16,8 +16,6 @@ GLOBAL_INJECTED_AAF_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aaf-service") }}' GLOBAL_INJECTED_AAI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aai") }}' -GLOBAL_INJECTED_APPC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "appc") }}' -GLOBAL_INJECTED_APPC_CDT_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "appc-cdt") }}' GLOBAL_INJECTED_ARTIFACTS_VERSION = '{{.Values.demoArtifactsVersion}}' GLOBAL_INJECTED_ARTIFACTS_REPO_URL = "{{ .Values.demoArtifactsRepoUrl }}" GLOBAL_INJECTED_CLAMP_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "policy-gui") }}' 
@@ -27,11 +25,11 @@ GLOBAL_INJECTED_DCAE_COLLECTOR_IP = "{{ .Values.dcaeCollectorIp }}" GLOBAL_INJECTED_DCAE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-healthcheck") }}' GLOBAL_INJECTED_DCAE_MS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-ms-healthcheck") }}' GLOBAL_INJECTED_DCAE_VES_HOST = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-ves-collector") }}' -GLOBAL_INJECTED_DMAAP_DR_PROV_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-prov") }}' -GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-node") }}' GLOBAL_INJECTED_DNS_IP_ADDR = 'N/A' GLOBAL_INJECTED_DOCKER_VERSION = '1.2-STAGING-latest' GLOBAL_INJECTED_EXTERNAL_DNS = 'N/A' +GLOBAL_INJECTED_HOLMES_ENGINE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "holmes-engine-mgmt") }}' +GLOBAL_INJECTED_HOLMES_RULE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "holmes-rule-mgmt") }}' GLOBAL_INJECTED_LOG_ELASTICSEARCH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-es") }}' GLOBAL_INJECTED_LOG_KIBANA_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-kibana") }}' GLOBAL_INJECTED_LOG_LOGSTASH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-ls-http") }}' 
@@ -46,8 +44,6 @@ GLOBAL_INJECTED_POMBA_KIBANA_IP_ADDR = '{{include "robot.ingress.svchost" (dict GLOBAL_INJECTED_POMBA_ELASTIC_SEARCH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "pomba-es") }}' GLOBAL_INJECTED_POMBA_CONTEX_TAGGREGATOR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "pomba-contextaggregator") }}' GLOBAL_INJECTED_KEYSTONE = '{{ .Values.openStackKeyStoneUrl }}' -GLOBAL_INJECTED_MR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' -GLOBAL_INJECTED_BC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-bc") }}' GLOBAL_INJECTED_MUSIC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "music") }}' GLOBAL_INJECTED_NBI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "nbi") }}' GLOBAL_INJECTED_NETWORK = '{{ .Values.openStackPrivateNetId }}' 
@@ -60,6 +56,14 @@ GLOBAL_INJECTED_OOF_HOMING_IP_ADDR = '{{include "robot.ingress.svchost" (dict "r GLOBAL_INJECTED_OOF_SNIRO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "oof-osdf") }}' GLOBAL_INJECTED_OOF_CMSO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "oof-cmso") }}' GLOBAL_INJECTED_MSB_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "msb-iag") }}' +GLOBAL_INJECTED_MC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud") }}' +GLOBAL_INJECTED_MC_PIKE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-pike") }}' +GLOBAL_INJECTED_MC_PROMETHEUS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-prometheus") }}' +GLOBAL_INJECTED_MC_STARLINGX_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-starlingx") }}' +GLOBAL_INJECTED_MC_TC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-titaniumcloud") }}' +GLOBAL_INJECTED_MC_VIO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-vio") }}' +GLOBAL_INJECTED_MC_K8S_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-k8s") }}' +GLOBAL_INJECTED_MC_FCAPS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-fcaps") }}' GLOBAL_INJECTED_OPENSTACK_API_KEY = '{{ .Values.config.openStackEncryptedPasswordHere}}' GLOBAL_INJECTED_OPENSTACK_TENANT_ID = '{{ .Values.openStackTenantId }}' GLOBAL_INJECTED_OPENSTACK_USERNAME = '{{ .Values.openStackUserName }}' 
@@ -69,6 +73,7 @@ GLOBAL_INJECTED_OPENSTACK_USER_DOMAIN = '{{ .Values.openStackUserDomain }}' GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION = '{{ .Values.openStackKeystoneAPIVersion }}' GLOBAL_INJECTED_REGION_THREE = '{{ .Values.openStackRegionRegionThree }}' GLOBAL_INJECTED_KEYSTONE_REGION_THREE = '{{ .Values.openStackKeyStoneUrlRegionThree }}' +GLOBAL_INJECTED_MODEL_PARSER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "modeling-etsicatalog") }}' GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION_REGION_THREE = '{{ .Values.openStackKeystoneAPIVersionRegionThree }}' GLOBAL_INJECTED_OPENSTACK_USERNAME_REGION_THREE = '{{ .Values.openStackUserNameRegionThree }}' GLOBAL_INJECTED_OPENSTACK_SO_ENCRYPTED_PASSWORD_REGION_THREE = '{{ .Values.openSackMsoEncryptdPasswordRegionThree }}' 
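Review bot: GLOBAL_INJECTED_MODEL_PARSER_IP_ADDR is inserted between GLOBAL_INJECTED_KEYSTONE_REGION_THREE and GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION_REGION_THREE, which splits the region-three OpenStack settings with an unrelated service host. Consider moving it next to the other `robot.ingress.svchost` entries so the OpenStack group stays contiguous. The variable name says MODEL_PARSER while the hostname it resolves is "modeling-etsicatalog"; a one-line comment explaining that mapping would help whoever maintains the health checks.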
@@ -114,6 +119,14 @@ GLOBAL_INJECTED_SO_VNFM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root GLOBAL_INJECTED_SO_NSSMF_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-nssmf-adapter") }}' GLOBAL_INJECTED_UBUNTU_1404_IMAGE = '{{ .Values.ubuntu14Image }}' GLOBAL_INJECTED_UBUNTU_1604_IMAGE = '{{ .Values.ubuntu16Image }}' +GLOBAL_INJECTED_UUI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "uui-server") }}' +GLOBAL_INJECTED_VFC_GVNFMDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-generic-vnfm-driver") }}' +GLOBAL_INJECTED_VFC_HUAWEIVNFMDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-huawei-vnfm-driver") }}' +GLOBAL_INJECTED_VFC_NSLCM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-nslcm") }}' +GLOBAL_INJECTED_VFC_VNFLCM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnflcm") }}' +GLOBAL_INJECTED_VFC_VNFMGR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnfmgr") }}' +GLOBAL_INJECTED_VFC_VNFRES_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnfres") }}' +GLOBAL_INJECTED_VFC_ZTEVNFDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-zte-vnfm-driver") }}' GLOBAL_INJECTED_VM_IMAGE_NAME = '{{ .Values.ubuntu14Image }}' GLOBAL_INJECTED_DANOS_IMAGE_NAME = '{{ .Values.danosImage }}' GLOBAL_INJECTED_DANOS_FLAVOR = '{{ .Values.danosFlavor }}' 
@@ -129,37 +142,28 @@ GLOBAL_AAF_PASSWORD = '{{ .Values.aafPassword }}' GLOBAL_AAF_AUTHENTICATION = [GLOBAL_AAF_USERNAME, GLOBAL_AAF_PASSWORD] # aai info - everything is from the private oam network (also called onap private network) GLOBAL_AAI_SERVER_PROTOCOL = '{{ include "common.scheme" . }}' -GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" ( ternary 8443 80 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" 80 ) }}' GLOBAL_AAI_USERNAME = '{{ .Values.aaiUsername }}' GLOBAL_AAI_PASSWORD = '{{ .Values.aaiPassword}}' GLOBAL_AAI_AUTHENTICATION = [GLOBAL_AAI_USERNAME, GLOBAL_AAI_PASSWORD] -# appc info - everything is from the private oam network (also called onap private network) -GLOBAL_APPC_SERVER_PROTOCOL = "https" -GLOBAL_APPC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "appc" "port" 8443) }}' -GLOBAL_APPC_USERNAME = '{{ .Values.appcUsername }}' -GLOBAL_APPC_PASSWORD = '{{ .Values.appcPassword }}' -GLOBAL_APPC_AUTHENTICATION = [GLOBAL_APPC_USERNAME, GLOBAL_APPC_PASSWORD] -GLOBAL_APPC_CDT_SERVER_PROTOCOL = "https" -GLOBAL_APPC_CDT_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "appc-cdt" "port" 18080) }}' -GLOBAL_APPC_CDT_USERNAME = "demo" # sdc info - everything is from the private oam network (also called onap private network) -GLOBAL_SDC_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_SDC_FE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-fe" "port" ( ternary 9443 8181 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDC_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-be" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDC_BE_ONBOARD_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "sdc-onboarding-be" "port" ( ternary 8445 8081 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_SDC_SERVER_PROTOCOL = 'http' +GLOBAL_SDC_FE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-fe" "port" 8181) }}' +GLOBAL_SDC_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-be" "port" 8080) }}' +GLOBAL_SDC_BE_ONBOARD_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-onboarding-be" "port" 8081) }}' GLOBAL_SDC_DCAE_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-dcae-be" "port" 8444) }}' GLOBAL_SDC_USERNAME = '{{ .Values.sdcUsername }}' GLOBAL_SDC_PASSWORD = '{{ .Values.sdcPassword }}' GLOBAL_SDC_AUTHENTICATION = [GLOBAL_SDC_USERNAME, GLOBAL_SDC_PASSWORD] # clamp info - everything is from the private oam network (also called onap private network) -GLOBAL_CLAMP_SERVER_PROTOCOL = "https" +GLOBAL_CLAMP_SERVER_PROTOCOL = 'http' GLOBAL_CLAMP_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "policy-gui" "port" 2443) }}' # nbi info - everything is from the private oam network (also called onap private network) -GLOBAL_NBI_SERVER_PROTOCOL = "https" -GLOBAL_NBI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "nbi" "port" 8443) }}' +GLOBAL_NBI_SERVER_PROTOCOL = 'http' +GLOBAL_NBI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "nbi" "port" 8080) }}' # cli info - everything is from the private oam network (also called onap private network) -GLOBAL_CLI_SERVER_PROTOCOL = "https" -GLOBAL_CLI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "cli" "port" 443) }}' +GLOBAL_CLI_SERVER_PROTOCOL = "http" +GLOBAL_CLI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "cli" "port" 8080) }}' # dcae info - everything is from the private oam network (also called onap private network) GLOBAL_DCAE_SERVER_PROTOCOL = "http" GLOBAL_DCAE_HEALTH_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-healthcheck" "port" 80) }}' 
@@ -175,27 +179,44 @@ GLOBAL_DCAE_AUTHENTICATION = [GLOBAL_DCAE_USERNAME, GLOBAL_DCAE_PASSWORD] # dcae hv-ves info GLOBAL_DCAE_HVVES_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-hv-ves-collector") }}' GLOBAL_DCAE_HVVES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-hv-ves-collector" "port" 6061) }}' -# data router info - everything is from the private oam network (also called onap private network) -GLOBAL_DMAAP_DR_PROV_SERVER_PROTOCOL = "https" -GLOBAL_DMAAP_DR_PROV_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-dr-prov" "port" 443) }}' -GLOBAL_DMAAP_DR_NODE_SERVER_PROTOCOL = "https" -GLOBAL_DMAAP_DR_NODE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmapp-dr-node" "port" 8443) }}' -# dmaap message router info + +#DMAAP +# message router info - everything is from the private oam network (also called onap private network) +GLOBAL_MR_SERVER_PROTOCOL = "http" +GLOBAL_MR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' +GLOBAL_INJECTED_MR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' GLOBAL_DMAAP_MESSAGE_ROUTER_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' GLOBAL_DMAAP_MESSAGE_ROUTER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' -# dmaap kafka info -GLOBAL_DMAAP_KAFKA_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router-kafka") }}' -GLOBAL_DMAAP_KAFKA_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "message-router-kafka" "port" 9092) }}' -GLOBAL_DMAAP_KAFKA_JAAS_USERNAME = '{{ .Values.kafkaJaasUsername }}' -GLOBAL_DMAAP_KAFKA_JAAS_PASSWORD = '{{ .Values.kafkaJaasPassword }}' +# bus controller info +GLOBAL_INJECTED_BC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-bc") }}' +GLOBAL_BC_SERVER_PROTOCOL = 'http' +GLOBAL_BC_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-bc" "port" 8080) }}' +GLOBAL_BC_USERNAME = '{{ .Values.bcUsername }}' +GLOBAL_BC_PASSWORD = '{{ .Values.bcPassword }}' +# data router info - everything is from the private oam network (also called onap private network) +GLOBAL_DMAAP_DR_PROV_SERVER_PROTOCOL = 'http' +GLOBAL_DMAAP_DR_PROV_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-dr-prov" "port" 8080) }}' +GLOBAL_INJECTED_DMAAP_DR_PROV_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-prov") }}' +GLOBAL_DMAAP_DR_NODE_SERVER_PROTOCOL = 'http' +GLOBAL_DMAAP_DR_NODE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmapp-dr-node" "port" 8080) }}' +GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-node") }}' + # strimzi kafka GLOBAL_KAFKA_BOOTSTRAP_SERVICE = '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' -GLOBAL_KAFKA_USER = '{{ .Values.strimziKafkaJaasUsername }}' +GLOBAL_KAFKA_USER = '{{ .Values.strimziKafkaUsername }}' + # DROOL server port and credentials GLOBAL_DROOLS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "policy-drools-pdp" "port" 9696) }}' GLOBAL_DROOLS_USERNAME = '{{ .Values.droolsUsername }}' GLOBAL_DROOLS_PASSWORD = '{{ .Values.droolsPassword }}' GLOBAL_DROOLS_AUTHENTICATION = [GLOBAL_DROOLS_USERNAME, GLOBAL_DROOLS_PASSWORD] + +# holmes info +GLOBAL_HOLMES_ENGINE_SERVER_PROTOCOL = 'http' +GLOBAL_HOLMES_ENGINE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "holmes-engine-mgmt" "port" 9102) }}' +GLOBAL_HOLMES_RULE_SERVER_PROTOCOL = 'http' +GLOBAL_HOLMES_RULE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "holmes-rule-mgmt" "port" 9101) }}' + # log server config - NOTE: no log server is run in HEAT; only on OOM GLOBAL_LOG_SERVER_PROTOCOL = "http" GLOBAL_LOG_ELASTICSEARCH_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "log-es" "port" 9200) }}' 
@@ -216,16 +237,27 @@ GLOBAL_POMBA_ELASTICSEARCH_PORT = '{{include "robot.ingress.port" (dict "root" . GLOBAL_POMBA_CONTEXTAGGREGATOR_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "pomba-contextaggregator" "port" 9529) }}' # microservice bus info - everything is from the private oam network (also called onap private network) -GLOBAL_MSB_SERVER_PROTOCOL = "https" -GLOBAL_MSB_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "clamp" "port" 443) }}' -# message router info - everything is from the private oam network (also called onap private network) -GLOBAL_MR_SERVER_PROTOCOL = "http" -GLOBAL_MR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' -# bus controller info -GLOBAL_BC_SERVER_PROTOCOL = "https" -GLOBAL_BC_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-bc" "port" 8443) }}' -GLOBAL_BC_USERNAME = '{{ .Values.bcUsername }}' -GLOBAL_BC_PASSWORD = '{{ .Values.bcPassword }}' +GLOBAL_MSB_SERVER_PROTOCOL = 'http' +GLOBAL_MSB_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "msb-iag" "port" 80) }}' + +# multicloud info +GLOBAL_MC_SERVER_PROTOCOL = 'http' +GLOBAL_MC_PIKE_SERVER_PROTOCOL = 'http' +GLOBAL_MC_PROMETHEUS_SERVER_PROTOCOL = 'http' +GLOBAL_MC_STARLINGX_SERVER_PROTOCOL = 'http' +GLOBAL_MC_TC_SERVER_PROTOCOL = 'http' +GLOBAL_MC_VIO_SERVER_PROTOCOL = 'http' +GLOBAL_MC_K8S_SERVER_PROTOCOL = 'http' +GLOBAL_MC_FCAPS_SERVER_PROTOCOL = 'http' +GLOBAL_MC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud" "port" 9001) }}' +GLOBAL_MC_PIKE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-pike" "port" 9007) }}' +GLOBAL_MC_PROMETHEUS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-prometheus" "port" 9090) }}' +GLOBAL_MC_STARLINGX_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "multicloud-starlingx" "port" 9009) }}' +GLOBAL_MC_TC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-titaniumcloud" "port" 9005) }}' +GLOBAL_MC_VIO_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-vio" "port" 9004) }}' +GLOBAL_MC_K8S_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-k8s" "port" 9015) }}' +GLOBAL_MC_FCAPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-fcaps" "port" 9011) }}' + # dcae inventory and deployment handler info GLOBAL_INVENTORY_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "inventory") }}' GLOBAL_INVENTORY_SERVER_PROTOCOL = "https" 
@@ -286,11 +318,14 @@ GLOBAL_SO_VFC_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VFC_IP_ADDR + ':' + GLOB GLOBAL_SO_VNFM_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VNFM_IP_ADDR + ':' + GLOBAL_SO_VNFM_SERVER_PORT GLOBAL_SO_NSSMF_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_NSSMF_IP_ADDR + ':' + GLOBAL_SO_NSSMF_SERVER_PORT #GLOBAL_SO_VNFM_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VNFM_IP_ADDR + ':' + GLOBAL_SO_VNFM_SERVER_PORT +# modeling info +GLOBAL_MODEL_PARSER_SERVER_PROTOCOL = "http" +GLOBAL_MODEL_PARSER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "modeling-etsicatalog" "port" 8806) }}' # music info - everything is from the private oam network (also called onap private network) GLOBAL_MUSIC_SERVER_PROTOCOL = "https" GLOBAL_MUSIC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "music" "port" 8443) }}' # oof global info - everything is from the private oam network (also called onap private network) -GLOBAL_OOF_SERVER_PROTOCOL = "https" +GLOBAL_OOF_SERVER_PROTOCOL = 'http' # oof-homing info - everything is from the private oam network (also called onap private network) GLOBAL_OOF_HOMING_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "oof-has-api" "port" 8091) }}' GLOBAL_OOF_HOMING_USERNAME="{{ .Values.oofHomingUsername }}" @@ -304,7 +339,7 @@ GLOBAL_OOF_OSDF_PASSWORD="{{ .Values.oofPassword }}" GLOBAL_OOF_PCI_USERNAME="{{ .Values.oofOsdfPciOptUsername }}" GLOBAL_OOF_PCI_PASSWORD="{{ .Values.oofOsdfPciOptPassword }}" # oof cmso global info - everything is from the private oam network (also called onap private network) -GLOBAL_OOF_CMSO_PROTOCOL = "https" +GLOBAL_OOF_CMSO_PROTOCOL = "http" GLOBAL_OOF_CMSO_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "oof-cmso" "port" 8080) }}' GLOBAL_OOF_CMSO_USERNAME = "{{ .Values.oofCmsoUsername }}" GLOBAL_OOF_CMSO_PASSWORD = "{{ .Values.oofCmsoPassword }}" 
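Review bot: In the @@ -175,27 +179,44 @@ hunk of this file, GLOBAL_DMAAP_DR_NODE_SERVER_PORT still looks up the hostname "dmapp-dr-node", while the GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR line added right after it uses "dmaap-dr-node", so the port and the address of the same service are looked up under two different names. Since the port line is being changed anyway, use "dmaap-dr-node" in both. The same hunk keeps the name GLOBAL_BC_HTTPS_SERVER_PORT although the protocol is now 'http' and the default port 8080; rename it, or add a comment that the name is historical.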
@@ -315,7 +350,7 @@ GLOBAL_PACKET_GENERATOR_USERNAME = "admin" GLOBAL_PACKET_GENERATOR_PASSWORD = "admin" GLOBAL_PGN_PORT = "2831" # policy info - everything is from the private oam network (also called onap private network) -GLOBAL_POLICY_SERVER_PROTOCOL = "https" +GLOBAL_POLICY_SERVER_PROTOCOL = 'http' GLOBAL_POLICY_SERVER_PORT = "8081" GLOBAL_POLICY_HEALTHCHECK_PORT = "6969" GLOBAL_POLICY_AUTH = '{{ .Values.policyAuth}}' @@ -332,9 +367,9 @@ GLOBAL_PORTAL_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "host GLOBAL_PORTAL_USERNAME = '{{ .Values.portalUsername }}' GLOBAL_PORTAL_PASSWORD = '{{ .Values.portalPassword }}' # sdnc info - everything is from the private oam network (also called onap private network) -GLOBAL_SDNC_SERVER_PROTOCOL = "https" -GLOBAL_SDNC_REST_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc" "port" 8443) }}' -GLOBAL_SDNC_ADMIN_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc-portal" "port" 8443) }}' +GLOBAL_SDNC_SERVER_PROTOCOL = 'http' +GLOBAL_SDNC_REST_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc" "port" 8282) }}' +GLOBAL_SDNC_ADMIN_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc-portal" "port" 8080) }}' GLOBAL_SDNC_USERNAME = '{{ .Values.sdncUsername }}' GLOBAL_SDNC_PASSWORD = '{{ .Values.sdncPassword }}' GLOBAL_SDNC_AUTHENTICATION = [GLOBAL_SDNC_USERNAME, GLOBAL_SDNC_PASSWORD] 
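Review bot: GLOBAL_SDNC_SERVER_PROTOCOL is hard-coded to 'http' here while GLOBAL_SDNC_AUTHENTICATION still carries a username and password. The earlier hunks of this file do the same for SDC (dropping the common.needTLS ternary), CLAMP, NBI, CLI, OOF CMSO and policy. If transport encryption is now expected from outside the pod, say so in the file's comments; otherwise derive the protocol from common.scheme as GLOBAL_AAI_SERVER_PROTOCOL does, so that credentials are not sent in clear text by default. Also check GLOBAL_CLAMP_SERVER_PORT: its protocol changes to 'http' but the default port stays 2443, whereas NBI and CLI change the port together with the protocol.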
@@ -342,6 +377,24 @@ GLOBAL_SDNC_AUTHENTICATION = [GLOBAL_SDNC_USERNAME, GLOBAL_SDNC_PASSWORD] GLOBAL_SMS_SERVER_PROTOCOL = "https" GLOBAL_SMS_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aaf-sms") }}' GLOBAL_SMS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aaf-sms" "port" 10443) }}' +# uui info +GLOBAL_UUI_SERVER_PROTOCOL = "http" +GLOBAL_UUI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "uui-server" "port" 8082) }}' +# vfc info +GLOBAL_VFC_GVNFMDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_GVNFMDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-generic-vnfm-driver" "port" 8484) }}' +GLOBAL_VFC_HUAWEIVNFMDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_HUAWEIVNFMDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-huawei-vnfm-driver" "port" 8482) }}' +GLOBAL_VFC_NSLCM_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_NSLCM_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-nslcm" "port" 8403) }}' +GLOBAL_VFC_VNFLCM_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFLCM_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnflcm" "port" 8801) }}' +GLOBAL_VFC_VNFMGR_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFMGR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnfmgr" "port" 8803) }}' +GLOBAL_VFC_VNFRES_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFRES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnfres" "port" 8802) }}' +GLOBAL_VFC_ZTEVNFDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_ZTEVNFDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-zte-vnfm-driver" "port" 8410) }}' # vid info - everything is from the private oam network (also called onap private network) GLOBAL_VID_SERVER_PROTOCOL = '{{ .Values.vidServerProtocol }}' GLOBAL_VID_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "clamp" "port" (.Values.vidServerPort | default 0 | int)) }}' @@ -350,13 +403,13 @@ GLOBAL_VID_PASSWORD = '{{ .Values.vidPassword}}' GLOBAL_VID_HEALTH_USERNAME = '{{ .Values.vidHealthUsername }}' GLOBAL_VID_HEALTH_PASSWORD = '{{ .Values.vidHealthPassword }}' # vnfsdk info - everything is from the private oam network (also called onap private network) -GLOBAL_VNFSDK_SERVER_PROTOCOL = "https" +GLOBAL_VNFSDK_SERVER_PROTOCOL = 'http' GLOBAL_VNFSDK_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "refrepo" "port" 8703) }}' GLOBAL_DCAE_VES_PROTOCOL = "http" GLOBAL_DCAE_VES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector" "port" 8080) }}' -GLOBAL_DCAE_VES_HTTPS_PROTOCOL = "https" -GLOBAL_DCAE_VES_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector-https" "port" 8443) }}' +GLOBAL_DCAE_VES_HTTPS_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_DCAE_VES_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector-https" "port" 8080) }}' GLOBAL_DCAE_VES_USERNAME = 'sample1' GLOBAL_DCAE_VES_PASSWORD = 'sample1' diff --git a/kubernetes/robot/templates/deployment.yaml b/kubernetes/robot/templates/deployment.yaml index 7d588e4de4..4736d6d00a 100644 --- a/kubernetes/robot/templates/deployment.yaml +++ b/kubernetes/robot/templates/deployment.yaml @@ -66,9 +66,6 @@ spec: volumeMounts: - name: dshm mountPath: /dev/shm - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: robot-eteshare mountPath: /share/config - name: robot-lighttpd @@ -77,8 +74,7 @@ spec: mountPath: /etc/lighttpd/ssl - name: robot-logs mountPath: /share/logs - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
@@ -98,9 +94,6 @@ spec: - name: dshm emptyDir: medium: Memory - - name: localtime - hostPath: - path: /etc/localtime - name: robot-eteshare configMap: name: {{ include "common.fullname" . }}-eteshare-configmap @@ -113,5 +106,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-lighttpd-ssl-configmap defaultMode: 0600 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml index 0b1aa0e71d..6025462649 100644 --- a/kubernetes/robot/values.yaml +++ b/kubernetes/robot/values.yaml @@ -22,7 +22,7 @@ global: # global defaults # application image repository: nexus3.onap.org:10001 -image: onap/testsuite:1.8.0 +image: onap/testsuite:1.12.2 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 @@ -44,14 +44,6 @@ config: enabled: true https: true hostname: aai.api.sparky - appc: - enabled: true - https: true - hostname: appc.api - appc_cdt: - enabled: true - https: true - hostname: appccdt clamp: enabled: true https: true @@ -65,13 +57,20 @@ config: dcae_ves_colector_https: enabled: false https: true + message_router: + enabled: false + https: false + dmaap_bc: + enabled: true + https: false + hostname: dmaapbc dmaap_dr_prov: enabled: true - https: true + https: false hostname: dmaapdrprov dmaap_dr_node: enabled: true - https: true + https: false hostname: dmaapdrnode log_es: enabled: false @@ -99,13 +98,6 @@ config: enabled: false pomba_contextaggregator: enabled: false - message_router: - enabled: false - https: true - dmaap_bc: - enabled: true - https: true - hostname: dmaapbc music: enabled: false https: true @@ -138,8 +130,6 @@ config: enabled: false policy_apex_pdp: enabled: false - policy_distribution: - enabled: false portal_app: enabled: false https: true 
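Review bot: In the GLOBAL_* properties hunk @@ -350,13 +403,13 @@, just before the robot deployment.yaml diff, GLOBAL_DCAE_VES_HTTPS_PROTOCOL is made conditional on common.needTLS, but GLOBAL_DCAE_VES_HTTPS_SERVER_PORT is changed to a fixed default of 8080. When common.needTLS is "true" the result is https paired with default port 8080, where the removed line used 8443. Either make the port conditional in the same way (the removed SDC lines used ternary 8443 8080 for this) or drop the ternary from the protocol so the two values cannot disagree.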
@@ -194,8 +184,6 @@ config: hostname: blueprintsprocessorhttp dcae_hv_ves_collector: enabled: false - message_router_kafka: - enabled: false inventory: enabled: false https: true @@ -319,9 +307,6 @@ aafPassword: "demo123456!" # AAI aaiUsername: "aai@aai.onap.org" aaiPassword: "demo123456!" -# APPC -appcUsername: "appc@appc.onap.org" -appcPassword: "demo123456!" # SDC sdcUsername: "beep" sdcPassword: "boop" @@ -361,16 +346,13 @@ vidUsername: "demo" vidPassword: "Kp8bJ4SXszM0WX" vidHealthUsername: "Default" vidHealthPassword: "AppPassword!1" + # DMAAP BC bcUsername: "dmaap-bc@dmaap-bc.onap.org" bcPassword: "demo123456!" -# DMAAP KAFKA JAAS -kafkaJaasUsername: "admin" -kafkaJaasPassword: "admin_secret" - -# STRIMZI KAFKA JAAS -strimziKafkaJaasUsername: "strimzi-kafka-admin" +# STRIMZI KAFKA +strimziKafkaUsername: "strimzi-kafka-admin" #OOF oofUsername: "oof@oof.onap.org" @@ -400,18 +382,18 @@ flavor: small resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "2000m" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "4000m" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1000m" + memory: "2Gi" unlimited: {} # probe configuration parameters @@ -437,7 +419,7 @@ service: ingress: enabled: false service: - - baseaddr: "robot.api" + - baseaddr: "robot-api" name: "robot" port: 443 config: @@ -471,4 +453,4 @@ persistence: serviceAccount: nameOverride: robot roles: - - read \ No newline at end of file + - read diff --git a/kubernetes/sdc/Chart.yaml b/kubernetes/sdc/Chart.yaml index d2acf1b392..86d3408f0e 100644 --- a/kubernetes/sdc/Chart.yaml +++ b/kubernetes/sdc/Chart.yaml 
@@ -18,30 +18,33 @@ apiVersion: v2 description: Service Design and Creation Umbrella Helm charts name: sdc -version: 11.0.0 +version: 13.0.1 dependencies: + - name: common + version: ~13.x-0 + repository: '@local' - name: sdc-be - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/sdc-be' - name: sdc-cs - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/sdc-cs' - name: sdc-fe - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/sdc-fe' - name: sdc-onboarding-be - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/sdc-onboarding-be' - name: sdc-wfd-be - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/sdc-wfd-be' condition: sdc-wfd.enabled - name: sdc-wfd-fe - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/sdc-wfd-fe' condition: sdc-wfd.enabled - name: sdc-helm-validator - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/sdc-helm-validator' condition: sdcHelmValidator.enabled diff --git a/kubernetes/sdc/Makefile b/kubernetes/sdc/Makefile index 192fc01a75..d0b2b1fef6 100644 --- a/kubernetes/sdc/Makefile +++ b/kubernetes/sdc/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") 
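Review bot: SKIP_LINT is introduced in this Makefile hunk without a comment, is honoured only for the exact value TRUE, and turns the lint step into an echo that still succeeds, so package-% goes on to package and push a chart that was never linted. Add a comment above the ifneq saying when skipping is acceptable, and make the skip notice easy to find in build logs so a pushed chart can be traced back to a skipped lint.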
@@ -38,17 +44,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/sdc/components/Makefile b/kubernetes/sdc/components/Makefile index 7be14135bb..497e2b4cf9 100644 --- a/kubernetes/sdc/components/Makefile +++ b/kubernetes/sdc/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") 
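Review bot: In the package-% recipe of kubernetes/sdc/Makefile (@@ -38,17 +44,13 @@), "@sleep 3" is added with no comment saying what it waits for, and the repo index step is kept as a commented-out line. If the sleep is there to let the push settle, say so in a comment or poll for the condition instead of waiting a fixed time, and delete the dead line rather than commenting it out. With the v3 branch removed, the recipe now always calls cm-push, so a missing plugin fails at push time; HELM_VER is still computed in the context lines of the previous hunk but is no longer used in the lines shown.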
@@ -37,16 +43,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/sdc/components/sdc-be/Chart.yaml b/kubernetes/sdc/components/sdc-be/Chart.yaml index 4620c679bd..e93607c017 100644 --- a/kubernetes/sdc/components/sdc-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-be/Chart.yaml @@ -18,15 +18,15 @@ apiVersion: v2 description: ONAP Service Design and Creation Backend API name: sdc-be -version: 11.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~11.x-0 + - name: common + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-be/templates/configmap.yaml b/kubernetes/sdc/components/sdc-be/templates/configmap.yaml index aa632f33f4..332cd74661 100644 --- a/kubernetes/sdc/components/sdc-be/templates/configmap.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/configmap.yaml @@ -27,3 +27,5 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/logging/*").AsConfig . | indent 2 }} + + diff --git a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml index 24f169a5b9..229d4233cc 100644 --- a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml @@ -24,15 +24,17 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness command: - /app/ready.py args: - - --container-name - - "sdc-onboarding-be" - - --container-name - - "message-router" + - --service-name + - sdc-onboarding-be + {{- if not .Values.global.kafka.useKafka }} + - --service-name + - message-router + {{- end }} env: - name: NAMESPACE valueFrom: 
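Review bot: The readiness args in the sdc-be deployment.yaml hunk (@@ -24,15 +24,17 @@) dereference .Values.global.kafka.useKafka directly. Helm fails rendering with a nil pointer error when global.kafka is not defined, for example when this chart is linted or templated on its own. Make sure this chart's values.yaml carries a global.kafka.useKafka default, or guard the lookup. The switch from --container-name to --service-name also changes what the init container waits for; confirm that services exist under exactly the names sdc-onboarding-be and message-router.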
@@ -43,11 +45,11 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" @@ -55,7 +57,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-onboarding-be-cassandra-init + - {{ include "common.release" . }}-sdc-onboarding-be env: - name: NAMESPACE valueFrom: 
@@ -64,59 +66,16 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - {{- end }} + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - sed -i '/trustStorePassword/d' ${JETTY_BASE}/startup.sh - ${JETTY_BASE}/startup.sh - {{- end }} - ports: {{ include "common.containerPorts" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: httpGet: 
@@ -137,7 +96,6 @@ spec: timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} - resources: {{ include "common.resources" . | nindent 12 }} startupProbe: httpGet: path: /sdc2/rest/healthCheck @@ -159,20 +117,18 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + {{- if .Values.global.kafka.useKafka }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: USE_KAFKA + value: {{ .Values.global.kafka.useKafka | quote }} + {{- end }} volumeMounts: - name: sdc-environments mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-be/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-be/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: logs mountPath: /var/log/onap - name: logback 
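Review bot: The @@ -137,7 +96,6 @@ hunk deletes the line resources: {{ include "common.resources" . | nindent 12 }} from the main sdc-be container, and none of the hunks shown for this file adds it back. Unless another resources key for this container sits in the unchanged lines, the container ends up with no CPU or memory requests and limits, while the init containers in the same file keep theirs. Restore the line or explain the removal in the commit message.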
@@ -185,23 +141,15 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - name: sdc-environments - {{- if .Values.global.aafEnabled }} - emptyDir: { medium: "Memory" } - - name: sdc-environments-input - {{- end }} configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - name: logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-be/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-be/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} 
diff --git a/kubernetes/sdc/components/sdc-be/templates/job.yaml b/kubernetes/sdc/components/sdc-be/templates/job.yaml index 5f70991e6f..30400a80b7 100644 --- a/kubernetes/sdc/components/sdc-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/job.yaml @@ -17,10 +17,7 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-config-backend - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -39,7 +36,7 @@ spec: command: - /app/ready.py args: - - --container-name + - --service-name - sdc-be - "-t" - "35" @@ -51,11 +48,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.backendInitImage }} @@ -74,12 +71,13 @@ spec: fieldPath: status.podIP resources: limits: - cpu: 800m - memory: 1024Mi + cpu: "800m" + memory: "1Gi" requests: - cpu: 200m - memory: 200Mi + cpu: "200m" + memory: "200Mi" {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: @@ -87,6 +85,4 @@ spec: defaultMode: 0755 - name: sdc-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml b/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml new file mode 100644 index 0000000000..5033d9d9aa --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.global.kafka.useKafka }} +{{ include "common.kafkauser" . }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index fb6682bf28..7f914d4bdf 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled 
@@ -30,13 +30,17 @@ global: replicaCount: 3 clusterName: cassandra dataCenter: Pod + # Global Strimzi kafka config overridden + # from parent values.yaml + kafka: + useKafka: overridden-from-parent-values-yaml ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-backend-all-plugins:1.11.4 -backendInitImage: onap/sdc-backend-init:1.11.4 +image: onap/sdc-backend-all-plugins:1.13.6 +backendInitImage: onap/sdc-backend-init:1.13.6 pullPolicy: Always @@ -45,27 +49,7 @@ debugEnabled: false #environment file env: - name: AUTO - -certInitializer: - nameOverride: sdc-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop + name: &env AUTO ################################################################# # SDC Config part @@ -74,6 +58,18 @@ config: javaOptions: "-Xmx1536m -Xms1536m" cassandraSslEnabled: "false" +kafkaUser: + acls: + - name: sdc + suffix: *env + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + + # default number of instances replicaCount: 1 
@@ -109,38 +105,49 @@ startup: service: type: NodePort name: sdc-be - both_tls_and_plain: true internalPort: 8080 - msb: - - port: 8443 - url: "/sdc/v1" - version: "v1" - protocol: "REST" - visualRange: "1" - serviceName: sdc - enable_ssl: true - - port: 8080 - url: "/sdc/v1" - version: "v1" - protocol: "REST" - visualRange: "1" - serviceName: sdc-deprecated ports: - name: tcp-api - port: 8443 - plain_port: 8080 + port: 8080 port_protocol: http nodePort: '04' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "sdc-be", + "version": "v1", + "url": "/sdc/v1", + "path":"/sdc/v1", + "protocol": "REST", + "visualRange":"1", + "port": "{{ .Values.service.internalPort }}", + } + ]{{ end }} ingress: enabled: false service: - - baseaddr: "sdc.api.be" + - baseaddr: "sdc-be-api" name: "sdc-be" - port: 8443 + port: 8080 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: modeling-etsicatalog-read + - serviceAccount: nbi-read + - serviceAccount: oof-has-read + - serviceAccount: portal-db-read + - serviceAccount: so-cnfm-lcm-read + - serviceAccount: so-etsi-sol003-adapter-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress # Resource Limit flavor -By Default using small flavor: small @@ -148,18 +155,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "3Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "3Gi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "6Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "6Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-cs/Chart.yaml b/kubernetes/sdc/components/sdc-cs/Chart.yaml index 1ef26a69f0..f0bbbca1d9 100644 --- a/kubernetes/sdc/components/sdc-cs/Chart.yaml +++ b/kubernetes/sdc/components/sdc-cs/Chart.yaml 
@@ -18,20 +18,20 @@ apiVersion: v2 description: ONAP Service Design and Creation Cassandra name: sdc-cs -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: cassandra - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml index 0eeeff52da..c715342d5e 100644 --- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml @@ -17,14 +17,7 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-config-cassandra - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -41,12 +34,8 @@ spec: command: - /app/ready.py args: - - --container-name - {{- if .Values.global.sdc_cassandra.localCluster }} - - sdc-cs - {{- else }} - - cassandra - {{- end }} + - --service-name + - {{ .Values.global.sdc_cassandra.serviceName }} - "-t" - "15" env: @@ -57,11 +46,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.cassandraInitImage }} 
@@ -71,6 +60,8 @@ spec: mountPath: /home/sdc/chef-solo/environments/ - name: {{ include "common.fullname" . }}-chef-cache mountPath: /home/sdc/chef-solo/cache + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: ENVNAME value: {{ .Values.env.name }} @@ -91,11 +82,11 @@ spec: fieldPath: status.podIP resources: limits: - cpu: 800m - memory: 1024Mi + cpu: "800m" + memory: "1Gi" requests: - cpu: 200m - memory: 300Mi + cpu: "200m" + memory: "300Mi" {{ include "common.waitForJobContainer" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: @@ -105,6 +96,7 @@ spec: defaultMode: 0755 - name: {{ include "common.fullname" . }}-chef-cache emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index 1e182ed3ee..b8986ee104 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml 
@@ -18,20 +18,39 @@ ################################################################# global: nodePortPrefix: 302 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.0.3 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled localCluster: false + + # in case of a local cassandra cluster + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + #The cassandra service name to connect to (default: shared cassandra service) - serviceName: cassandra + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case of local k8ssandra-operator instance it is + #serviceName: sdc-cs-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra + #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled #to match with its own cluster replica replicaCount: 3 clusterName: cassandra - dataCenter: Pod + #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod") + dataCenter: dc1 + #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.0.* must be "3.4.5" + #and cassandra 4.1.* must be "3.4.6" + cqlVersion: "3.4.6" ################################################################# # Application configuration defaults. 
@@ -48,11 +67,14 @@ cassandra: persistence: mountSubPath: sdc/sdc-cs/CS enabled: true + k8ssandraOperator: + config: + clusterName: sdc-cs # application image repository: nexus3.onap.org:10001 -image: onap/sdc-cassandra:1.11.4 -cassandraInitImage: onap/sdc-cassandra-init:1.11.4 +image: onap/sdc-cassandra:1.13.6 +cassandraInitImage: onap/sdc-cassandra-init:1.13.6 pullPolicy: Always config: diff --git a/kubernetes/sdc/components/sdc-fe/Chart.yaml b/kubernetes/sdc/components/sdc-fe/Chart.yaml index 2250947e85..5c05fdaba6 100644 --- a/kubernetes/sdc/components/sdc-fe/Chart.yaml +++ b/kubernetes/sdc/components/sdc-fe/Chart.yaml @@ -18,15 +18,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Front End name: sdc-fe -version: 11.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml index cc91960dbf..1648555ffc 100644 --- a/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml +++ b/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml @@ -1,10 +1,6 @@ pluginsList: - pluginId: WORKFLOW - {{- if (include "common.needTLS" .) }} - pluginDiscoveryUrl: "{{ .Values.config.plugins.workflow_discovery_url.https }}" - {{- else }} pluginDiscoveryUrl: "{{ .Values.config.plugins.workflow_discovery_url.http }}" - {{- end }} pluginSourceUrl: "{{ .Values.config.plugins.workflow_source_url }}" pluginStateUrl: "workflowDesigner" pluginDisplayOptions: 
diff --git a/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml index 599e32e175..bfdf547ac1 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,26 +18,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" @@ -44,7 +33,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-be-config-backend + - {{ include "common.release" . }}-sdc-be - "-t" - "35" env: 
@@ -55,65 +44,20 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - sed -i '/trustStorePassword/d' ${JETTY_BASE}/startup.sh - ${JETTY_BASE}/startup.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -122,7 +66,7 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} @@ -130,7 +74,7 @@ spec: failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} timeoutSeconds: {{ .Values.startup.timeoutSeconds }} @@ -149,17 +93,6 @@ spec: volumeMounts: - name: sdc-environments mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: logs mountPath: /var/log/onap - name: configs 
@@ -175,10 +108,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - name: configs configMap: @@ -197,5 +127,4 @@ spec: defaultMode: 0755 - name: logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml b/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-fe/templates/service.yaml b/kubernetes/sdc/components/sdc-fe/templates/service.yaml index 30c3d1122f..0a349834b4 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/service.yaml 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,39 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "sdc-gui", - "version": "v1", - "url": "/sdc1", - "protocol": "UI", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0|1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file 
diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index 05ac50d432..5745f06be2 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml 
@@ -18,51 +18,24 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true - -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-fe-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-frontend:1.11.4 +image: onap/sdc-frontend:1.13.6 pullPolicy: Always config: javaOptions: "-Xmx256m -Xms256m" plugins: dcae_discovery_url: - https: "https://sdc-dcae-fe:9444/dcaed/#/home" http: "http://sdc-dcae-fe:8183/dcaed/#/home" dcae_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30264/dcaed/#/home" dcae_dt_discovery_url: - https: "https://sdc-dcae-dt:9446/dcae/#/dcae/home" http: "http://sdc-dcae-dt:8186/dcae/#/dcae/home" dcae_dt_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30266/dcae/#/dcae/home" workflow_discovery_url: - https: "https://sdc-wfd-fe:8443/workflows" http: "http://sdc-wfd-fe:8080/workflows" workflow_source_url: "https://sdc.workflow.plugin.simpledemo.onap.org:30256/workflows/" 
@@ -106,46 +79,61 @@ startup: failureThreshold: 60 service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. type: NodePort name: sdc-fe - portName: http internalPort: 8181 - externalPort: 8181 - internalPort2: 9443 - externalPort2: 9443 - nodePort: "07" - + ports: + - name: http + port: 8181 + nodePort: '07' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "sdc-ui", + "version": "v1", + "url": "/sdc1", + "protocol": "UI", + "visualRange":"0|1", + "port": "{{ .Values.service.internalPort }}", + } + ]{{ end }} ingress: enabled: false service: - - baseaddr: "sdc.api.fe" + - baseaddr: "sdc-fe-ui" name: "sdc-fe" - port: 9443 + port: 8181 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: istio-ingress + namespace: istio-ingress + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml index 771bfbf7db..d114dc892e 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml 
@@ -19,12 +19,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Helm Validator name: sdc-helm-validator -version: 11.0.0 +version: 13.0.0 dependencies: - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml index f736a174db..f3572ca902 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml 
@@ -50,5 +50,4 @@ spec: periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} failureThreshold: {{ .Values.startup.failureThreshold }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-helm-validator/values.yaml b/kubernetes/sdc/components/sdc-helm-validator/values.yaml index 363a05934d..3470770ac6 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/values.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/values.yaml @@ -30,6 +30,11 @@ service: - name: &port http port: *svc_port +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-be-read + liveness: initialDelaySeconds: 1 periodSeconds: 10 @@ -53,16 +58,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 256Mi + cpu: "1" + memory: "500Mi" requests: - cpu: 1 - memory: 256Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 256Mi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml index e2ff602dd6..0e998b7765 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml @@ -18,15 +18,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Onboarding API name: sdc-onboarding-be -version: 11.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 8180cc79f1..24715bcaec 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml 
@@ -18,26 +18,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" @@ -45,7 +33,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-onboarding-be-cassandra-init + - {{ include "common.release" . }}-sdc-onboarding-be env: - name: NAMESPACE valueFrom: 
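Review bot: in sdc-onboarding-be/templates/deployment.yaml (hunk `@@ -45,7 +33,7 @@`) the `--job-name` argument is still assembled from a literal, `{{ include "common.release" . }}-sdc-onboarding-be`. The Job it waits for now gets its name from `common.resourceMetadata` in job.yaml. If the chart is ever installed with a name override, the two strings stop matching and the readiness init container never sees the job complete. Build the argument from `{{ include "common.fullname" . }}`, as the sdc-wfd-be deployment in this same change does.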
@@ -54,78 +42,21 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert - securityContext: - runAsUser: 0 - volumeMounts: - - name: cert-storage - mountPath: "/onboard/cert" - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: httpGet: path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -135,7 +66,7 @@ spec: readinessProbe: httpGet: path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} @@ -144,7 +75,7 @@ spec: startupProbe: httpGet: path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} timeoutSeconds: {{ .Values.startup.timeoutSeconds }} 
@@ -171,25 +102,12 @@ spec: valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} - name: SDC_CERT_DIR - value: {{ .Values.cert.certDir }} + value: "" volumeMounts: - name: sdc-environments mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-onboard-backend/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-onboard-backend/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: logs mountPath: /var/log/onap - - name: cert-storage - mountPath: "{{ .Values.cert.certDir }}" - name: logback mountPath: /tmp/logback.xml subPath: logback.xml @@ -200,27 +118,15 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - name: sdc-environments - {{- if .Values.global.aafEnabled }} - emptyDir: { medium: "Memory" } - - name: sdc-environments-input - {{- end }} configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - name: logs emptyDir: {} - - name: cert-storage - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-cert - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml index bfc1ef8e7b..8ceca385a4 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml @@ -17,14 +17,7 @@ apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-cassandra-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -42,7 +35,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-cs-config-cassandra + - {{ include "common.release" . }}-sdc-cs - "-t" - "20" env: @@ -53,11 +46,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.onboardingInitImage }} @@ -72,6 +65,8 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-environments mountPath: /home/sdc/chef-solo/environments/ + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: ENVNAME value: {{ .Values.env.name }} 
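Review bot: the new mount in sdc-onboarding-be/templates/job.yaml (hunk `@@ -72,6 +65,8 @@`) places a ConfigMap volume over the whole `/home/sdc/.cassandra` directory. ConfigMap volumes are read-only, so anything the init image writes there, such as the cqlsh history file, will fail. Consider mounting only the `cqlshrc` file with `subPath`. Also confirm that `{{ include "common.release" . }}-sdc-cqlshrc` holds no credentials. The Cassandra user and password in this job already come from `sdc-cs-secrets`, and the cqlshrc should not duplicate them in a ConfigMap.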
@@ -92,17 +87,19 @@ spec: value: "{{ .Values.global.sdc_cassandra.serviceName }}" resources: limits: - cpu: 800m - memory: 1024Mi + cpu: "800m" + memory: "1Gi" requests: - cpu: 200m - memory: 200Mi + cpu: "200m" + memory: "200Mi" {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml deleted file mode 100644 index bc110c3b0f..0000000000 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml +++ /dev/null 
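Review bot: the last hunk of sdc-onboarding-be/templates/job.yaml (`@@ -92,17 +87,19 @@`) deletes `restartPolicy: Never`, and no added line in this file's hunks puts it back. A Job's pod template accepts only `Never` or `OnFailure`, so unless one of the includes (`common.waitForJobContainer`, `common.imagePullSecrets`) renders the field, the API server will reject the Job. Please confirm with `helm template` that the rendered spec still carries a restart policy, or restore the line.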
@@ -1,41 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (C) 2019, Nordix Foundation. All rights reserved. -# ================================================================================ -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.persistence.enabled (not .Values.cert.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.cert.persistence.size}} - accessModes: - - {{ .Values.cert.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.cert.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.cert.persistence.mountSubPath }} -{{- end -}} -{{- end -}} 
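Review bot: deleting sdc-onboarding-be/templates/pv.yaml does not remove what earlier releases created. The template set `persistentVolumeReclaimPolicy` from `.Values.cert.persistence.volumeReclaimPolicy`, which this chart defaulted to `Retain`, and backed the volume with a `hostPath` under the persistence mount path. After an upgrade the released PersistentVolume and the certificate directory on the node stay behind. The upgrade notes should tell operators to delete the leftover PV and clear that directory, since it held keystore material.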
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml deleted file mode 100644 index 006d736b63..0000000000 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (C) 2019, Nordix Foundation. All rights reserved. -# ================================================================================ -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.cert.persistence.enabled (not .Values.cert.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-cert - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.cert.persistence.annotations }} - annotations: -{{ toYaml .Values.cert.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.cert.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.cert.persistence.size }} -{{- end -}} 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml index ece5a439a3..0a349834b4 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,35 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName | default "http" }}s - - - port: {{ .Values.service.externalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName | default "http" }}} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName | default "http" }}s - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName | default "http" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index 5a1c6643e6..a55565676c 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -18,7 +18,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true persistence: {} sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName 
@@ -32,35 +31,12 @@ global: clusterName: cassandra dataCenter: Pod -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-onboarding-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-onboard-backend:1.11.4 -onboardingInitImage: onap/sdc-onboard-cassandra-init:1.11.4 +image: onap/sdc-onboard-backend:1.13.6 +onboardingInitImage: onap/sdc-onboard-cassandra-init:1.13.6 pullPolicy: Always # flag to enable debugging - application support required @@ -109,12 +85,15 @@ startup: service: type: ClusterIP name: sdc-onboarding-be - portName: http - internalPort: 8445 - externalPort: 8445 + internalPort: 8081 + ports: + - name: http + port: 8081 - internalPort2: 8081 - externalPort2: 8081 +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-be-read ## Persist data to a persitent volume persistence: 
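Review bot: in sdc-onboarding-be/values.yaml (hunk `@@ -109,12 +85,15 @@`) the port number 8081 is now declared twice, once as `service.internalPort` and once under `service.ports`. The probes in deployment.yaml read `.Values.service.internalPort`, while the container ports and the Service come from the `ports` list through `common.containerPorts` and `common.service`. An override that changes only one of the two leaves the probes pointing at a port the container does not expose. Point the probes at the named port `http` and drop `internalPort`, or add a comment saying both must change together.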
@@ -139,17 +118,6 @@ persistence: mountPath: /dockerdata-nfs mountSubPath: /sdc/sdc-cs/CS -##Certificate storage persistence -##This is temporary solution for SDC-1980 -cert: - certDir: /app/jetty/cert - persistence: - enabled: true - size: 10Mi - accessMode: ReadWriteOnce - volumeReclaimPolicy: Retain - mountSubPath: /sdc/onbaording/cert - securityContext: fsGroup: 35953 runAsUser: 352070 @@ -163,18 +131,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1.5Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1.5Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "3Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "3Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml index 6992f6b9ab..8a1a8b34b9 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml @@ -17,15 +17,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer backend name: sdc-wfd-be -version: 11.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml index a187e19a75..59ebb02675 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, AT&T, Bell Canada # Modifications Copyright © 2018 ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,26 +18,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: {{- if .Values.initJob.enabled }} - name: {{ include "common.name" . }}-job-completion image: {{ include "repositoryGenerator.image.readiness" . }} @@ -45,7 +34,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.fullname" . }}-workflow-init + - {{ include "common.fullname" . }} env: - name: NAMESPACE valueFrom: 
@@ -54,38 +43,23 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" {{ end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export SERVER_SSL_KEY_PASSWORD=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export SERVER_SSL_TRUST_PASSWORD=$cadi_truststore_password - export SERVER_SSL_KEYSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} - export SERVER_SSL_TRUSTSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} - ./startup.sh - {{- end }} - ports: - - containerPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} successThreshold: {{ .Values.liveness.successThreshold }} 
@@ -93,14 +67,14 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} 
@@ -128,28 +102,16 @@ spec: valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: cs_truststore_password} - name: SDC_PROTOCOL - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }}" + value: "HTTP" - name: SDC_ENDPOINT - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdcEndpoint.https .Values.config.sdcEndpoint.http }}" + value: "{{ .Values.config.sdcEndpoint.http }}" - name: SDC_USER value: "{{ .Values.config.sdcExternalUser }}" - name: SDC_PASSWORD valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: wf_external_user_password} - {{- if (include "common.needTLS" .) }} - - name: SERVER_SSL_ENABLED - value: "true" - - name: SERVER_SSL_KEYSTORE_TYPE - value: "{{ .Values.config.serverSSLKeyStoreType }}" - - name: SERVER_SSL_TRUSTSTORE_TYPE - value: "{{ .Values.config.serverSSLTrustStoreType }}" - {{- else }} - name: SERVER_SSL_ENABLED value: "false" - {{- end }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} resources: {{ include "common.resources" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml index 171442dfdc..e9e5fcf1d1 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml 
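Review bot: in sdc-wfd-be/templates/deployment.yaml (hunk `@@ -128,28 +102,16 @@`) `SDC_PROTOCOL` is fixed to "HTTP" and `SERVER_SSL_ENABLED` to "false", so the `SDC_USER` and `SDC_PASSWORD` values are sent to the `config.sdcEndpoint.http` address without TLS at the application layer. That is only acceptable when the service mesh enforces mTLS between the two pods. Please state this requirement in the chart documentation, and say what `common.authorizationPolicy` renders when the mesh is disabled, so that an install without the mesh is a visible decision rather than a silent downgrade.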
@@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{include "common.ingress" .}} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml index 2e5826d229..5b6762b78f 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml @@ -18,14 +18,7 @@ {{ if .Values.initJob.enabled }} apiVersion: batch/v1 kind: Job -metadata: - name: {{ include "common.fullname" . }}-workflow-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: backoffLimit: 20 template: @@ -43,7 +36,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-cs-config-cassandra + - {{ include "common.release" . }}-sdc-cs - "-t" - "20" env: @@ -54,11 +47,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: 
@@ -72,6 +65,9 @@ spec: - /bin/sh - -c {{- end }} + volumeMounts: + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: CS_HOST value: "{{ .Values.global.sdc_cassandra.serviceName }}" @@ -83,8 +79,12 @@ spec: valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user}} - name: CS_PASSWORD valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml index 2f4129b03f..895eac1794 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,28 +17,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index 828283ec76..cc85176748 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -18,7 +18,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true sdc_cassandra: # This flag allows SDC to instantiate its own cluster, serviceName # should be sdc-cs if this flag is enabled 
@@ -32,35 +31,12 @@ global: clusterName: cassandra dataCenter: Pod -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-wfd-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-workflow-backend:1.11.1 -configInitImage: onap/sdc-workflow-init:1.11.1 +image: onap/sdc-workflow-backend:1.12.0 +configInitImage: onap/sdc-workflow-init:1.12.0 pullPolicy: Always initJob: @@ -71,7 +47,6 @@ config: cassandraAuthenticationEnabled: true cassandraClientPort: 9042 sdcEndpoint: - https: sdc-be:8443 http: sdc-be:8080 sdcExternalUser: workflow serverSSLKeyStoreType: jks 
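Review bot: in sdc-wfd-be/values.yaml, `serverSSLKeyStoreType: jks` is left in place as context in hunk `@@ -71,7 +47,6 @@`, but the deployment template in this change no longer reads `.Values.config.serverSSLKeyStoreType` or `.Values.config.serverSSLTrustStoreType`. Remove the keystore and truststore type keys along with `sdcEndpoint.https`, so the values file does not suggest that TLS can still be switched on from here.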
@@ -126,40 +101,47 @@ startup: service: type: NodePort - portName: http internalPort: 8080 - externalPort: 8080 - internalPort2: 8443 - externalPort2: 8443 - nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property + ports: + - name: http + port: 8080 + nodePort: "57" ingress: enabled: false service: - - baseaddr: "sdcwfdbe" + - baseaddr: "sdc-wfd-be-api" name: "sdc-wfd-be" - port: 8443 + port: 8080 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-wfd-fe-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: istio-ingress + namespace: istio-ingress + # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml index 45f13a04b1..79ff34a906 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml @@ -17,15 +17,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer frontend name: sdc-wfd-fe -version: 11.0.0 +version: 13.0.0 dependencies: - - name: certInitializer - version: ~11.x-0 - repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
+++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml index d57309004d..ad031dabf9 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml 
@@ -16,32 +16,20 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness command: - /app/ready.py args: - - --container-name - - "sdc-wfd-be" + - --service-name + - sdc-wfd-be env: - name: NAMESPACE valueFrom: 
@@ -52,57 +40,20 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-move-cert - command: - - /bin/sh - args: - - -c - - | - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /sdc-certs/{{ .Values.certInitializer.keystoreFile }} - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /sdc-certs/{{ .Values.certInitializer.truststoreFile }} - cp {{ .Values.certInitializer.credsPath }}/mycreds.prop /sdc-certs/mycreds.prop - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-certs - mountPath: /sdc-certs - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' /sdc-certs/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - export KEYSTORE_PATH=/etc/{{ .Values.certInitializer.keystoreFile }} - export TRUSTSTORE_PATH=/etc/{{ .Values.certInitializer.truststoreFile }} - ./startup.sh - {{- end }} - ports: - - containerPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} successThreshold: {{ .Values.liveness.successThreshold }} @@ -110,14 +61,14 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} 
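Review bot: the `readinessProbe` and `startupProbe` `tcpSocket` ports in this hunk read `.Values.service.internalPort`, while the container `ports:` earlier in the same file now come from `common.containerPorts`, and sdc-wfd-fe/values.yaml keeps `internalPort: 8080` beside the new `service.ports` list. The port is therefore set in two places that can drift apart, and a probe on a stale port fails silently as a restart loop. If the rendered container port carries the name `http` from `service.ports`, point the probes at that name instead, or drop `internalPort` and derive the probe port from the list.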
@@ -128,28 +79,9 @@ spec: - name: JAVA_OPTIONS value: {{ .Values.config.javaOptions }} - name: BACKEND - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.backendServerURL.https .Values.config.backendServerURL.http }}" + value: "{{ .Values.config.backendServerURL.http }}" - name: IS_HTTPS - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}" - {{- if and (include "common.needTLS" .) (eq .Values.security.isDefaultStore false) }} - - name: TRUST_ALL - value: "{{ .Values.config.isTrustAll}}" - {{- end }} - volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - {{- if .Values.global.aafEnabled }} - - name: sdc-certs - mountPath: /sdc-certs/mycreds.prop - subPath: mycreds.prop - - name: sdc-certs - mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.keystoreFile }} - subPath: {{ .Values.certInitializer.keystoreFile }} - - name: sdc-certs - mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.truststoreFile }} - subPath: {{ .Values.certInitializer.truststoreFile }} - {{ end }} + value: "false" resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -162,17 +94,8 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - {{- if .Values.global.aafEnabled }} - - name: sdc-certs - emptyDir: - medium: "Memory" - {{- end }} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml index 08feb5a6ed..f6b302776c 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 ZTE # Modifications Copyright © 2018 AT&T, Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -14,39 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "wf-gui", - "version": "v1", - "url": "/", - "protocol": "UI", - "port": "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}", - "visualRange":"0|1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index fd6f713655..e33cf4827d 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml 
@@ -18,36 +18,12 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - aafEnabled: true - -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-wfd-fe-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-workflow-frontend:1.11.1 +image: onap/sdc-workflow-frontend:1.12.0 pullPolicy: Always # flag to enable debugging - application support required @@ -56,7 +32,6 @@ debugEnabled: false config: javaOptions: "-Xmx256m -Xms256m" backendServerURL: - https: "https://sdc-wfd-be:8443" http: "http://sdc-wfd-be:8080" # following flag decides whether to check the certificate on the outgoing proxy request or whether to trust all parties isTrustAll: true 
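Review bot: in the `config.backendServerURL` hunk, `isTrustAll: true` and its comment about checking the certificate on the outgoing proxy request survive as context, but the `TRUST_ALL` env entry that read `.Values.config.isTrustAll` is deleted from templates/deployment.yaml in this same change and `IS_HTTPS` is now the literal "false". The flag appears to have no remaining consumer in the visible templates, so remove the key and its comment here; left in place, it suggests certificate validation on that request is still configurable.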
@@ -101,25 +76,37 @@ startup: service: type: NodePort internalPort: 8080 - externalPort: 8080 - internalPort2: 8443 - externalPort2: 8443 - portName: sdc-wfd-fe - nodePort: "56" # only one node port. set to http or https port depending on isHttpsEnabled property + ports: + - name: http + port: 8080 + port_protocol: http + nodePort: '56' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "wf-gui", + "version": "v1", + "url": "/", + "protocol": "UI", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0|1" + } + ]{{ end }} ingress: enabled: false service: - - baseaddr: "sdcwfdfe" + - baseaddr: "sdc-wfd-fe-ui" name: "sdc-wfd-fe" - port: 8443 - annotations: - ingress.kubernetes.io/secure-backends: "false" - nginx.ingress.kubernetes.io/secure-backends: "false" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTP" - nginx.ingress.kubernetes.io/rewrite-target: "/workflows/" + port: 8080 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-fe-read + - serviceAccount: istio-ingress + namespace: istio-ingress # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) @@ -127,18 +114,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdc/resources/config/cqlshrc b/kubernetes/sdc/resources/config/cqlshrc new file mode 100644 index 0000000000..cb6df94880 --- /dev/null +++ b/kubernetes/sdc/resources/config/cqlshrc @@ -0,0 +1,2 @@ +[cql] +version={{.Values.global.sdc_cassandra.cqlVersion}} \ No newline at end of file 
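Review bot: `version={{.Values.global.sdc_cassandra.cqlVersion}}` in the new resources/config/cqlshrc has no guard, so a deployment whose values lack `global.sdc_cassandra.cqlVersion` renders an empty `version=` line without any error at template time. Since the comment added in sdc/values.yaml says the value must match the Cassandra release, wrap the lookup in `required` with a message naming the key, and add the missing newline at end of file.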
diff --git a/kubernetes/sdc/resources/config/environments/AUTO.json b/kubernetes/sdc/resources/config/environments/AUTO.json index c9535592d8..59cb8655b9 100755 --- a/kubernetes/sdc/resources/config/environments/AUTO.json +++ b/kubernetes/sdc/resources/config/environments/AUTO.json @@ -8,7 +8,7 @@ "chef_type": "environment", "default_attributes": { - "disableHttp": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "disableHttp": false, "CS_VIP": "{{.Values.global.sdc_cassandra.serviceName}}.{{include "common.namespace" .}}", "BE_VIP": "sdc-be.{{include "common.namespace" .}}", "ONBOARDING_BE_VIP": "sdc-onboarding-be.{{include "common.namespace" .}}", @@ -19,7 +19,11 @@ }, "ECompP": { "ecomp_rest_url": "https://portal-app.{{include "common.namespace" .}}:8443/ONAPPORTAL/auxapi", + {{- if .Values.global.kafka.useKafka }} + "ueb_url_list": "no-message-router.{{include "common.namespace" .}}, message-router.{{include "common.namespace" .}}", + {{- else }} "ueb_url_list": "message-router.{{include "common.namespace" .}}, message-router.{{include "common.namespace" .}}", + {{- end }} "app_secret": "XftIATw9Jr3VzAcPqt3NnJOu", "app_key": "x9UfO7JsDn8BESVX", "inbox_name": "ECOMP-PORTAL-INBOX", 
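Review bot: in the `useKafka` branch of `ueb_url_list`, only the first host becomes `no-message-router`; the second entry is still `message-router.{{include "common.namespace" .}}`, whereas the `fqdn` array changed later in this file switches both entries to `no-message-router`. If the intent is to steer SDC away from message-router when Kafka is enabled, make both entries consistent; if the second host is kept on purpose, say why in the commit message, because JSON leaves no room for a comment here.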
@@ -31,10 +35,24 @@ "PublicKey": "iPIxkpAMI8qTcQj8", "SecretKey": "Ehq3WyT4bkif4zwgEbvshGal", "fqdn": [ + {{- if .Values.global.kafka.useKafka }} + "no-message-router.{{include "common.namespace" .}}", + "no-message-router.{{include "common.namespace" .}}" + {{- else }} "message-router.{{include "common.namespace" .}}", "message-router.{{include "common.namespace" .}}" + {{- end }} ] }, + "Kafka": { + "bootstrap": "{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092" + }, + {{- if .Values.global.kafka.useKafka }} + "DistributionTopics": { + "notificationTopicName": "{{ .Values.global.kafka.topics.sdcDistNotifTopic }}", + "statusTopicName": "{{ .Values.global.kafka.topics.sdcDistStatusTopic }}" + }, + {{- end }} "Nodes": { "CS": [ "{{.Values.global.sdc_cassandra.serviceName}}.{{include "common.namespace" .}}" @@ -112,13 +130,6 @@ "username": "user1@sdc.com", "password": "password==" } - {{- if .Values.global.aafEnabled }} - }, - "jetty": { - "keystore_pwd": "${KEYSTORE_PASS}", - "truststore_pwd": "${TRUSTSTORE_PASS}", - "keymanager_pwd": "${KEYMANAGER_PASS}" - {{- end }} } } } diff --git a/kubernetes/sdc/templates/configmap.yaml b/kubernetes/sdc/templates/configmap.yaml index 712f2ecc61..dee73ba711 100644 --- a/kubernetes/sdc/templates/configmap.yaml +++ b/kubernetes/sdc/templates/configmap.yaml @@ -28,4 +28,17 @@ metadata: data: {{ tpl (.Files.Glob "resources/config/environments/*").AsConfig . | indent 2 }} --- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-cqlshrc + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/cqlshrc").AsConfig . | indent 2 }} +--- {{ include "common.log.configMap" . }} 
diff --git a/kubernetes/sdc/templates/kafkatopic.yaml b/kubernetes/sdc/templates/kafkatopic.yaml new file mode 100644 index 0000000000..53352c4e56 --- /dev/null +++ b/kubernetes/sdc/templates/kafkatopic.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.global.kafka.useKafka }} +{{ include "common.kafkatopic" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index e7643069bf..9cfae6ac66 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2021 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,23 +25,48 @@ global: truststore_password: eitLRWo7dCssS05eaWltU2lTODllI3Aw keystore_password: PyhrUCFZdXIhWyohWTUhRV5mKFpLYzMx wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== - aafEnabled: true sdc_cassandra: - #This flag allows SDC to instantiate its own cluster, serviceName - #should be "sdc-cs" if this flag is enabled - localCluster: false - #The cassandra service name to connect to (default: shared cassandra service) - serviceName: cassandra - #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled - #to match with its own cluster replica - #see "cassandra: replicaCount" in file sdc-cs/values.yaml) - replicaCount: 3 - dbCache: true - readConsistencyLevel: ONE - writeConsistencyLevel: ALL - clusterName: cassandra - dataCenter: Pod + #This flag allows SDC to instantiate its own cluster, serviceName + #should be "sdc-cs" if this flag is enabled + localCluster: false + #The cassandra service name to connect to (default: shared cassandra service) + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra + #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled + #to match with its own cluster replica + #see "cassandra: replicaCount" in file sdc-cs/values.yaml) + replicaCount: 3 + dbCache: true + readConsistencyLevel: ONE + writeConsistencyLevel: ALL + clusterName: cassandra + #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod") + dataCenter: dc1 + #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.0.* must be "3.4.5" + #and cassandra 4.1.* must be "3.4.6" + cqlVersion: "3.4.6" + centralizedLoggingEnabled: true + # global Kafka config passed to sdc-be chart + kafka: + # If true, the following Strimzi KafkaTopics will be created + useKafka: true + topics: + 
sdcDistNotifTopic: ¬if-topic-name SDC-DISTR-NOTIF-TOPIC + sdcDistStatusTopic: &status-topic-name SDC-DISTR-STATUS-TOPIC + +# Environment file +env: + name: &env AUTO + +kafkaTopic: + - name: *notif-topic-name + suffix: *env + - name: *status-topic-name + suffix: *env sdc-be: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' @@ -51,10 +77,6 @@ sdc-onboarding-be: sdc-wfd-fe: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' -# Environment file -env: - name: AUTO - config: logstashServiceName: log-ls logstashPort: 5044 diff --git a/kubernetes/sdnc/Chart.yaml b/kubernetes/sdnc/Chart.yaml index cc2148453b..f98bc4e12d 100644 --- a/kubernetes/sdnc/Chart.yaml +++ b/kubernetes/sdnc/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,61 +18,61 @@ apiVersion: v2 description: SDN Controller name: sdnc -version: 11.0.0 +version: 13.0.2 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: logConfiguration - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: network-name-gen - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: network-name-gen.enabled - name: dgbuilder - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: dgbuilder.enabled - name: sdnc-prom - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: config.geoEnabled - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: elasticsearch - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - condition: config.sdnr.enabled + condition: sdnc.elasticsearch.enabled,elasticsearch.enabled # conditions for sdnc-subcharts - name: dmaap-listener - version: ~11.x-0 - repository: 'file://components/dmaap-listener/' + version: ~13.x-0 + repository: '@local' condition: sdnc.dmaap-listener.enabled,dmaap-listener.enabled - name: ueb-listener - version: ~11.x-0 - repository: 'file://components/ueb-listener/' + version: ~13.x-0 + repository: '@local' condition: sdnc.ueb-listener.enabled,ueb-listener.enabled - name: sdnc-ansible-server - version: ~11.x-0 - repository: 'file://components/sdnc-ansible-server/' + version: ~13.x-0 + repository: '@local' condition: sdnc.sdnc-ansible-server.enabled,sdnc-ansible-server.enabled - name: sdnc-web - version: ~11.x-0 - repository: 'file://components/sdnc-web/' + version: ~13.x-0 + repository: '@local' condition: sdnc.sdnc-web.enabled,sdnc-web.enabled - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: 
~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/Makefile b/kubernetes/sdnc/Makefile index 88bcb82057..47f9c9f109 100644 --- a/kubernetes/sdnc/Makefile +++ b/kubernetes/sdnc/Makefile @@ -20,6 +20,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") @@ -38,16 +44,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/sdnc/components/Makefile b/kubernetes/sdnc/components/Makefile index 7604b56342..4938b2ec26 100644 --- a/kubernetes/sdnc/components/Makefile +++ b/kubernetes/sdnc/components/Makefile 
@@ -20,6 +20,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") @@ -38,16 +44,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) push -f $$PACKAGE_NAME local; fi -else - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi -endif - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/aaf/components/aaf-fs/.helmignore b/kubernetes/sdnc/components/dgbuilder/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-fs/.helmignore rename to kubernetes/sdnc/components/dgbuilder/.helmignore diff --git a/kubernetes/sdnc/components/dgbuilder/Chart.yaml b/kubernetes/sdnc/components/dgbuilder/Chart.yaml new file mode 100644 index 0000000000..ff32f4e8a2 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/Chart.yaml 
@@ -0,0 +1,31 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: D.G. Builder application +name: dgbuilder +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js new file mode 100644 index 0000000000..abaab57254 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js 
@@ -0,0 +1,58 @@ +/* Copyright © 2017 AT&T, Amdocs, Bell Canada +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +module.exports={ + "name": "Release sdnc1.0", + "emailAddress": "dguser@onap.org", + "uiPort": 3100, + "mqttReconnectTime": 15000, + "serialReconnectTime": 15000, + "debugMaxLength": 1000, + "htmlPath": "releases/sdnc1.0/html/", + "xmlPath": "releases/sdnc1.0/xml/", + "flowFile": "releases/sdnc1.0/flows/flows.json", + "sharedDir": "releases/sdnc1.0/flows/shared", + "userDir": "releases/sdnc1.0", + "httpAuth": { + "user": "${HTTP_USER}", + "pass": "${HTTP_PASSWORD}" + }, + "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", + "dbPort": "3306", + "dbName": "{{.Values.config.db.dbName}}", + "dbUser": "${DB_USER}", + "dbPassword": "${DB_PASSWORD}", + "gitLocalRepository": "", + "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", + "restConfUser": "${REST_CONF_USER}", + "restConfPassword": "${REST_CONF_PASSWORD}", + "formatXML": "Y", + "formatJSON": "Y", + "httpRoot": "/", + "disableEditor": false, + "httpAdminRoot": "/", + "httpAdminAuth": { + "user": "${HTTP_ADMIN_USER}", + "pass": "${HTTP_ADMIN_PASSWORD}" + }, + "httpNodeRoot": "/", + "httpNodeAuth": { + "user": "${HTTP_NODE_USER}", + "pass": "${HTTP_NODE_PASSWORD}" + }, + "uiHost": "0.0.0.0", + "version": "0.9.1", + "performGitPull": "N" +} 
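Review bot: the `${DB_PASSWORD}`, `${HTTP_PASSWORD}`, `${HTTP_ADMIN_PASSWORD}`, `${HTTP_NODE_PASSWORD}` and `${REST_CONF_PASSWORD}` placeholders sit inside double-quoted JS string literals and are filled by the init container's raw `envsubst <${PFILE} >/config/${PFILE}` loop, so a secret containing `"` or `\` produces a broken or silently altered literal in this module. Either restrict the character set of the generated passwords or have the file read the values from `process.env` at load time. Separately, `"uiHost": "0.0.0.0"` together with `"disableEditor": false` and `"httpAdminRoot": "/"` means the editor is reachable on every interface of the pod, so the chart should state which Service or authorization policy is expected to limit access to port 3100.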
diff --git a/kubernetes/common/dgbuilder/resources/config/svclogic.properties b/kubernetes/sdnc/components/dgbuilder/resources/config/svclogic.properties similarity index 100% rename from kubernetes/common/dgbuilder/resources/config/svclogic.properties rename to kubernetes/sdnc/components/dgbuilder/resources/config/svclogic.properties diff --git a/kubernetes/common/dgbuilder/templates/NOTES.txt b/kubernetes/sdnc/components/dgbuilder/templates/NOTES.txt similarity index 100% rename from kubernetes/common/dgbuilder/templates/NOTES.txt rename to kubernetes/sdnc/components/dgbuilder/templates/NOTES.txt diff --git a/kubernetes/common/dgbuilder/templates/configmap.yaml b/kubernetes/sdnc/components/dgbuilder/templates/configmap.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/configmap.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/configmap.yaml diff --git a/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml b/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml new file mode 100644 index 0000000000..a89941d3d7 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml 
@@ -0,0 +1,127 @@ +{{/* +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} + - name: HTTP_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} + - name: HTTP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "password") | indent 10 }} + - name: HTTP_ADMIN_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} + - name: HTTP_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "admin-creds" "key" "password") | indent 10 }} + - name: HTTP_NODE_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} + - name: HTTP_NODE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} + - name: REST_CONF_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} + - name: REST_CONF_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - command: + - /app/ready.py + args: + - --service-name + - {{ .Values.config.dbServiceName }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/bash"] + args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"] + ports: {{- include "common.containerPorts" . 
| indent 10 }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SDNC_CONFIG_DIR + value: /opt/onap/sdnc/data/properties + volumeMounts: + - name: config + mountPath: /opt/app/application.properties + subPath: application.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/conf/svclogic.properties + subPath: svclogic.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties + subPath: svclogic.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js + subPath: customSettings.js + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: config-input + configMap: + name: {{ include "common.fullname" . }}-config + - name: config + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/dgbuilder/templates/ingress.yaml b/kubernetes/sdnc/components/dgbuilder/templates/ingress.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/ingress.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/ingress.yaml diff --git a/kubernetes/common/dgbuilder/templates/secrets.yaml b/kubernetes/sdnc/components/dgbuilder/templates/secrets.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/secrets.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/secrets.yaml 
diff --git a/kubernetes/sdnc/components/dgbuilder/templates/service.yaml b/kubernetes/sdnc/components/dgbuilder/templates/service.yaml new file mode 100644 index 0000000000..53f04104d9 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/dgbuilder/values.yaml b/kubernetes/sdnc/components/dgbuilder/values.yaml new file mode 100644 index 0000000000..68cb86bd7e --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/values.yaml 
@@ -0,0 +1,180 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Global configuration default values that can be inherited by +# all subcharts. +################################################################# +global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image pull policy + pullPolicy: Always + + # default mount path root directory referenced + # by persistent volumes and log files + persistence: + mountPath: /dockerdata-nfs + + # flag to enable debugging - application support required + debugEnabled: true + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: 'db-root-password' + type: password + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + password: '{{ .Values.config.db.rootPassword }}' + - uid: 'db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + - uid: 'http-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . 
}}' + login: '{{ .Values.config.httpUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'admin-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' + login: '{{ .Values.config.adminUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'node-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' + login: '{{ .Values.config.nodeUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'restconf-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' + login: '{{ .Values.config.restconfUser }}' + password: '{{ .Values.config.restconfPassword }}' + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/ccsdk-dgbuilder-image:1.5.1 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: + db: + dbName: sdnctl + # unused for now to preserve the API + rootPassword: openECOMP1.0 + # rootPasswordExternalSecret: some secret + userName: sdnctl + # unused for now to preserve the API + userPassword: gamma + # userCredentialsExternalSecret: some secret + httpUser: dguser + # unused for now to preserve the API + httpPassword: cc03e747a6afbbcbf8be7668acfebee5 + # httpCredsExternalSecret: some secret + adminUser: dguser + # unused for now to preserve the API + adminPassword: cc03e747a6afbbcbf8be7668acfebee5 + # adminCredsExternalSecret: some secret + nodeUser: dguser + # unused for now to preserve the API + nodePassword: cc03e747a6afbbcbf8be7668acfebee5 + # nodeCredsExternalSecret: some secret + restconfUser: admin + # unused for now to preserve the API + restconfPassword: admin + # restconfCredsExternalSecret: some secret + + dbPodName: 
mysql-db + dbServiceName: sdnc-dbhost + # MD5 hash of dguser password ( default: test123 ) + dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: NodePort + name: dgbuilder + internalPort: 3100 + ports: + - name: http + port: 3100 + nodePort: 28 + +ingress: + enabled: false + service: + - baseaddr: "dgbuilder" + name: "dgbuilder" + port: 3100 + config: + ssl: "redirect" + +#Resource Limit flavor -By Default using small +flavor: small +#segregation for different envionment (Small and Large) + +resources: + small: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + large: + limits: + cpu: "4" + memory: "8Gi" + requests: + cpu: "2" + memory: "4Gi" + unlimited: {} + +podAnnotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" + +#Pods Service Account +serviceAccount: + nameOverride: dgbuilder + roles: + - read diff --git a/kubernetes/sdnc/components/dmaap-listener/Chart.yaml b/kubernetes/sdnc/components/dmaap-listener/Chart.yaml index 3737cb7d89..0fdddec268 100644 --- a/kubernetes/sdnc/components/dmaap-listener/Chart.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/Chart.yaml 
@@ -16,15 +16,15 @@ apiVersion: v2 description: SDNC DMaaP Listener name: dmaap-listener -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml index b788a36248..110001a6a6 100644 --- a/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml 
@@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -53,11 +50,11 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} - - --container-name + - --service-name - {{ .Values.config.msgRouterContainerName }} env: - name: NAMESPACE @@ -68,6 +65,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - command: - /opt/onap/sdnc/dmaap-listener/bin/start-dmaap-listener.sh @@ -82,9 +86,6 @@ spec: - name: LOG4J_FORMAT_MSG_NO_LOOKUPS value: "true" volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/dblib.properties name: properties subPath: dblib.properties @@ -110,6 +111,7 @@ spec: name: properties subPath: dmaap-consumer-RANSlice.properties resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} @@ -118,9 +120,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} 
@@ -128,5 +127,4 @@ spec: - name: properties emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml index 728ba05046..77b0d878c1 100644 --- a/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml @@ -14,17 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: ClusterIP - clusterIP: None +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/dmaap-listener/values.yaml b/kubernetes/sdnc/components/dmaap-listener/values.yaml index 5094b6eb52..084afa18cb 100644 --- a/kubernetes/sdnc/components/dmaap-listener/values.yaml +++ b/kubernetes/sdnc/components/dmaap-listener/values.yaml @@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -49,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-dmaap-listener-image:2.3.2 +image: onap/sdnc-dmaap-listener-image:2.5.5 pullPolicy: Always # flag to enable debugging - application support required 
@@ -81,6 +83,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: dmaap-listener/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 @@ -105,7 +110,17 @@ ingress: enabled: false service: + type: ClusterIP name: sdnc-dmaap-listener + internalPort: 80 + ports: + - name: http + port: 80 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read #Resource limit flavor -By default using small flavor: small @@ -114,18 +129,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/network-name-gen/Chart.yaml b/kubernetes/sdnc/components/network-name-gen/Chart.yaml new file mode 100644 index 0000000000..e998a64ecc --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/Chart.yaml 
@@ -0,0 +1,34 @@ +# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: Name Generation Micro Service +name: network-name-gen +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: mariadb-init + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/common/network-name-gen/resources/config/aai_keystore b/kubernetes/sdnc/components/network-name-gen/resources/config/aai_keystore similarity index 100% rename from kubernetes/common/network-name-gen/resources/config/aai_keystore rename to kubernetes/sdnc/components/network-name-gen/resources/config/aai_keystore diff --git a/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml b/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml new file mode 100644 index 0000000000..e1fcd235c5 --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml 
@@ -0,0 +1,120 @@ +{{/* +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - name: {{ include "common.name" . }}-readiness + command: + - /app/ready.py + args: +{{- if .Values.global.mariadbGalera.localCluster }} + - --service-name + - {{ include "common.mariadbService" . }} +{{- else }} + - --job-name + - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job +{{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + command: + - bash + args: + - '-c' + - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: SPRING_PROFILE + value: "{{ .Values.config.springProfile }}" + - name: NENG_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} + - name: NENG_DB_PASS + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} + - name: NENG_DB_URL + value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-init" "config" "mysqlDatabase" }} + - name: POL_CLIENT_AUTH + value: "{{ .Values.config.polClientAuth }}" + - name: POL_BASIC_AUTH_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} + - name: POL_BASIC_AUTH_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} + - name: POL_URL + {{- if (include "common.needTLS" .) }} + value: "{{ .Values.config.polUrl.https }}" + {{- else }} + value: "{{ .Values.config.polUrl.http }}" + {{- end }} + - name: POL_ENV + value: "{{ .Values.config.polEnv }}" + - name: POL_REQ_ID + value: "{{ .Values.config.polReqId }}" + - name: AAI_CERT_PASS + value: "{{ .Values.config.aaiCertPass }}" + - name: AAI_CERT_PATH + value: "{{ .Values.config.aaiCertPath }}" + - name: AAI_URI + {{- if (include "common.needTLS" .) }} + value: "{{ .Values.config.aaiUri.https }}" + {{- else }} + value: "{{ .Values.config.aaiUri.http }}" + {{- end }} + - name: AAI_AUTH + value: "{{ .Values.config.aaiAuth }}" + - name: DISABLE_HOST_VERIFICATION + value: "{{ .Values.config.disableHostVerification }}" + volumeMounts: + - name: certs + mountPath: /opt/etc/config/aai_keystore + subPath: aai_keystore + readOnly: true + resources: {{ include "common.resources" . 
| nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: certs + secret: + secretName: {{ include "common.release" . }}-aai-keystore + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/network-name-gen/templates/secrets.yaml b/kubernetes/sdnc/components/network-name-gen/templates/secrets.yaml similarity index 100% rename from kubernetes/common/network-name-gen/templates/secrets.yaml rename to kubernetes/sdnc/components/network-name-gen/templates/secrets.yaml diff --git a/kubernetes/sdnc/components/network-name-gen/templates/service.yaml b/kubernetes/sdnc/components/network-name-gen/templates/service.yaml new file mode 100644 index 0000000000..aac71f7eb3 --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/templates/service.yaml 
@@ -0,0 +1,43 @@ +{{/* +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + ports: + {{if eq .Values.service.type "NodePort" -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + name: {{ .Values.service.portName }} + {{- else -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} + {{- end}} + selector: + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + diff --git a/kubernetes/sdnc/components/network-name-gen/values.yaml b/kubernetes/sdnc/components/network-name-gen/values.yaml new file mode 100644 index 0000000000..9d6a0aef5c --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/values.yaml 
@@ -0,0 +1,136 @@ +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Global configuration default values that can be inherited by +# all subcharts. +################################################################# +global: + + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image pull policy + pullPolicy: IfNotPresent + + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + localCluster: false + service: &dbService mariadb-galera + internalPort: &dbPort 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: neng-db-secret + name: &dbUserSecretName '{{ include "common.release" . }}-neng-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.externalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + - uid: pol-basic-auth-secret + name: '{{ include "common.release" . }}-pol-basic-auth-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . 
}}' + login: '{{ .Values.config.polBasicAuthUser }}' + password: '{{ .Values.config.polBasicAuthPassword }}' + +mariadb-init: + config: + userCredentialsExternalSecret: *dbUserSecretName + mysqlDatabase: nengdb + nameOverride: nengdb-init + mariadb-galera: + nameOverride: *dbService + service: + internalPort: *dbPort + serviceAccount: + nameOverride: nengdb-init + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/ccsdk-apps-ms-neng:1.4.0 +pullPolicy: IfNotPresent + +# application configuration +config: + db: + userName: nenguser + # userPassword: password + # userCredentialsExternalSecret: some-secret + springProfile: live + polClientAuth: cHl0aG9uOnRlc3Q= + polBasicAuthUser: healthcheck + polBasicAuthPassword: zb!XztG34 + polUrl: + https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision + http: http://policy-xacml-pdp:6969/policy/pdpx/v1/decision + polEnv: TEST + polReqId: xx + disableHostVerification: true + aaiCertPass: changeit + aaiCertPath: /opt/etc/config/aai_keystore + aaiAuth: QUFJOkFBSQ== + aaiUri: + https: https://aai:8443/aai/v14/ + http: http://aai:80/aai/v14/ + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: false + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: neng-serv + portName: http + internalPort: 8080 + externalPort: 8080 + +ingress: + enabled: false + +resources: {} + +podAnnotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # 
(https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" + +#Pods Service Account +serviceAccount: + nameOverride: network-name-gen + roles: + - read diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml index c2c119888b..e7342b10e0 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: SDN-C Ansible Server name: sdnc-ansible-server -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
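Review bot: The `config:` block of the new values file (the one setting `image: onap/ccsdk-apps-ms-neng:1.4.0`) ships credentials as chart defaults: `polBasicAuthPassword: zb!XztG34`, `aaiCertPass: changeit`, and the base64 strings in `polClientAuth` and `aaiAuth`. Base64 is an encoding, so anyone who can read the chart has the underlying user:password pairs. The `secrets:` section already declares `pol-basic-auth-secret` with an `externalSecret` hook, so the password default can be dropped or generated, and `polClientAuth`, `aaiAuth` and `aaiCertPass` should be moved behind secrets in the same way. `disableHostVerification: true` sits next to the `https:` URLs with no explanation; either default it to `false` or add a comment saying why verification is off. Separately, the commented hint `# userCredentialsExternalSecret: some-secret` under `config.db` does not match the key the secret template reads, `.Values.config.db.externalSecret`.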
diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml index 51263cf410..f558b71125 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -53,7 +50,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} env: - name: NAMESPACE @@ -64,6 +61,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: ["/bin/bash"] @@ -71,8 +75,7 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -88,9 +91,6 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/RestServer_config name: config subPath: RestServer_config 
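Review bot: In the `@@ -61,6 +64,13` hunk of sdnc-ansible-server/templates/deployment.yaml the readiness init container gets literal `resources` values (`cpu: "100m"`, `memory: "500Mi"` limits, `cpu: "3m"`, `memory: "20Mi"` requests) written straight into the template, and the identical block is repeated in the sdnc-prom, sdnc-web and ueb-listener deployments later in this change. Operators cannot override these per environment, and four copies will drift. Suggest reading them from values (for example a `readinessCheck.resources` key, name hypothetical) or rendering them from one shared helper.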
@@ -103,9 +103,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} @@ -113,5 +110,4 @@ spec: - name: config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml index 3543044eaf..fe45159c64 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml @@ -14,22 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - selector: - app.kubernetes.io/name: {{ include "common.name" . }} - app.kubernetes.io/instance: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml index 7689dcc5e9..a1c90071b0 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml 
@@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -49,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ansible-server-image:2.3.2 +image: onap/sdnc-ansible-server-image:2.5.5 pullPolicy: Always # flag to enable debugging - application support required @@ -78,6 +80,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: ansible-server/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 @@ -101,13 +106,18 @@ readiness: service: type: ClusterIP name: sdnc-ansible-server - portName: http internalPort: 8000 - externalPort: 8000 + ports: + - name: http + port: 8000 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + #Resource Limit flavor -By default using small flavor: small @@ -116,18 +126,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/sdnc-prom/Chart.yaml b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml index b7da488b7c..85bfb265b1 100644 --- a/kubernetes/sdnc/components/sdnc-prom/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml 
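Review bot: `serviceMesh.authorizationPolicy.authorizedPrincipals: []` in the `@@ -101,13 +106,18` hunk of sdnc-ansible-server/values.yaml is left empty with no comment, while sdnc-web in the same change lists `istio-ingress` explicitly. From values.yaml alone a reader cannot tell whether the empty list makes `common.authorizationPolicy` admit every caller or none. Please add a comment stating the effect of an empty list and, where the callers of this service are known, name them so the default is least-privilege rather than implicit.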
@@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP SDNC Policy Driven Ownership Management name: sdnc-prom -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml index 803434cf09..7562a97929 100644 --- a/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: 1 selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -30,9 +27,9 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - sdnc - - --container-name + - --service-name - consul env: - name: NAMESPACE @@ -43,6 +40,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -53,9 +57,6 @@ spec: workingDir: "/app" command: [ "bin/prom.sh" ] volumeMounts: - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: prom-config mountPath: /app/config - name: prom-scripts 
@@ -71,9 +72,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: prom-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -88,5 +86,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-prom/values.yaml b/kubernetes/sdnc/components/sdnc-prom/values.yaml index eb11d646b3..e52bc24a2d 100644 --- a/kubernetes/sdnc/components/sdnc-prom/values.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/values.yaml @@ -93,7 +93,22 @@ persistence: ingress: enabled: false -resources: {} +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} #Pods Service Account serviceAccount: diff --git a/kubernetes/sdnc/components/sdnc-web/Chart.yaml b/kubernetes/sdnc/components/sdnc-web/Chart.yaml index 6dc772376d..db331e19f5 100644 --- a/kubernetes/sdnc/components/sdnc-web/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-web/Chart.yaml @@ -16,18 +16,15 @@ apiVersion: v2 description: SDN-C Web Server name: sdnc-web -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
+++ b/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml index 03432d3b63..90632820e7 100644 --- a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml @@ -23,14 +23,14 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | indent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} env: - name: NAMESPACE @@ -38,6 +38,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} 
@@ -49,34 +56,26 @@ spec: {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - name: WEBPROTOCOL - value: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.webProtocol .Values.config.webPlainProtocol }} + value: {{ .Values.config.webProtocol }} - name: WEBPORT - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.webPort .Values.config.webPlainPort | quote }} + value : {{ .Values.config.webPort | quote }} - name: SDNRPROTOCOL - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrProtocol .Values.config.sdnrPlainProtocol }} + value : {{ .Values.config.sdnrProtocol }} - name: SDNRHOST - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrHost .Values.config.sdnrPlainHost }}.{{ include "common.namespace" . }} + value : {{ .Values.config.sdnrHost }}.{{ include "common.namespace" . }} - name: SDNRPORT - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrPort .Values.config.sdnrPlainPort | quote }} - {{ if (include "common.needTLS" .) 
}} - - name: SSL_CERT_DIR - value: {{ .Values.config.sslCertDir }} - - name: SSL_CERTIFICATE - value: {{ .Values.config.sslCertiticate }} - - name: SSL_CERTIFICATE_KEY - value: {{ .Values.config.sslCertKey }} - {{ end }} + value : {{ .Values.config.sdnrPort | quote }} {{ if .Values.config.transportpce.enabled }} - name: TRPCEURL value: {{ .Values.config.transportpce.transportpceUrl }} @@ -91,11 +90,8 @@ spec: value: "{{ .Values.config.oauth.enabled | default "false" }}" - name: ENABLE_ODLUX_RBAC value: "{{ .Values.config.oauth.odluxRbac.enabled | default "false" }}" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - + - name: SDNRWEBSOCKETPORT + value: "{{ .Values.sdnrWebsocketPort | default "8182" }}" resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} @@ -104,10 +100,4 @@ spec: affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml b/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml 
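Review bot: `SDNRWEBSOCKETPORT` in the `@@ -91,11 +90,8` hunk of sdnc-web/templates/deployment.yaml reads `.Values.sdnrWebsocketPort`, a top-level key, while every other variable in this env block comes from `.Values.config.*`, and none of the sdnc-web values.yaml hunks in this change define it. The only place the value is documented is the inline `default "8182"`. Suggest adding the key under `config:` in values.yaml and reading it from there, so the port is discoverable and overridable like `webPort` and `sdnrPort`.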
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/sdnc/components/sdnc-web/templates/service.yaml b/kubernetes/sdnc/components/sdnc-web/templates/service.yaml index 216073eee6..b4b437ccfe 100644 --- a/kubernetes/sdnc/components/sdnc-web/templates/service.yaml +++ b/kubernetes/sdnc/components/sdnc-web/templates/service.yaml @@ -13,5 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- include "common.service" . -}} +{{ include "common.service" . }} diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml index ecc5573f28..98e44d02ab 100644 --- a/kubernetes/sdnc/components/sdnc-web/values.yaml +++ b/kubernetes/sdnc/components/sdnc-web/values.yaml 
@@ -16,31 +16,22 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 322 - k8scluster: svc.cluster.local + ################################################################# # Application configuration defaults. ################################################################# # application image -image: "onap/sdnc-web-image:2.3.2" +image: "onap/sdnc-web-image:2.5.5" pullPolicy: Always config: sdncChartName: sdnc - webProtocol: HTTPS - webPlainProtocol: HTTP - webPort: 8443 - webPlainPort: 8080 - sdnrProtocol: https - sdnrPlainProtocol: http + webProtocol: HTTP + webPort: 8080 + sdnrProtocol: http sdnrHost: "sdnc" - sdnrPlainHost: "sdnc" - sdnrPort: "8443" - sdnrPlainPort : "8080" - sslCertDir: "/opt/app/osaaf/local/certs" - sslCertiticate: "cert.pem" - sslCertKey: "key.pem" + sdnrPort: "8282" oauth: enabled: false odluxRbac: 
@@ -53,31 +44,6 @@ config: topologyserverUrl: http://toplogy-api-service.topology:3001 tileserverUrl: https://tile.openstreetmap.org - -################################################################# -# aaf configuration defaults. -################################################################# -certInitializer: - nameOverride: sdnc-web-cert-initializer - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: "org.onap.sdnc" - public_fqdn: "sdnc.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd /opt/app/osaaf/local; - mkdir -p certs; - export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password; - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12; - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - chmod -R 755 certs; - # default number of instances replicaCount: 1 @@ -99,22 +65,27 @@ readiness: service: name: sdnc-web - suffix: service type: NodePort - sessionAffinity: ClientIP # for liveness and readiness probe only # internalPort: - internalPort: 8443 - internalPlainPort: 8080 + internalPort: 8080 ports: - - name: http-sdnc-web - port: "8443" - plain_port: "8080" - port_protocol: http + - name: http + port: "8080" nodePort: "05" -#ingress: -# enabled: false +ingress: + enabled: false + service: + - baseaddr: "sdnc-web-ui" + name: "sdnc-web" + port: 8080 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress #Resource limit flavor -By default using small flavor: small 
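Review bot: In the `@@ -99,22 +65,27` hunk of sdnc-web/values.yaml the Service keeps `type: NodePort` and `nodePort: "05"` while the port moves from 8443 to plain 8080 and the chart's own certificate handling (`certInitializer`, the `SSL_CERTIFICATE*` variables) is removed elsewhere in this change, so the web UI is now exposed as unencrypted HTTP on a node port by default. The new `ingress.service` entry and the `istio-ingress` principal under `authorizedPrincipals` show that traffic is meant to arrive through the mesh gateway. Suggest defaulting the Service to `ClusterIP`, or adding a comment explaining why the NodePort stays, and stating in values.yaml that transport encryption is now expected from the service mesh.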
@@ -122,18 +93,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/ueb-listener/Chart.yaml b/kubernetes/sdnc/components/ueb-listener/Chart.yaml index d9df7aff85..a7dff1364b 100644 --- a/kubernetes/sdnc/components/ueb-listener/Chart.yaml +++ b/kubernetes/sdnc/components/ueb-listener/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: SDNC UEB Listener name: ueb-listener -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml b/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml new file mode 100644 index 0000000000..d0c1f718b5 --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml @@ -0,0 +1,25 @@ + + + + $${env:LOGDIR:-logs} + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties index 45a80af8a6..e27ef36bee 100644 --- a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties +++ b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties 
@@ -1,11 +1,9 @@ -{{- if (include "common.needTLS" .) }} -org.onap.ccsdk.sli.northbound.uebclient.asdc-address=sdc-be.{{.Release.Namespace}}:8443 -{{- else }} -org.onap.ccsdk.sli.northbound.uebclient.asdc-address=sdc-be.{{.Release.Namespace}}:8080 +org.onap.ccsdk.sli.northbound.uebclient.sdc-address=sdc-be.{{.Release.Namespace}}:8080 org.onap.ccsdk.sli.northbound.uebclient.use-https=false +{{- with (first .Values.kafkaUser.acls) }} +org.onap.ccsdk.sli.northbound.uebclient.consumer-group={{ .name }} +org.onap.ccsdk.sli.northbound.uebclient.consumer-id={{ .name }}-sdc-listener {{- end }} -org.onap.ccsdk.sli.northbound.uebclient.consumer-group=sdc-OpenSource-Env1-sdnc-dockero -org.onap.ccsdk.sli.northbound.uebclient.consumer-id=sdc-COpenSource-Env11-sdnc-dockero org.onap.ccsdk.sli.northbound.uebclient.environment-name=AUTO org.onap.ccsdk.sli.northbound.uebclient.password=${UEB_PASSWORD} org.onap.ccsdk.sli.northbound.uebclient.user=${UEB_USER} @@ -24,4 +22,3 @@ org.onap.ccsdk.sli.northbound.uebclient.keystore-path= org.onap.ccsdk.sli.northbound.uebclient.keystore-password= org.onap.ccsdk.sli.northbound.uebclient.xslt-path-list=/opt/onap/sdnc/ueb-listener/lib/normalizeTagNames.xslt,/opt/onap/sdnc/ueb-listener/lib/removeNs.xslt org.onap.ccsdk.sli.northbound.uebclient.artifact-map=/opt/onap/sdnc/data/properties/artifact.map -org.onap.ccsdk.sli.northbound.uebclient.msg-bus-address=message-router.{{.Release.Namespace}},message-router.{{.Release.Namespace}} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml 
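Review bot: In the `@@ -1,11 +1,9` hunk of ueb-listener.properties, `{{- with (first .Values.kafkaUser.acls) }}` takes the consumer group from whichever ACL happens to be listed first. With the values added in this change that is the `type: group` entry named `sdnc`, but reordering the list, or putting the `SDC-DISTR` topic entry first, would silently set `consumer-group` to a topic name that the KafkaUser has no group ACL for. If `acls` is empty the `with` block renders nothing and both `consumer-group` and `consumer-id` disappear from the file without an error. Suggest selecting the entry by `type: group` explicitly and failing the render (`required` or `fail`) when none is found.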
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml b/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml index a23a6af460..1a6efe4c41 100644 --- a/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -56,14 +53,12 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} - - --container-name + - --service-name - {{ .Values.config.sdcbeChartName }} - - --container-name - - {{ .Values.config.msgRouterContainerName }} env: - name: NAMESPACE valueFrom: 
@@ -73,6 +68,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - command: - /opt/onap/sdnc/ueb-listener/bin/start-ueb-listener.sh @@ -86,17 +88,23 @@ spec: value: "{{ .Values.config.configDir }}" - name: LOG4J_FORMAT_MSG_NO_LOOKUPS value: "true" + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/dblib.properties name: properties subPath: dblib.properties - mountPath: {{ .Values.config.configDir }}/ueb-listener.properties name: properties subPath: ueb-listener.properties + - mountPath: {{ .Values.config.configDir }}/log4j2.xml + name: properties + subPath: log4j2.xml resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} @@ -105,9 +113,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} @@ -115,5 +120,4 @@ spec: - name: properties emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml b/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/service.yaml b/kubernetes/sdnc/components/ueb-listener/templates/service.yaml index 728ba05046..77b0d878c1 100644 --- a/kubernetes/sdnc/components/ueb-listener/templates/service.yaml +++ b/kubernetes/sdnc/components/ueb-listener/templates/service.yaml @@ -14,17 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: ClusterIP - clusterIP: None +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/values.yaml b/kubernetes/sdnc/components/ueb-listener/values.yaml index 4d3cce7076..bccb1d7af6 100644 --- a/kubernetes/sdnc/components/ueb-listener/values.yaml +++ b/kubernetes/sdnc/components/ueb-listener/values.yaml 
@@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -55,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ueb-listener-image:2.3.2 +image: onap/sdnc-ueb-listener-image:2.5.5 pullPolicy: Always # flag to enable debugging - application support required @@ -92,6 +94,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: ueb-listener/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 @@ -113,29 +118,49 @@ readiness: periodSeconds: 10 service: + type: ClusterIP name: sdnc-ueb-listener + internalPort: 80 + ports: + - name: http + port: 80 + +# Strimzi KafkaUser definition +kafkaUser: + acls: + - name: sdnc + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + #Resource limit flavor -By default using small flavor: small #Segregation for different environment (small and large) resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh b/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh new file mode 100644 index 0000000000..28c703b1bd --- /dev/null +++ b/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh 
@@ -0,0 +1,30 @@ +#!/bin/sh + +### +# ============LICENSE_START======================================================= +# ONAP : SDN-C +# ================================================================================ +# Copyright (C) 2023 highstreet technologies Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +### + +echo "Create '${SDNRDBDATABASE}' and user '${SDNRDBUSERNAME}' within maria-galera database cluster" +root_user=root +mysql -v -v -u $root_user -p${MYSQL_ROOT_PASSWORD} -Bse "\ +CREATE DATABASE IF NOT EXISTS ${SDNRDBDATABASE}; \ +CREATE USER IF NOT EXISTS ${SDNRDBUSERNAME}@'%' IDENTIFIED BY '${SDNRDBPASSWORD}'; \ +GRANT ALL PRIVILEGES ON ${SDNRDBDATABASE}.* TO '${SDNRDBUSERNAME}'@'%'; \ +FLUSH PRIVILEGES; " + diff --git a/kubernetes/sdnc/resources/config/conf/aaiclient.properties b/kubernetes/sdnc/resources/config/conf/aaiclient.properties index 5108a9d005..971a446d64 100755 --- a/kubernetes/sdnc/resources/config/conf/aaiclient.properties +++ b/kubernetes/sdnc/resources/config/conf/aaiclient.properties 
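Review bot: createSdnrDb.sh passes the root password as `-p${MYSQL_ROOT_PASSWORD}` on the `mysql` command line and runs with `-v -v`, so the password is visible in the process list and the echoed `CREATE USER ... IDENTIFIED BY '${SDNRDBPASSWORD}'` statement ends up in the container output. Suggest handing the root password to the client through a client option file (`--defaults-extra-file`) or the `MYSQL_PWD` environment variable and dropping the `-v` flags. The shell variables are also spliced unescaped into the SQL text, so a password or database name containing `'` or a backtick breaks or alters the statement, and the account is written unquoted in `CREATE USER ${SDNRDBUSERNAME}@'%'` but quoted in `GRANT ... TO '${SDNRDBUSERNAME}'@'%'`; quote both the same way. `GRANT ALL PRIVILEGES` is broader than an application account usually needs, and the script has no `set -e` or exit-status check, so a failed `mysql` call is not reported to the caller.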
@@ -38,11 +38,7 @@ org.onap.ccsdk.sli.adaptors.aai.application=openECOMP # # Configuration file for A&AI Client # -{{- if (include "common.needTLS" .) }} -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 -{{- else }} org.onap.ccsdk.sli.adaptors.aai.uri=http://aai.{{.Release.Namespace}}:80 -{{- end }} connection.timeout=60000 read.timeout=60000 diff --git a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties index 303e504aa9..9e5e25443f 100644 --- a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties +++ b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties 
@@ -1,43 +1,43 @@ [general] -dmaapEnabled={{.Values.config.sdnr.mountpointRegistrarEnabled | default "false"}} -{{ if .Values.global.aafEnabled }} -baseUrl=https://localhost:{{.Values.service.internalPort4}} -{{- else }} -baseUrl=http://localhost:{{.Values.service.internalPort}} -{{- end }} +baseUrl=http://{{.Values.service.name}}.{{.Release.Namespace}}:{{.Values.service.externalPort}} sdnrUser=${ODL_ADMIN_USERNAME} sdnrPasswd=${ODL_ADMIN_PASSWORD} +[strimzi-kafka] +strimziEnabled=${SDNR_KAFKA_ENABLED} +bootstrapServers=${SDNR_KAFKA_BOOTSTRAP_SERVERS} +securityProtocol=${SDNR_KAFKA_SECURITY_PROTOCOL} +saslMechanism=${SDNR_KAFKA_SASL_MECHANISM} +saslJaasConfig=${SDNR_KAFKA_SASL_JASS_CONFIG} + [fault] -faultConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPFaultVESMsgConsumer -TransportType=HTTPNOAUTH -host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}} -{{- if .Values.config.sdnr.dmaapProxy.enabled }} -{{- if .Values.config.sdnr.dmaapProxy.usepwd }} -jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME} -jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD} -{{- end }} -jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }} -{{- end }} topic=unauthenticated.SEC_FAULT_OUTPUT -contenttype=application/json -group=myG -id=C1 +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 +limit=10000 +fetchPause=5000 + +[provisioning] +topic=unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 limit=10000 +fetchPause=5000 [pnfRegistration] -pnfRegConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPPNFRegVESMsgConsumer -TransportType=HTTPNOAUTH -host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}} -{{- if .Values.config.sdnr.dmaapProxy.enabled }} -{{- if .Values.config.sdnr.dmaapProxy.usepwd }} 
-jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME} -jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD} -{{- end }} -jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }} -{{- end }} topic=unauthenticated.VES_PNFREG_OUTPUT -contenttype=application/json -group=myG -id=C1 +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 +limit=10000 +fetchPause=5000 + +[stndDefinedFault] +topic=unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 limit=10000 +fetchPause=5000 diff --git a/kubernetes/sdnc/resources/env.yaml b/kubernetes/sdnc/resources/env.yaml index f02f8aef16..d1eec9b189 100644 --- a/kubernetes/sdnc/resources/env.yaml +++ b/kubernetes/sdnc/resources/env.yaml @@ -14,7 +14,7 @@ # limitations under the License. */}} -SDNC_AAF_ENABLED: "{{ .Values.global.aafEnabled }}" +SDNC_AAF_ENABLED: "false" SDNC_GEO_ENABLED: "{{ .Values.config.geoEnabled }}" SDNC_IS_PRIMARY_CLUSTER: "{{ .Values.config.isPrimaryCluster }}" SDNC_ODL_COUNT: "{{ .Values.replicaCount }}" diff --git a/kubernetes/sdnc/templates/authorizationpolicy.yaml b/kubernetes/sdnc/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..672ddf0b2f --- /dev/null +++ b/kubernetes/sdnc/templates/authorizationpolicy.yaml 
@@ -0,0 +1,61 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsSdnHosts := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsSdnHosts -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: sdnhost-{{ include "common.servicename" . }}-authz + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: sdnhost-{{ include "common.name" . 
}} + action: ALLOW + rules: +{{- if $authorizedPrincipalsSdnHosts }} +{{- range $principal := $authorizedPrincipalsSdnHosts }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/sdnc/templates/job.yaml b/kubernetes/sdnc/templates/job.yaml index b6dc32b096..ffd578f3f1 100755 --- a/kubernetes/sdnc/templates/job.yaml +++ b/kubernetes/sdnc/templates/job.yaml @@ -34,7 +34,7 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: @@ -75,21 +75,6 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.mariadbService" . }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -159,10 +144,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d emptyDir: {} - name: bin @@ -177,6 +160,5 @@ spec: emptyDir: medium: Memory restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- end -}} diff --git a/kubernetes/sdnc/templates/kafkauser.yaml b/kubernetes/sdnc/templates/kafkauser.yaml new file mode 100644 index 0000000000..48c4754db8 --- /dev/null +++ b/kubernetes/sdnc/templates/kafkauser.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 highstreet technologies GmbH +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.config.sdnr.kafka.enabled }} +{{ include "common.kafkauser" . }} +{{ end }} diff --git a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml index 665e16c9f8..1845f6cc9f 100755 --- a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml +++ b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml 
@@ -23,23 +23,21 @@ spec: metadata: {{ include "common.templateMetadata" . | indent 6}} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 }} - {{ if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-chown - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }}"] - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - {{ end }} - name: {{ include "common.name" . }}-readiness command: - /app/ready.py args: + {{- if .Values.config.sdnr.mariadb.enabled }} + - --service-name + - {{ include "common.mariadbService" . }} + {{- else }} - --container-name - {{.Values.elasticsearch.nameOverride}}-elasticsearch - --container-name - {{.Values.elasticsearch.nameOverride}}-nginx - --container-name - {{.Values.elasticsearch.nameOverride}}-master + {{- end }} env: - name: NAMESPACE valueFrom: @@ -48,6 +46,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-sdnrdb-init-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -56,10 +61,13 @@ spec: args: - -c - | + {{- if .Values.config.sdnr.mariadb.enabled }} + "{{ .Values.config.binDir }}/createSdnrDb.sh"; + {{- end }} sleep 90; "{{ .Values.config.binDir }}/startODL.sh" env: - name: SDNC_AAF_ENABLED - value: "{{ .Values.global.aafEnabled}}" + value: "false" - name: SDNC_HOME value: "{{.Values.config.sdncHome}}" - name: ETC_DIR 
@@ -69,16 +77,34 @@ spec: ## start sdnrdb parameter - name: SDNRINIT value: "true" + {{- if .Values.config.sdnr.mariadb.enabled }} + - name: SDNRDBTYPE + value: MARIADB + - name: MYSQL_HOST + value: {{ include "common.mariadbService" . }} + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} + - name: SDNRDBURL + value: "jdbc:mysql://{{ include "common.mariadbService" . }}:3306/{{ .Values.config.sdnr.mariadb.databaseName }}" + - name: SDNRDBDATABASE + value: "{{ .Values.config.sdnr.mariadb.databaseName }}" + - name: SDNRDBUSERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "login") | indent 12 }} + - name: SDNRDBPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "password") | indent 12 }} + {{- else }} - name: SDNRDBURL - {{ if .Values.global.aafEnabled -}} - value: "https://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" - {{- else -}} value: "http://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" - {{- end }} - name: SDNRDBPARAMETER value: "-k" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - resources: {{ include "common.resources" . | nindent 12 }} + {{- end }} + {{- if .Values.config.sdnr.mariadb.enabled }} + volumeMounts: + - mountPath: {{ .Values.config.binDir }}/createSdnrDb.sh + name: bin + subPath: createSdnrDb.sh + {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if include "common.onServiceMesh" . }} - name: sdnrdb-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} 
@@ -103,10 +129,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d emptyDir: {} - name: bin @@ -117,9 +141,6 @@ spec: configMap: name: {{ include "common.fullname" . }}-properties defaultMode: 0644 -{{ include "common.certInitializer.volumes" . | nindent 6 }} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end -}} diff --git a/kubernetes/sdnc/templates/service.yaml b/kubernetes/sdnc/templates/service.yaml index d2482eab56..052cfe16ad 100644 --- a/kubernetes/sdnc/templates/service.yaml +++ b/kubernetes/sdnc/templates/service.yaml @@ -38,18 +38,18 @@ metadata: } ]' spec: - type: NodePort + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} ports: - name: "{{ .Values.service.portName }}-restconf" - {{ if not .Values.global.aafEnabled }} port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - {{- else -}} - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - {{ end }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort4 }} + {{ end }} {{ if .Values.config.sdnr.enabled }} + - name: "{{ .Values.service.portName }}-sdnrwebsocket" + port: {{ .Values.service.sdnrWebsocketPort | default "8182" }} + targetPort: {{ .Values.service.sdnrWebsocketPort }} sessionAffinity: ClientIP {{ end }} selector: 
@@ -70,13 +70,8 @@ spec: type: ClusterIP ports: - name: "{{ .Values.service.portName }}-restconf-alt" - {{ if .Values.global.aafEnabled }} port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - {{- else -}} - port: {{ .Values.service.internalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - {{ end }} - name: "{{ .Values.service.portName }}-karaf" port: {{ .Values.service.externalPort2 }} targetPort: {{ .Values.service.internalPort2 }} @@ -113,18 +108,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-0 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 spec: ports: - - name: {{ .Values.service.portName }}-0-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort4 }} - name: {{ .Values.service.portName }}-0-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort1 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 {{ end }} 
@@ -136,18 +130,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-1 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-1 spec: ports: - - name: {{ .Values.service.portName }}-1-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort5 }} - name: {{ .Values.service.portName }}-1-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort2 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-1 {{ end }} 
@@ -159,18 +152,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-2 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 spec: ports: - - name: {{ .Values.service.portName }}-2-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort6 }} - name: {{ .Values.service.portName }}-2-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort3 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 {{ end }} @@ -188,12 +180,14 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: - type: NodePort + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} ports: - name: "{{ .Values.service.portName }}-callhome" port: {{ .Values.service.callHomePort }} targetPort: {{ .Values.service.callHomePort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.callHomeNodePort }} + {{ end }} selector: app.kubernetes.io/name: {{ include "common.name" . }} app.kubernetes.io/instance: {{ include "common.release" . }} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index d252c9a3fb..666a8ada12 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml 
+++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -20,13 +20,10 @@ apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }}-cluster - replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }}-cluster podManagementPolicy: Parallel + replicas: {{ .Values.replicaCount }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: 
@@ -105,22 +102,29 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} - name: ODL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} - {{ if and .Values.config.sdnr.dmaapProxy.enabled .Values.config.sdnr.dmaapProxy.usepwd }} - - name: DMAAP_HTTP_PROXY_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "login") | indent 10 }} - - name: DMAAP_HTTP_PROXY_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }} - {{- end }} {{ if .Values.config.sdnr.oauth.enabled }} - name: OAUTH_TOKEN_SECRET {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oauth-token-secret" "key" "password") | indent 10 }} - name: KEYCLOAK_SECRET {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keycloak-secret" "key" "password") | indent 10 }} - - name: ENABLE_ODLUX_RBAC value: "{{ .Values.config.sdnr.oauth.odluxRbac.enabled | default "true" }}" {{ end }} - + - name: SDNR_KAFKA_ENABLED + value: "{{ .Values.config.sdnr.kafka.enabled | default "false" }}" + {{ if .Values.config.sdnr.kafka.enabled }} + - name: SDNR_KAFKA_BOOTSTRAP_SERVERS + value: "{{ .Values.config.sdnr.kafka.bootstrapServers | default (include "common.release" .) }}-strimzi-kafka-bootstrap.{{.Release.Namespace}}:9092" + - name: SDNR_KAFKA_SECURITY_PROTOCOL + value: "{{ .Values.config.sdnr.kafka.securityProtocol | default "SASL_PLAINTEXT" }}" + - name: SDNR_KAFKA_SASL_MECHANISM + value: "{{ .Values.config.sdnr.kafka.saslMechanism | default "SCRAM-SHA-512" }}" + - name: SDNR_KAFKA_SASL_JASS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{ end }} volumeMounts: - mountPath: /config-input name: config-input 
@@ -134,7 +138,7 @@ spec: - /app/ready.py args: {{ if .Values.dgbuilder.enabled -}} - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - --job-name - {{ include "common.fullname" . }}-dbinit-job @@ -152,8 +156,14 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness - {{ end -}} -{{ include "common.certInitializer.initContainer" . | indent 6 }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + {{ end }} - name: {{ include "common.name" . }}-chown image: {{ include "repositoryGenerator.image.busybox" . }} command: @@ -165,11 +175,7 @@ spec: mkdir {{ .Values.persistence.mdsalPath }}/snapshots mkdir {{ .Values.persistence.mdsalPath }}/daexim chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }} -{{- if .Values.global.aafEnabled }} - chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }} -{{- end }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - mountPath: {{ .Values.persistence.mdsalPath }} name: {{ include "common.fullname" . }}-data containers: @@ -268,7 +274,7 @@ spec: - name: GEO_ENABLED value: "{{ .Values.config.geoEnabled}}" - name: SDNC_AAF_ENABLED - value: "{{ .Values.global.aafEnabled}}" + value: "false" - name: SDNC_REPLICAS value: "{{ .Values.replicaCount }}" - name: MYSQL_HOST 
@@ -297,13 +303,31 @@ spec: {{- end }} - name: SDNRONLY value: "{{ .Values.config.sdnr.sdnronly | default "false" }}" + {{- if .Values.config.sdnr.mariadb.enabled }} + - name: SDNRCONTROLLERID + value: {{ uuidv4 }} + - name: SDNRDBTYPE + value: MARIADB + - name: SDNRDBURL + value: "jdbc:mysql://{{ include "common.mariadbService" . }}:3306/{{ .Values.config.sdnr.mariadb.databaseName}}" + - name: SDNR_DB_DATABASE + value: {{ .Values.config.sdnr.mariadb.databaseName }} + - name: SDNRDBUSERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "login") | indent 12 }} + - name: SDNRDBPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "password") | indent 12 }} + - name: SDNR_ASYNC_HANDLING + value: {{ .Values.config.sdnr.mariadb.asyncHandling | default "false" | quote }} + - name: SDNR_ASYNC_POOLSIZE + value: {{ .Values.config.sdnr.mariadb.asyncPoolSize | default 200 | quote }} + {{- else }} - name: SDNRDBURL - {{- $prefix := ternary "https" "http" .Values.global.aafEnabled}} - value: "{{$prefix}}://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" + value: "http://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" {{- if .Values.config.sdnr.sdnrdbTrustAllCerts }} - name: SDNRDBTRUSTALLCERTS value: "true" {{- end }} + {{- end }} {{- if .Values.global.cmpv2Enabled }} - name: ODL_CERT_DIR value: {{ (mustFirst (.Values.certificates)).mountPath }} 
@@ -332,15 +356,26 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ves-collector-secret" "key" "login") | indent 12 }} - name: SDNR_VES_COLLECTOR_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ves-collector-secret" "key" "password") | indent 12 }} + - name: SDNR_WEBSOCKET_PORT + value: "{{ .Values.sdnrWebsocketPort | default "8182"}}" + - name: SDNR_KAFKA_ENABLED + value: "{{ .Values.config.sdnr.kafka.enabled | default "false" }}" + {{ if .Values.config.sdnr.kafka.enabled }} + - name: SDNR_KAFKA_BOOTSTRAP_SERVERS + value: "{{ .Values.config.sdnr.kafka.bootstrapServers | default (include "common.release" .) }}-strimzi-kafka-bootstrap.{{.Release.Namespace}}:9092" + - name: SDNR_KAFKA_SECURITY_PROTOCOL + value: "{{ .Values.config.sdnr.kafka.securityProtocol | default "PLAINTEXT" }}" + - name: SDNR_KAFKA_SASL_MECHANISM + value: "{{ .Values.config.sdnr.kafka.saslMechanism | default "PLAIN" }}" + - name: SDNR_KAFKA_SASL_JASS_CONFIG + value: "{{ .Values.config.sdnr.kafka.saslJassConfig | default "PLAIN" }}" + {{ end }} + volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} {{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumeMounts" . | indent 10 }} {{- end }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/opendaylight/current/etc/org.ops4j.pax.logging.cfg name: sdnc-logging-cfg-config subPath: org.ops4j.pax.logging.cfg @@ -413,13 +448,9 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" . | nindent 8 }} 
@@ -441,7 +472,6 @@ spec: - name: {{ include "common.fullname" . }}-data emptyDir: {} {{ else }} -{{ include "common.certInitializer.volumes" . | nindent 8 }} {{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumes" . | nindent 8 }} {{- end }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 83a30caadf..dc5fe7469c 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -22,15 +22,19 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - aafEnabled: true centralizedLoggingEnabled: true mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false - service: mariadb-galera + service: &mariadbService mariadb-galera internalPort: 3306 - nameOverride: mariadb-galera + nameOverride: &mariadbName mariadb-galera + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: + ################################################################# # Secrets metaconfig 
@@ -45,13 +49,18 @@ secrets: # override this secret using external one with the same field that is used # to pass this to subchart. externalSecret: '{{ .Values.global.mariadbGalera.localCluster | - ternary ((hasSuffix "sdnc-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | - ternary - "" - (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)) - (include "common.mariadb.secret.rootPassSecretName" - (dict "dot" . - "chartName" .Values.global.mariadbGalera.nameOverride)) }}' + ternary (( hasSuffix "sdnc-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' - uid: db-secret name: &dbSecretName '{{ include "common.release" . }}-sdnc-db-secret' @@ -72,14 +81,6 @@ secrets: password: '{{ .Values.config.odlPassword }}' # For now this is left hardcoded but should be revisited in a future passwordPolicy: required - - uid: dmaap-proxy-creds - name: &dmaapProxyCredsSecretName '{{ include "common.release" . }}-sdnc-dmaap-proxy-creds' - type: basicAuth - externalSecret: '{{ .Values.config.dmaapProxyCredsExternalSecret }}' - login: '{{ .Values.config.sdnr.dmaapProxy.user }}' - password: '{{ .Values.config.sdnr.dmaapProxy.password }}' - # For now this is left hardcoded but should be revisited in a future - passwordPolicy: required - uid: netbox-apikey type: password externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}' 
@@ -185,6 +186,11 @@ secrets: type: basicAuth login: '{{ .Values.config.sdnr.vesCollector.username }}' password: '{{ .Values.config.sdnr.vesCollector.password }}' + - uid: sdnrdb-secret + name: &sdnrdbSecretName '{{ include "common.release" . }}-sdnc-sdnrdb-secret' + type: basicAuth + login: '{{ index .Values "config" "sdnr" "mariadb" "user" }}' + password: '{{ index .Values "config" "sdnr" "mariadb" "password" }}' ################################################################# # Certificates ################################################################# @@ -210,7 +216,7 @@ certificates: # application images pullPolicy: Always -image: onap/sdnc-image:2.3.2 +image: onap/sdnc-image:2.5.5 # flag to enable debugging - application support required debugEnabled: false 
@@ -324,18 +330,50 @@ config: # sdnronly: true starts sdnc container with odl and sdnrwt features only sdnronly: false sdnrdbTrustAllCerts: true - mountpointRegistrarEnabled: false + elasticsearch: + ## for legacy eleasticsearch database + enabled: &esdbenabled true + # enabled: &esdbenabled false + mariadb: + ## for legacy eleasticsearch database + enabled: false + # enabled: true + databaseName: sdnrdb + user: sdnrdb + externalSecret: *sdnrdbSecretName + asyncHandling: true + asyncPoolSize: 200 + kafka: + enabled: false + consumerGroupPrefix: &consumerGroupPrefix sdnr + # Strimzi KafkaUser config see configuration below + kafkaUser: &kafkaUser + acls: + - name: unauthenticated.SEC_ + type: topic + patternType: prefix + operations: [Read] + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Read] + - name: *consumerGroupPrefix + type: group + patternType: prefix + operations: [Read] + ## set if bootstrap server is not OOM standard + # bootstrapServers: [] + ## set connection parameters if not default + # securityProtocol: PLAINTEXT + # saslMechanism: SCRAM-SHA-512 + ## saslJassConfig: provided by secret + + mountpointStateProviderEnabled: false netconfCallHome: enabled: true - # - # enable and set dmaap-proxy for mountpointRegistrar - dmaapProxy: - enabled: false - usepwd: true - user: addUserHere - password: addPasswordHere - url: addProxyUrlHere + + oauth: enabled: false tokenIssuer: ONAP SDNC 
@@ -366,32 +404,19 @@ config: username: sample1 password: sample1 address: dcae-ves-collector.onap - port: 8443 + port: 8080 version: v7 reportingEntityName: ONAP SDN-R eventLogMsgDetail: SHORT -# dependency / sub-chart configuration -certInitializer: - nameOverride: sdnc-cert-initializer - truststoreMountpath: /opt/onap/sdnc/data/stores - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: org.onap.sdnc - public_fqdn: "sdnc.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd /opt/app/osaaf/local; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1 +# Strimzi KafkaUser/Topic config on top level +kafkaUser: *kafkaUser + # dependency / sub-chart configuration network-name-gen: enabled: true + mariadb-galera: &mariadbGalera nameOverride: &sdnc-db sdnc-db config: &mariadbGaleraConfig @@ -401,15 +426,19 @@ mariadb-galera: &mariadbGalera rootUser: externalSecret: *rootDbSecret db: + name: *sdncDbName user: *dbUser externalSecret: *dbSecretName service: - name: sdnc-dbhost + name: sdnc-db sdnctlPrefix: sdnc persistence: mountSubPath: sdnc/mariadb-galera enabled: true replicaCount: 1 + mariadbOperator: + galera: + enabled: false serviceAccount: nameOverride: *sdnc-db @@ -461,8 +490,6 @@ sdnc-ansible-server: dgbuilder: enabled: true nameOverride: sdnc-dgbuilder - certInitializer: - nameOverride: sdnc-dgbuilder-cert-initializer config: db: dbName: *sdncDbName 
@@ -472,8 +499,8 @@ dgbuilder: (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" "mariadb-galera")) }}' userCredentialsExternalSecret: *dbSecretName - dbPodName: mariadb-galera - dbServiceName: mariadb-galera + dbPodName: *mariadbName + dbServiceName: *mariadbService # This should be revisited and changed to plain text dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 serviceAccount: @@ -481,17 +508,17 @@ dgbuilder: mariadb-galera: service: name: sdnc-dgbuilder - nodePort: "03" + ports: + - name: http + port: 3100 + nodePort: "03" ingress: enabled: false service: - - baseaddr: "sdnc-dgbuilder" + - baseaddr: "sdnc-dgbuilder-ui" name: "sdnc-dgbuilder" - port: 3000 - - baseaddr: "sdnc-web-service" - name: "sdnc-web-service" - port: 8443 + port: 3100 config: ssl: "redirect" @@ -500,12 +527,9 @@ dgbuilder: # local elasticsearch cluster localElasticCluster: true elasticsearch: + enabled: *esdbenabled nameOverride: &elasticSearchName sdnrdb name: sdnrdb-cluster - certInitializer: - fqdn: "sdnc" - fqi_namespace: org.onap.sdnc - fqi: "sdnc@sdnc.onap.org" service: name: *elasticSearchName master: @@ -521,6 +545,8 @@ elasticsearch: # enable sdnc-web: enabled: true + ## set if web socket port should not be default + # sdnrWebsocketPort: *sdnrWebsocketPort # default number of instances replicaCount: 1 @@ -547,7 +573,6 @@ service: internalPort: 8181 internalPort2: 8101 internalPort3: 8080 - internalPort4: 8443 #port externalPort: 8282 @@ -556,7 +581,6 @@ service: externalPort3: 8280 - externalPort4: 8443 nodePort4: 67 clusterPort: 2550 @@ -570,8 +594,12 @@ service: geoNodePort5: 65 geoNodePort6: 66 - callHomePort: 6666 + callHomePort: &chport 4334 callHomeNodePort: 66 + ## set if web socket port should not be default + ## change in sdnc-web section as well + # sdnrWebsocketPort: &sdnrWebsocketPort 8182 + ## Persist data to a persitent volume persistence: 
@@ -598,31 +626,41 @@ persistence: journalPath: /opt/opendaylight/segmented-journal snapshotsPath: /opt/opendaylight/snapshots -certpersistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 50Mi - mountPath: /dockerdata-nfs - mountSubPath: sdnc/certs - certPath: /opt/app/osaaf - ##storageClass: "manual" - ingress: enabled: false service: - - baseaddr: "sdnc.api" - name: "sdnc" - port: 8443 + - baseaddr: "sdnc-api" + name: "sdnc" + port: 8282 + - baseaddr: "sdnc-callhome" + name: "sdnc-callhome" + port: *chport + protocol: tcp + exposedPort: *chport + exposedProtocol: TCP config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: a1policymanagement-read + - serviceAccount: cds-blueprints-processor-read + - serviceAccount: consul-read + - serviceAccount: ncmp-dmi-plugin-read + - serviceAccount: policy-drools-pdp-read + - serviceAccount: robot-read + - serviceAccount: sdnc-ansible-server-read + - serviceAccount: sdnc-dmaap-listener-read + - serviceAccount: sdnc-prom-read + - serviceAccount: sdnc-ueb-listener-read + - serviceAccount: sdnc-web-read + - serviceAccount: so-sdnc-adapter-read + - serviceAccount: istio-ingress + namespace: istio-ingress + authorizedPrincipalsSdnHosts: + - serviceAccount: sdnc-read + #Resource Limit flavor -By Default using small flavor: small #segregation for different envionment (Small and Large) @@ -630,18 +668,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4.7Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "4.7Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "9.4Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "9.4Gi" unlimited: {} #Pods Service Account 
@@ -653,3 +691,8 @@ serviceAccount: #Log configuration log: path: /var/log/onap + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/sniro-emulator/.helmignore b/kubernetes/sniro-emulator/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/sniro-emulator/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/sniro-emulator/Chart.yaml b/kubernetes/sniro-emulator/Chart.yaml deleted file mode 100644 index d155d5e8cc..0000000000 --- a/kubernetes/sniro-emulator/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Mock Sniro Emulator -name: sniro-emulator -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/sniro-emulator/templates/NOTES.txt b/kubernetes/sniro-emulator/templates/NOTES.txt deleted file mode 100644 index c233cade6b..0000000000 --- a/kubernetes/sniro-emulator/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . 
}} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/sniro-emulator/templates/deployment.yaml b/kubernetes/sniro-emulator/templates/deployment.yaml deleted file mode 100644 index 0dff4eb7be..0000000000 --- a/kubernetes/sniro-emulator/templates/deployment.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sniro-emulator/templates/service.yaml b/kubernetes/sniro-emulator/templates/service.yaml deleted file mode 100644 index 9119071ab2..0000000000 --- a/kubernetes/sniro-emulator/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName | default "http" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName | default "http" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/sniro-emulator/values.yaml b/kubernetes/sniro-emulator/values.yaml deleted file mode 100644 index 8f43a4f46b..0000000000 --- a/kubernetes/sniro-emulator/values.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: # global defaults - nodePortPrefix: 302 - -# application image -image: onap/sniroemulator:1.0.0 -pullPolicy: IfNotPresent - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: sniro-emulator - internalPort: 9999 - externalPort: 80 - nodePort: 88 - portName: http - -ingress: - enabled: false - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi diff --git a/kubernetes/so/Chart.yaml b/kubernetes/so/Chart.yaml index acb536852d..83419673fe 100755 --- a/kubernetes/so/Chart.yaml +++ b/kubernetes/so/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,92 +17,88 @@ apiVersion: v2 description: ONAP Service Orchestrator name: so -version: 11.0.0 +version: 13.0.2 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - condition: global.aafEnabled - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/soHelpers' - name: so-admin-cockpit - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-admin-cockpit' condition: so-admin-cockpit.enabled - - name: so-appc-orchestrator - version: ~11.x-0 - repository: 'file://components/so-appc-orchestrator' - condition: so-appc-orchestrator.enabled - name: so-bpmn-infra - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-bpmn-infra' - name: so-catalog-db-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-catalog-db-adapter' condition: so-catalog-db-adapter.enabled - name: so-cnf-adapter - version: ~11.x-0 + version: ~13.x-0 repository: "file://components/so-cnf-adapter" condition: so-cnf-adapter.enabled + - name: so-cnfm-lcm + version: ~13.x-0 + repository: 'file://components/so-cnfm-lcm' + condition: so-cnfm-lcm.enabled - name: so-etsi-nfvo-ns-lcm - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-nfvo-ns-lcm' condition: so-etsi-nfvo-ns-lcm.enabled - name: so-etsi-sol003-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-sol003-adapter' condition: so-etsi-sol003-adapter.enabled - name: 
so-mariadb - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-mariadb' - name: so-nssmf-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-nssmf-adapter' condition: so-nssmf-adapter.enabled - name: so-oof-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-oof-adapter' condition: so-oof-adapter.enabled - name: so-openstack-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-openstack-adapter' condition: so-openstack-adapter.enabled - name: so-request-db-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-request-db-adapter' - name: so-sdc-controller - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-sdc-controller' - name: so-sdnc-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-sdnc-adapter' condition: so-sdnc-adapter.enabled - name: so-ve-vnfm-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-ve-vnfm-adapter' condition: so-ve-vnfm-adapter.enabled - name: so-etsi-sol005-adapter - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-sol005-adapter' condition: so-etsi-sol005-adapter.enabled - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/Makefile b/kubernetes/so/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/so/Makefile +++ b/kubernetes/so/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/so/components/Makefile b/kubernetes/so/components/Makefile index 1ea8433a9c..d07f55ba37 100644 --- a/kubernetes/so/components/Makefile +++ b/kubernetes/so/components/Makefile @@ -19,13 +19,23 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := soHelpers HELM_BIN := helm -HELM_CHARTS := soHelpers $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) all: $(HELM_CHARTS) -$(HELM_CHARTS): +soHelpers: + @echo "\n[$@]" + @make package-$@ + +$(HELM_CHARTS): soHelpers @echo "\n[$@]" @make package-$@ 
@@ -36,12 +46,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/so/components/so-admin-cockpit/Chart.yaml b/kubernetes/so/components/so-admin-cockpit/Chart.yaml index 4218126d41..defd598c1c 100644 --- a/kubernetes/so/components/so-admin-cockpit/Chart.yaml +++ b/kubernetes/so/components/so-admin-cockpit/Chart.yaml @@ -21,21 +21,18 @@ apiVersion: v2 description: A Helm chart for ONAP Service Orchestration Monitoring name: so-admin-cockpit -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: soHelpers - version: ~11.x-0 - repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml index e1bac69fe3..7657415f98 100644 --- a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml 
@@ -1,17 +1,13 @@ server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} - {{- if .Values.global.aafEnabled }} ssl: - keyStore: ${KEYSTORE} - keyStorePassword: ${KEYSTORE_PASSWORD} - trustStore: ${TRUSTSTORE} - trustStorePassword: ${TRUSTSTORE_PASSWORD} - {{- end }} + enabled: false tomcat: max-threads: 50 - {{- if not .Values.global.aafEnabled }} ssl-enable: false - {{- end }} camunda: rest: api: diff --git a/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml b/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml index 808c439181..372224cb2e 100644 --- a/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml 
@@ -21,18 +21,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} @@ -40,12 +32,9 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: - name: so-chown image: {{ include "repositoryGenerator.image.busybox" . }} volumeMounts: 
@@ -57,21 +46,13 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} command: - /bin/sh args: - -c - | export SO_COCKPIT_PASSWORD=`htpasswd -bnBC 10 "" $SO_COCKPIT_PASS | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.cred.props | xargs -0) - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE=file://$cadi_keystore - export KEYSTORE_PASSWORD=$cadi_keystore_password_p12 - export TRUSTSTORE=file://$cadi_truststore - export TRUSTSTORE_PASSWORD=$cadi_truststore_password - {{- end }} /app/start-app.sh env: - name: DB_HOST @@ -95,7 +76,7 @@ spec: - configMapRef: name: {{ include "common.fullname" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -114,16 +95,12 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml b/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml index 8f87c68f1e..65f46c48c1 100644 --- a/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/so/components/so-admin-cockpit/templates/service.yaml b/kubernetes/so/components/so-admin-cockpit/templates/service.yaml index b23e5ab99e..03b8df3e10 100644 --- a/kubernetes/so/components/so-admin-cockpit/templates/service.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/service.yaml 
@@ -19,32 +19,5 @@ # ============LICENSE_END========================================================= # @author: gareth.roper@ericsson.com */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - {{if .Values.global.aafEnabled -}} - type: {{ .Values.service.type }} - {{- else -}} - type: ClusterIP - {{- end }} - ports: - {{if and (eq .Values.service.type "NodePort") (.Values.global.aafEnabled) -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-admin-cockpit/values.yaml b/kubernetes/so/components/so-admin-cockpit/values.yaml index 6cba922571..53d185c35d 100644 --- a/kubernetes/so/components/so-admin-cockpit/values.yaml +++ b/kubernetes/so/components/so-admin-cockpit/values.yaml 
@@ -26,20 +26,14 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 - readinessImage: onap/oom/readiness:3.0.1 - aafAgentImage: onap/aaf/aaf_agent:2.1.20 + readinessImage: onap/oom/readiness:6.0.3 envsubstImage: dibi/envsubst - aafEnabled: true persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: true - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' ################################################################# @@ -72,9 +66,18 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/so-admin-cockpit:1.8.2 +image: onap/so/so-admin-cockpit:1.9.0 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -93,12 +96,6 @@ app: so-admin-cockpit # soHelpers part ################################################################# soHelpers: - nameOverride: so-cockpit-cert-init - certInitializer: - nameOverride: so-cockpit-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.monitoringPerm containerPort: *containerPort server: 
@@ -108,54 +105,62 @@ server: # soMonitoringCredsExternalSecret: some secret service: -#Since this is a feature for monitoring the service type is changed to internal, users can change it to NodePort on need basis... - type: NodePort - nodePort: 24 - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: NodePort + ports: + - port: *containerPort + name: http + nodePort: 24 + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 # Resource Limit flavor -By Default using small flavor: small #Segregation for different environment (Small or large) resources: - small: - requests: - memory: 1Gi - cpu: 10m - limits: - memory: 4Gi - cpu: 1 - large: - requests: - memory: 2Gi - cpu: 20m - limits: - memory: 8Gi - cpu: 2 + small: + requests: + cpu: "0.5" + memory: "1Gi" + limits: + cpu: "1" + memory: "4Gi" + large: + requests: + cpu: "1" + memory: "2Gi" + limits: + cpu: "2" + memory: "8Gi" + unlimited: {} readinessProbe: - port: 9091 - initialDelaySeconds: 20 - periodSeconds: 10 - timeoutSeconds: 10 + port: 9091 + initialDelaySeconds: 40 + periodSeconds: 10 + timeoutSeconds: 10 livenessProbe: - port: 9091 - initialDelaySeconds: 40 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + port: 9091 + initialDelaySeconds: 80 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: - enabled: false - service: - - baseaddr: "soadmincockpit" - name: "so-admin-cockpit" - port: 9091 - config: - ssl: "none" + enabled: false + service: + - baseaddr: "so-admin-cockpit-ui" + name: "so-admin-cockpit" + port: 9091 + config: + ssl: "none" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: portal-app-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} 
diff --git a/kubernetes/so/components/so-appc-orchestrator/Chart.yaml b/kubernetes/so/components/so-appc-orchestrator/Chart.yaml deleted file mode 100644 index a82663f094..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright © 2020 AT&T USA -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: A Helm chart for so appc orchestrator -name: so-appc-orchestrator -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: soHelpers - version: ~11.x-0 - repository: 'file://../soHelpers' - - name: serviceAccount - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml b/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml deleted file mode 100644 index 661ed64b0e..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -server: - port: {{ index .Values.containerPort }} - tomcat: - max-threads: 50 - ssl-enable: false -mso: - logPath: ./logs/soappcorch - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.auth.rest.aafEncrypted "value2" .Values.mso.auth )}} - msoKey: {{ .Values.global.app.msoKey }} - config: - {{ if .Values.global.security.aaf.enabled }} - cadi: {{ include "so.cadi.keys" . | nindent 8}} - {{- else }} - cadi: - aafId: {{ .Values.mso.basicUser }} - {{- end }} - workflow: - endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine - topics: - retryMultiplier: 1000 -appc: - client: - topic: - read: - name: {{ .Values.appc.client.topic.read.name }} - timeout: {{ .Values.appc.client.topic.read.timeout }} - write: {{ .Values.appc.client.topic.write }} - sdnc: - read: {{ .Values.appc.client.topic.sdnc.read }} - write: {{ .Values.appc.client.topic.sdnc.write }} - response: - timeout: {{ .Values.appc.client.response.timeout }} - key: {{ .Values.appc.client.key }} - secret: {{ .Values.appc.client.secret }} - service: ueb - poolMembers: message-router.{{ include "common.namespace" . }}:3904,message-router.{{ include "common.namespace" . }}:3904 -spring: - security: - usercredentials: - - - username: ${ACTUATOR_USERNAME} - password: ${ACTUATOR_PASSWORD} - role: ACTUATOR 
diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml deleted file mode 100755 index 6abb1673d5..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-app-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} 
diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml deleted file mode 100644 index d6584250e2..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ index .Values.replicaCount }} - minReadySeconds: {{ index .Values.minReadySeconds }} - strategy: - type: {{ index .Values.updateStrategy.type }} - rollingUpdate: - maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} - maxSurge: {{ index .Values.updateStrategy.maxSurge }} - template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} - spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} - - name: {{ include "common.name" . }}-pass-encoder - command: - - sh - args: - {{/* bcrypt plain text and convert to OpenBSD variant using sed */}} - - -c - - htpasswd -bnBC 10 "" "${ACTUATOR_PASSWORD}" | tr -d ':\n' | sed 's/\$2y/\$2a/' 1>/tmp/app/encoded; - env: - - name: ACTUATOR_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 10 }} - image: {{ include "repositoryGenerator.image.htpasswd" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: encoder - mountPath: /tmp/app - containers: - - name: {{ include "common.name" . 
}} - command: - - sh - args: - - -c - - | - export ACTUATOR_PASSWORD="$(cat /tmp/app/encoded)" - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} - /app/start-app.sh - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: ACTUATOR_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} - envFrom: - - configMapRef: - name: {{ include "common.fullname" . }}-configmap - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{- include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - - name: logs - mountPath: /app/logs - - name: encoder - mountPath: /tmp/app - - name: config - mountPath: /app/config - readOnly: true -{{ include "so.helpers.livenessProbe" .| indent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} - - name: logs - emptyDir: {} - - name: encoder - emptyDir: - medium: Memory - - name: config - configMap: - name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml deleted file mode 100644 index 7f004cc050..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-appc-orchestrator/values.yaml b/kubernetes/so/components/so-appc-orchestrator/values.yaml deleted file mode 100644 index 724fcbd032..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/values.yaml +++ /dev/null 
@@ -1,166 +0,0 @@ -# Copyright © 2020 AT&T USA -# Copyright © 2020 Huawei -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# - -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - persistence: - mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - app: - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-user-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' - login: '{{ .Values.db.userName }}' - password: '{{ .Values.db.userPassword }}' - passwordPolicy: required - - uid: db-admin-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' - login: '{{ .Values.db.adminName }}' - password: '{{ .Values.db.adminPassword }}' - passwordPolicy: required - - uid: server-actuator-creds - name: '{{ include "common.release" . }}-so-appc-actuator-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.actuatorCredsExternalSecret) . 
}}' - login: '{{ .Values.server.actuator.username }}' - password: '{{ .Values.server.actuator.password }}' - passwordPolicy: required - -#secretsFilePaths: | -# - 'my file 1' -# - '{{ include "templateThatGeneratesFileName" . }}' - -################################################################# -# Application configuration defaults. -################################################################# -image: onap/so/so-appc-orchestrator:1.6.4 -pullPolicy: Always - -db: - userName: so_user - userPassword: so_User123 - # userCredsExternalSecret: some secret - adminName: so_admin - adminPassword: so_Admin123 - # adminCredsExternalSecret: some secret -server: - actuator: - username: mso_admin - password: password1$ -replicaCount: 1 -minReadySeconds: 10 -containerPort: &containerPort 8080 -logPath: ./logs/soappcorch -app: appc-orchestrator -service: - name: so-appc-orchestrator - type: ClusterIP - ports: - - port: *containerPort - name: http -updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 -# Resource Limit flavor -By Default using small -flavor: small - - -################################################################# -# soHelper part -################################################################# - -soHelpers: - nameOverride: so-appc-cert-init - certInitializer: - nameOverride: so-appc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm - containerPort: *containerPort - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -livenessProbe: - path: /manage/health - port: 8083 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 -ingress: - enabled: false -nodeSelector: {} -tolerations: [] -affinity: {} - -auth: - rest: 
- encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 - -mso: - auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 - basicUser: poBpmn - -appc: - client: - topic: - read: - name: APPC-LCM-WRITE - timeout: 360000 - write: APPC-LCM-READ - sdnc: - read: SDNC-LCM-WRITE - write: SDNC-LCM-READ - response: - timeout: 3600000 - key: VIlbtVl6YLhNUrtU - secret: 64AG2hF4pYeG2pq7CT6XwUOT - service: ueb - -#Pods Service Account -serviceAccount: - nameOverride: so-appc-orchestrator - roles: - - read diff --git a/kubernetes/so/components/so-bpmn-infra/Chart.yaml b/kubernetes/so/components/so-bpmn-infra/Chart.yaml index 3a573b4245..6f52dfaef3 100755 --- a/kubernetes/so/components/so-bpmn-infra/Chart.yaml +++ b/kubernetes/so/components/so-bpmn-infra/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 AT&T USA # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,24 +18,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for SO Bpmn Infra name: so-bpmn-infra -version: 11.0.0 +version: 13.1.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml index 9feab4ddce..eebc71a11a 100755 --- a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 AT&T USA +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,14 +15,10 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} dme2: timeout: '30000' - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 workflowAaiDistributionDelay: PT30S pnfEntryNotificationTimeout: P14D cds: @@ -45,14 +42,13 @@ camunda: entitymanager: packagesToScan: com pnf: - dmaap: - host: message-router - port: 3904 - protocol: http - uriPathPrefix: events - topicName: unauthenticated.PNF_READY - consumerGroup: consumerGroup - consumerId: consumerId + kafka: + pnfReadyTopicName: unauthenticated.PNF_READY + pnfUpdateTopicName: unauthenticated.PNF_UPDATE + consumerGroup: so-consumer + consumerId: so-bpmn-infra-pnfready + consumerIdUpdate: so-bpmn-infra-pnfupdate + kafkaBootstrapServers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 topicListenerDelayInSeconds: 5 bpelURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081 msb-ip: msb-iag 
@@ -65,18 +61,19 @@ mso: correlation: timeout: 60 logPath: logs - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 adapters: + apihandler: + endpoint: http://so.{{ include "common.namespace" . }}:8080 + auth: Basic SW5mcmFQb3J0YWxDbGllbnQ6cGFzc3dvcmQxJA== completemsoprocess: endpoint: http://so-openstack-adapter.{{ include "common.namespace" . }}:8087/CompleteMsoProcess requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} db: auth: {{ .Values.mso.adapters.db.auth }} password: {{ .Values.mso.adapters.db.password }} @@ -128,7 +125,7 @@ mso: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} default: adapter: namespace: http://org.onap.mso @@ -162,11 +159,7 @@ mso: oof: auth: {{ .Values.mso.oof.auth }} callbackEndpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - {{ if (include "common.needTLS" .) }} - endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ else }} endpoint: http://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ end }} timeout: PT30M workflow: CreateGenericVNFV1: @@ -355,6 +348,9 @@ sniro: headers.minorVersion: 1 headers.latestVersion: 2 server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} tomcat: max-threads: 50 
@@ -398,6 +394,9 @@ so: adapter: url: http://so-etsi-sol003-adapter.{{ include "common.namespace" . }}:9092/so/vnfm-adapter/v1 auth: {{ .Values.so.sol003.adapter.auth }} +cnfm: + endpoint: + url: http://so-cnfm-lcm.{{ include "common.namespace" . }}:9888 org: onap: so: diff --git a/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml index 58ac6d9ab8..954f8e8b0f 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap 
@@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml index 2b8b827f91..ec1932143d 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 AT&T USA +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,18 +16,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
@@ -34,30 +27,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +48,16 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -85,14 +66,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +82,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml b/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} 
diff --git a/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml b/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/service.yaml b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml index 5b8dee0774..739cb279c1 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/service.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-bpmn-infra/values.yaml b/kubernetes/so/components/so-bpmn-infra/values.yaml index af185aeb4e..d5cee518db 100755 --- a/kubernetes/so/components/so-bpmn-infra/values.yaml +++ b/kubernetes/so/components/so-bpmn-infra/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 AT&T USA # Copyright © 2020 Huawei +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -22,14 +23,10 @@ global: #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - security: - aaf: - enabled: false - aaf: - auth: - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: @@ -63,9 +60,24 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/bpmn-infra:1.10.0 +image: onap/so/bpmn-infra:1.13.0 pullPolicy: Always +kafkaUser: + acls: + - name: so-consumer + type: group + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_READY + type: topic + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_UPDATE + type: topic + patternType: literal + operations: [Read] + bpmn: historyTTL: 14 @@ -73,6 +85,15 @@ camunda: sundayCleanupWindowStartTime: "04:00" sundayCleanupWindowEndTime: "10:00" +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
@@ -121,24 +142,18 @@ logPath: ./logs/bpmn/ app: so-bpmn-infra service: type: ClusterIP - internalPort: *containerPort - externalPort: 8081 - portName: http + ports: + - port: *containerPort + name: http updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-bpmn-cert-init - certInitializer: - nameOverride: so-bpmn-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.bpmnPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -147,18 +162,18 @@ flavor: large resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "3Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "3Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "6Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "6Gi" unlimited: {} livenessProbe: path: /manage/health @@ -170,6 +185,16 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-oof-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml index e279432923..04021f9e65 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml 
@@ -16,24 +16,24 @@ apiVersion: v2 description: A Helm chart for so-catalog-db-adapter name: so-catalog-db-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml index 7aa5984403..d5a3aeff44 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml @@ -14,6 +14,9 @@ # limitations under the License. */}} server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} tomcat: max-threads: 50 @@ -21,14 +24,12 @@ ssl-enable: false mso: logPath: logs site-name: onapheat - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.db.auth )}} + auth: {{ .Values.mso.adapters.db.auth }} spring: datasource: hikari: 
diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml index fa9d3a6a4b..e3a77de71d 100755 
--- a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml @@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -71,28 +47,23 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml index 5b8dee0774..739cb279c1 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-catalog-db-adapter/values.yaml b/kubernetes/so/components/so-catalog-db-adapter/values.yaml index b4360942d2..5a5325f629 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/values.yaml @@ -19,16 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= app: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -62,9 +56,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/catalog-db-adapter:1.10.0 +image: onap/so/catalog-db-adapter:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -84,25 +87,19 @@ containerPort: &containerPort 8082 logPath: ./logs/catdb/ app: catalog-db-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - port: *containerPort + name: http updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-catalogdb-cert-init - certInitializer: - nameOverride: so-catalogdb-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.catalogDbAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -111,30 +108,39 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8082 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8082 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" @@ -154,4 +160,3 @@ serviceAccount: nameOverride: so-catalog-db-adapter roles: - read - diff --git a/kubernetes/so/components/so-cnf-adapter/Chart.yaml b/kubernetes/so/components/so-cnf-adapter/Chart.yaml index abc14e8b3a..c9bac65aa7 100755 --- a/kubernetes/so/components/so-cnf-adapter/Chart.yaml +++ b/kubernetes/so/components/so-cnf-adapter/Chart.yaml 
@@ -18,24 +18,24 @@ apiVersion: v2 appVersion: "1.7.1" description: A Helm chart for Kubernetes name: so-cnf-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml index 0c2f679082..a1a25be146 100755 --- a/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml @@ -15,12 +15,8 @@ */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.server.aai.auth ) }} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + auth: {{ .Values.server.aai.auth }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 enabled: {{ .Values.global.aai.enabled }} logging: path: logs @@ -31,6 +27,9 @@ spring: password: ${ACTUATOR_PASSWORD} role: ACTUATOR server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} tomcat: max-threads: 50 
diff --git a/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml b/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml index c5ebec0b15..786dd83f59 100755 --- a/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml @@ -20,7 +20,7 @@ metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml index 340571a59b..d8670f1c41 100755 --- a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml 
+++ b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml @@ -30,7 +30,7 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + initContainers: - name: {{ include "common.name" . }}-encrypter command: - sh @@ -59,39 +59,25 @@ spec: args: - -c - | - export AAF_BASE64=$(echo -n "${AAF_USERNAME}:${AAF_PASSWORD}" | base64) - export AAF_AUTH=$(echo "Basic ${AAF_BASE64}") export AAI_AUTH=$(cat /input/.aai_creds) - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password}" - {{- end }} - {{- end }} ./start-app.sh resources: {{ include "common.resources" . | nindent 12 }} ports: {{- include "common.containerPorts" . | nindent 12 }} env: - - name: AAF_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-aaf-creds" "key" "login") | indent 14 }} - - name: AAF_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-aaf-creds" "key" "password") | indent 14 }} - name: ACTUATOR_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} - name: ACTUATOR_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | indent 12 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-env imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true - readOnly: true - name: encoder mountPath: /input livenessProbe: 
@@ -105,7 +91,7 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config @@ -114,5 +100,4 @@ spec: - name: encoder emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-cnf-adapter/values.yaml b/kubernetes/so/components/so-cnf-adapter/values.yaml index 6d7eec4a64..32f87270a6 100755 --- a/kubernetes/so/components/so-cnf-adapter/values.yaml +++ b/kubernetes/so/components/so-cnf-adapter/values.yaml @@ -20,12 +20,6 @@ global: soCryptoImage: sdesbure/so_crypto:latest persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: ${AAF_AUTH} aai: enabled: true ################################################################# @@ -51,13 +45,6 @@ secrets: login: '{{ .Values.server.actuator.username }}' password: '{{ .Values.server.actuator.password }}' passwordPolicy: required - - uid: so-aaf-creds - name: '{{ include "common.release" . }}-so-cnf-aaf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.aafCredsExternalSecret) . }}' - login: '{{ .Values.server.aaf.username }}' - password: '{{ .Values.server.aaf.password }}' - passwordPolicy: required - uid: so-aai-creds name: '{{ include "common.release" . }}-so-cnf-aai-creds' type: basicAuth @@ -84,6 +71,15 @@ readinessCheck: jobs: - '{{ include "common.release" . }}-so-mariadb-config-job' +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
@@ -92,10 +88,6 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret server: - aaf: - username: so@so.onap.org - password: demo123456 - # aafCredsExternalSecret: some secret aai: username: aai@aai.onap.org password: demo123456! @@ -125,32 +117,31 @@ updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-cnf-cert-init - certInitializer: - nameOverride: so-cnf-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: path: /manage/health @@ -163,6 +154,10 @@ livenessProbe: failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-cnfm-lcm/Chart.yaml b/kubernetes/so/components/so-cnfm-lcm/Chart.yaml new file mode 100644 index 0000000000..df3eed7bd7 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: so-cnfm-lcm +description: ONAP SO CNFM LCM +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: soHelpers + version: ~13.x-0 + repository: 'file://../soHelpers' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml b/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml new file mode 100644 index 0000000000..411b75f0a3 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml 
@@ -0,0 +1,53 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +aai: + auth: {{ .Values.aai.auth }} + version: v24 + endpoint: http://aai.{{ include "common.namespace" . }}:80 +spring: + datasource: + hikari: + camunda: + jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/camundabpmn + username: ${DB_USERNAME} + password: ${DB_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + pool-name: bpmn-pool + registerMbeans: true + cnfm: + jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/cnfm + username: ${DB_ADMIN_USERNAME} + password: ${DB_ADMIN_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + pool-name: cnfm-pool + registerMbeans: true +server: + port: {{ .Values.containerPort }} + tomcat: + max-threads: 50 +mso: + key: {{ .Values.mso.key }} +sdc: + username: {{ .Values.sdc.username }} + password: {{ .Values.sdc.password }} + key: {{ .Values.sdc.key }} + endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 +camunda: + bpm: + history-level: full + job-execution: + max-pool-size: 30 + core-pool-size: 3 + deployment-aware: true diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml new file mode 100644 index 0000000000..2d8cb1e5f5 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml 
@@ -0,0 +1,43 @@ +{{/* + # Copyright © 2023 Nordix Foundation + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + */}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-app-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml new file mode 100644 index 0000000000..45572c9692 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml 
@@ -0,0 +1,75 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} + minReadySeconds: {{ index .Values.minReadySeconds }} + strategy: + type: {{ index .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ index .Values.updateStrategy.maxSurge }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} + containers: + - name: {{ include "common.name" . }} + command: [ "./start-app.sh" ] + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + resources: {{ include "common.resources" . | nindent 12 }} + env: + - name: DB_HOST + value: {{ include "common.mariadbService" . }} + - name: DB_PORT + value: {{ include "common.mariadbPort" . | quote }} + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-user-creds" "key" "password") | indent 14 }} + - name: DB_ADMIN_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} + - name: DB_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: logs + mountPath: /app/logs + - name: config + mountPath: /app/config + readOnly: true + livenessProbe: + tcpSocket: + port: {{ index .Values.livenessProbe.port }} + initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} + periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} + successThreshold: {{ index .Values.livenessProbe.successThreshold}} + failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} + ports: {{ include "common.containerPorts" . | nindent 12 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: logs + emptyDir: {} + - name: config + configMap: + name: {{ include "common.fullname" . }}-app-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml new file mode 100644 index 0000000000..30c7b6e674 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml 
@@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml new file mode 100644 index 0000000000..e361015b5c --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml new file mode 100644 index 0000000000..72b8e4be89 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml 
@@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/values.yaml b/kubernetes/so/components/so-cnfm-lcm/values.yaml new file mode 100644 index 0000000000..9a85ec8c98 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/values.yaml 
@@ -0,0 +1,155 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: + mountPath: /dockerdata-nfs + mariadbGalera: + service: mariadb-galera + servicePort: '3306' + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + passwordPolicy: required + - uid: db-admin-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. +################################################################# +image: onap/so/so-cnfm-as-lcm:1.12.1 +pullPolicy: Always + +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . 
}}-so-mariadb-config-job' + +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + +db: + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret +mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 +sdc: + username: mso + password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F + key: 566B754875657232314F5548556D3665 + +replicaCount: 1 +minReadySeconds: 10 +containerPort: &containerPort 9888 +logPath: ./logs/so-cnfm-lcm/ +app: so-cnfm-lcm +service: + type: ClusterIP + ports: + - name: http + port: *containerPort +updateStrategy: + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + containerPort: *containerPort + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "2000m" + memory: "4Gi" + requests: + cpu: "500m" + memory: "1Gi" + large: + limits: + cpu: "4000m" + memory: "8Gi" + requests: + cpu: "1000m" + memory: "2Gi" + unlimited: {} + +livenessProbe: + port: *containerPort + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + +ingress: + enabled: false + service: + - baseaddr: 'so-cnfm-lcm-api' + name: 'so-cnfms-lcm' + port: *containerPort + config: + ssl: 'redirect' + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +#Pods Service Account 
+serviceAccount: + nameOverride: so-cnfm-lcm + roles: + - read + diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml index 4b2fd67310..068686db48 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml @@ -17,21 +17,24 @@ apiVersion: v2 description: ONAP SO ETSI NFVO NS LCM name: so-etsi-nfvo-ns-lcm -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml index 7c1cb1b3c4..40f97ad69f 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml @@ -15,13 +15,9 @@ */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} version: v19 - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 spring: datasource: hikari: 
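Review bot: The `endpoint:` line under `aai:` is now fixed to `http://aai.<namespace>:80`, dropping the `common.needTLS` branch that selected `https://...:8443`, so calls authenticated with `aai.auth` go over plain HTTP unless a mesh sidecar encrypts the hop. The next hunk in this same file still treats the mesh as optional (`if include "common.onServiceMesh" .`), so off-mesh installs get no transport protection at all. Either document that this chart now requires mesh mTLS, or keep a values switch that restores the HTTPS endpoint for deployments without a mesh.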
@@ -45,6 +41,9 @@ spring: password: ${ETSI_NFVO_PASSWORD} role: ETSI-NFVO-Client server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ .Values.containerPort }} tomcat: max-threads: 50 @@ -58,16 +57,7 @@ so: etsi-catalog-manager: base: {{- if .Values.global.msbEnabled }} - {{ if (include "common.needTLS" .) }} - endpoint: https://msb-iag:443/api - {{ else }} - endpoint: http://msb-iag:443/api - {{ end }} - http: - client: - ssl: - trust-store: file:${TRUSTSTORE} - trust-store-password: ${TRUSTSTORE_PASSWORD} + endpoint: http://msb-iag:80/api {{- else }} endpoint: http://modeling-etsicatalog.{{ include "common.namespace" . }}:8806/api {{- end }} diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml index add9a02cf6..6bf005c051 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml 
+++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml @@ -27,7 +27,7 @@ metadata: data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml index 6465af4e4a..19cf991292 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml @@ -29,7 +29,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} containers: - name: {{ include "common.name" . }} command: @@ -38,12 +39,6 @@ spec: - -c - | export ETSI_NFVO_PASSWORD=`htpasswd -bnBC 10 "" $ETSI_NFVO_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} ./start-app.sh image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} 
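Review bot: In the `export ETSI_NFVO_PASSWORD=` line kept above the removed AAF block, `$ETSI_NFVO_PASSWORD_INPUT` is expanded unquoted, so a password containing whitespace or glob characters is word-split before `htpasswd` sees it, and `-b` places the cleartext on the process command line. Since this hunk already rewrites the start-up script, quote the variable as `"$ETSI_NFVO_PASSWORD_INPUT"` and consider passing the password on stdin with `htpasswd -i` instead of `-b`.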
@@ -64,12 +59,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | indent 12 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -84,11 +78,10 @@ spec: failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} ports: {{ include "common.containerPorts" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml index 57bf2f3c17..dc6f2b74d6 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml @@ -19,14 +19,8 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' ################################################################# 
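Review bot: The rename of `global.mariadbGalera.serviceName` to `service` is a silent breaking change for anyone who sets the old key in an override file: the old key will simply be ignored and the default `mariadb-galera` used. Call the rename out in the commit message or release notes so existing overrides are updated. Separately, the deleted `global.aaf.auth.header` was a committed Basic credential; removing it from values.yaml does not remove it from history, so it should be treated as known wherever it was ever valid.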
@@ -55,11 +49,26 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-etsi-nfvo-ns-lcm:1.8.2 +image: onap/so/so-etsi-nfvo-ns-lcm:1.9.0 pullPolicy: Always aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-so-mariadb-config-job' + +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -85,7 +94,6 @@ logPath: ./logs/so-etsi-nfvo-ns-lcm/ app: so-etsi-nfvo-ns-lcm service: type: ClusterIP - name: so-etsi-nfvo-ns-lcm annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' msb.onap.org/service-info: | @@ -111,12 +119,6 @@ updateStrategy: # soHelpers part ################################################################# soHelpers: - nameOverride: so-nfvo-cert-init - certInitializer: - nameOverride: so-nfvo-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.nfvoAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -125,18 +127,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "5Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: 
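Review bot: The `small` flavor's limits drop from `memory: 4Gi` / `cpu: 2000m` to `memory: "1Gi"` / `cpu: "1"`, with the memory limit now equal to the request, and nothing in the patch says what this sizing is based on. The new so-cnfm-lcm chart added in this same patch keeps `2000m` / `4Gi` for `small`, so the two sibling components now disagree. If the container exceeds 1Gi it will be OOM-killed and restarted, so please state the measurement behind the new numbers or keep them aligned with so-cnfm-lcm.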
@@ -150,12 +152,19 @@ livenessProbe: ingress: enabled: false service: - - baseaddr: 'soetsinfvonslcm' + - baseaddr: 'so-etsi-nfvo-ns-lcm-api' name: 'so-etsi-nfvo-ns-lcm' port: 9095 config: ssl: 'redirect' +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + nodeSelector: {} tolerations: [] diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml index 742251a965..caa7dd9553 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml @@ -16,21 +16,21 @@ apiVersion: v2 description: ONAP SO ETSI SOL003 Adapter name: so-etsi-sol003-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml index 33b38add57..04d973a6fc 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml 
@@ -14,13 +14,9 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} version: v15 - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 spring: security: usercredentials: @@ -31,6 +27,9 @@ spring: password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} ssl: enabled: false 
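Review bot: The added `forward-headers-strategy: none` under `server:` is applied only inside `if include "common.onServiceMesh" .` and carries no comment explaining why forwarded headers must be ignored on the mesh while off-mesh installs keep the application default. Add a short template comment with the reason, and say whether the off-mesh behaviour is intentionally different; the same block is added to the so-etsi-nfvo-ns-lcm override, so the explanation can be shared.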
@@ -38,30 +37,19 @@ mso: key: {{ .Values.mso.key }} site-name: localSite logPath: ./logs/etsi-sol003-adapter - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 sdc: - username: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.username "value2" .Values.sdc.username )}} - password: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.password "value2" .Values.sdc.password )}} + username: {{ .Values.sdc.username }} + password: {{ .Values.sdc.password }} key: {{ .Values.sdc.key }} - {{ if (include "common.needTLS" .) }} - endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 - {{ end }} vnfmadapter: endpoint: http://so-etsi-sol003-adapter.{{ include "common.namespace" . }}:9092 etsi-catalog-manager: vnfpkgm: {{- if .Values.global.msbEnabled }} - endpoint: https://msb-iag:443/api/vnfpkgm/v1 - http: - client: - ssl: - trust-store: file:${TRUSTSTORE} - trust-store-password: ${TRUSTSTORE_PASSWORD} + endpoint: http://msb-iag:80/api {{- else }} endpoint: http://modeling-etsicatalog.{{ include "common.namespace" . }}:8806/api/vnfpkgm/v1 {{- end }} diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml index 7751bf4631..4067eee9bd 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml 
@@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
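Review bot: Replacing the hand-written `selector.matchLabels` (previously only `app: {{ include "common.name" . }}`) with `common.selectors` changes an immutable field if the helper renders any other label set, and `spec.selector` on an apps/v1 Deployment cannot be changed in place, so `helm upgrade` from the previous chart version would be rejected. What `common.selectors` renders is not visible in this patch; please confirm the output matches the old selector or document that the Deployment must be deleted before upgrading. Minor: `{{ index .Values.replicaCount }}` uses `index` with a single argument, which does nothing, while the neighbouring `minReadySeconds` line uses the plain `.Values` form; pick one style.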
@@ -34,34 +26,17 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - export KEYSTORE="{{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.p12" - /app/start-app.sh - {{- end }} - env: - {{ include "so.certificates.env" . | indent 8 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -74,16 +49,12 @@ spec: periodSeconds: {{ .Values.livenessProbe.periodSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml index 8f87c68f1e..f298193924 100644 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2019 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} 
diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml index 96a2acd3a6..3da38759a8 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml @@ -13,39 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "{{ include "common.servicename" . }}", - "version": "v1", - "url": "/so/vnfm-adapter/v1", - "protocol": "REST", - "port": "{{.Values.service.externalPort}}", - "visualRange":"1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml index 42554bb5a2..bea0a28051 100755 
--- a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml @@ -28,7 +28,7 @@ global: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-etsi-sol003-adapter:1.8.2 +image: onap/so/so-etsi-sol003-adapter:1.9.0 pullPolicy: Always aaf: @@ -50,26 +50,34 @@ containerPort: &containerPort 9092 logPath: ./logs/etsi-sol003-adapter/ app: etsi-sol003-adapter service: - type: NodePort - internalPort: *containerPort - externalPort: *containerPort - nodePort: "06" - portName: http + type: NodePort + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "{{ include "common.servicename" . }}", + "version": "v1", + "url": "/so/vnfm-adapter/v1", + "protocol": "REST", + "port": "{{.Values.containerPort}}", + "visualRange":"1" + } + ]{{ end }} + ports: + - name: http + port: *containerPort + nodePort: "06" + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-etsi-sol003-cert-init - certInitializer: - nameOverride: so-etsi-sol003-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.vnfmAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -78,34 +86,43 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - port: 9092 - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + port: 9092 + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false service: - - baseaddr: "soetsisol003adapter" - name: "so-etsi-sol003-adapter" - port: 9092 + - baseaddr: "so-etsi-sol003-adapter-api" + name: "so-etsi-sol003-adapter" + port: 9092 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-nfvo-ns-lcm-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml index 7c2645e183..a6c6c2e708 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-etsi-sol005-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml index e1e2fc23c6..c4d28c4ce9 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml 
@@ -33,24 +33,21 @@ spring: password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} tomcat: max-threads: 50 mso: site-name: localSite logPath: ./logs/etsi-sol005-adapter - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 adapters: requestDb: - {{ if (include "common.needTLS" .) }} - endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ else }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} #Actuator management: security: diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml index 1abf21816b..28e8709d7e 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml @@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -92,16 +67,12 @@ spec: timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml index 5b8dee0774..21a6a77e27 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml index f32587f9c0..2b219d0595 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml @@ -19,14 +19,8 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -58,9 +52,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-etsi-sol005-adapter:1.8.3 +image: onap/so/so-etsi-sol005-adapter:1.9.0 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -80,26 +83,19 @@ containerPort: &containerPort 8084 logPath: ./logs/etsi-sol005-adapter/ app: etsi-sol005-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - port: *containerPort + name: http updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-etsi-sol005-cert-init - certInitializer: - nameOverride: so-etsi-sol005-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.vfcAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -108,30 +104,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8084 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8084 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-mariadb/Chart.yaml b/kubernetes/so/components/so-mariadb/Chart.yaml index 8b6d10f476..f66f740b34 100755 --- a/kubernetes/so/components/so-mariadb/Chart.yaml +++ b/kubernetes/so/components/so-mariadb/Chart.yaml @@ -16,21 +16,21 @@ apiVersion: v2 description: MariaDB Service name: so-mariadb -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh new file mode 100644 index 0000000000..cb343bc954 --- /dev/null +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh @@ -0,0 +1,39 @@ +#!/bin/sh +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +echo "Creating cnfm database . . ." 1>/tmp/mariadb-cnfmdb.log 2>&1 + +prepare_password() +{ + echo "$1" | sed -e "s/'/\\\\'/g; s/\"/\\\\\"/g" +} + +CNFM_DB_PASSWORD=`prepare_password $CNFM_DB_PASSWORD` + +mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +CREATE DATABASE /*!32312 IF NOT EXISTS*/ cnfm /*!40100 DEFAULT CHARACTER SET latin1 */; +DROP USER IF EXISTS '${CNFM_DB_USER}'; +CREATE USER '${CNFM_DB_USER}'; +GRANT ALL on cnfm.* to '${CNFM_DB_USER}' identified by '${CNFM_DB_PASSWORD}' with GRANT OPTION; +FLUSH PRIVILEGES; +EOF + +echo "Created cnfm database . . ." 1>>/tmp/mariadb-cnfmdb.log 2>&1 \ No newline at end of file 
diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh index 33c4b32146..bf8ae781c0 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh @@ -4,6 +4,7 @@ # ============LICENSE_START========================================== # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2022/23 Nordix Foundation # =================================================================== # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,6 +41,7 @@ GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON requestdb.* TO '${DB GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON catalogdb.* TO '${DB_USER}'@'%'; GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON camundabpmn.* TO '${DB_USER}'@'%'; GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON nfvo.* TO '${DB_USER}'@'%'; +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON cnfm.* TO '${DB_USER}'@'%'; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh index 069556f51c..74b869cd54 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh 
@@ -4,6 +4,7 @@ # ============LICENSE_START========================================== # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2022/23 Nordix Foundation # =================================================================== # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -40,6 +41,7 @@ GRANT ALL PRIVILEGES ON camundabpmn.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON requestdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON catalogdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON nfvo.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; +GRANT ALL PRIVILEGES ON cnfm.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/components/so-mariadb/templates/job.yaml b/kubernetes/so/components/so-mariadb/templates/job.yaml index d9c6009c8a..20cba67a26 100644 --- a/kubernetes/so/components/so-mariadb/templates/job.yaml +++ b/kubernetes/so/components/so-mariadb/templates/job.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright (C) 2022/23 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -56,24 +57,17 @@ spec: - | {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - mysqldump -vv --user=${DB_USER} --password=${DB_PASS} --host=${DB_HOST} --port=${DB_PORT} --databases --single-transaction --quick --lock-tables=false catalogdb requestdb nfvo > /var/data/mariadb/backup-`date +%s`.sql + mysqldump -vv --user=${DB_USER} --password=${DB_PASS} --host=${DB_HOST} --port=${DB_PORT} --databases --single-transaction --quick --lock-tables=false catalogdb requestdb nfvo cnfm > /var/data/mariadb/backup-`date +%s`.sql volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: backup-storage mountPath: /var/data/mariadb {{ include "common.waitForJobContainer" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: backup-storage persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Never --- {{- end }} @@ -149,10 +143,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nfvo-db-creds" "key" "login") | indent 10 }} - name: NFVO_DB_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nfvo-db-creds" "key" "password") | indent 10 }} + - name: CNFM_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cnfm-db-creds" "key" "login") | indent 10 }} + - name: CNFM_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cnfm-db-creds" "key" "password") | indent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: docker-entrypoint-initdb-d-sh mountPath: "/docker-entrypoint-initdb.d" - name: docker-entrypoint-initdb-d-sql 
@@ -161,8 +156,7 @@ spec: - name: backup-storage mountPath: /var/data/mariadb {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -172,10 +166,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d-sh configMap: name: {{ include "common.fullname" . }}-mariadb-sh @@ -188,5 +180,4 @@ spec: claimName: {{ include "common.fullname" . }}-migration {{- end }} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-mariadb/values.yaml b/kubernetes/so/components/so-mariadb/values.yaml index 13dd0868e8..7eea6a5cf8 100755 --- a/kubernetes/so/components/so-mariadb/values.yaml +++ b/kubernetes/so/components/so-mariadb/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright (C) 2022-23 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,11 +22,13 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 - readinessImage: onap/oom/readiness:4.1.0 + readinessImage: onap/oom/readiness:6.0.3 ubuntuInitRepository: docker.io mariadbGalera: - nameOverride: &mariadbName mariadb-galera - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + nameOverride: mariadb-galera + service: mariadb-galera servicePort: "3306" migration: enabled: false 
@@ -34,10 +37,6 @@ global: dbUser: root dbPassword: secretpassword -readinessCheck: - wait_for: - - *mariadbName - ################################################################# # Secrets metaconfig ################################################################# @@ -89,6 +88,11 @@ secrets: externalSecret: '{{ tpl (default "" .Values.db.nfvo.dbCredsExternalSecret) . }}' login: '{{ .Values.db.nfvo.userName }}' password: '{{ .Values.db.nfvo.password }}' + - uid: cnfm-db-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.cnfm.dbCredsExternalSecret) . }}' + login: '{{ .Values.db.cnfm.userName }}' + password: '{{ .Values.db.cnfm.password }}' ################################################################# # Application configuration defaults. @@ -99,6 +103,15 @@ image: mariadb:10.1.38 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + # db config db: rootPassword: secretpassword @@ -127,6 +140,9 @@ db: nfvo: userName: nfvouser # dbCredsExternalSecret: some secret + cnfm: + userName: cnfmuser + # dbCredsExternalSecret: some secret # application configuration config: @@ -147,18 +163,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} persistence: @@ -191,3 +207,8 @@ serviceAccount: wait_for_job_container: containers: - '{{ include "common.name" . }}-config' + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/so/components/so-nssmf-adapter/Chart.yaml b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml index ab97237dad..0dc42e438e 100755 
--- a/kubernetes/so/components/so-nssmf-adapter/Chart.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml @@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-nssmf-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml index 1d8a97c028..633ac7dcc1 100755 --- a/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml @@ -14,12 +14,8 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + auth: {{ .Values.aai.auth }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 logging: path: logs spring: 
@@ -44,6 +40,9 @@ spring: password: ${ACTUATOR_PASSWORD} role: ACTUATOR server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} tomcat: max-threads: 50 @@ -55,12 +54,8 @@ mso: msb-port: 80 adapters: requestDb: - {{ if (include "common.needTLS" .) }} - endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ else }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} #Actuator management: endpoints: diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml index 03a3df4163..35baef1759 100755 
--- a/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml @@ -19,7 +19,7 @@ metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml index f41352e63f..5aea3023aa 100755 --- a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml @@ -26,11 +26,9 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} 
@@ -41,12 +39,6 @@ spec: - | export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} ./start-app.sh image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} @@ -72,12 +64,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} - name: ACTUATOR_PASSWORD_INPUT {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | nindent 12 }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-env imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -94,11 +85,10 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/so/components/so-nssmf-adapter/values.yaml b/kubernetes/so/components/so-nssmf-adapter/values.yaml index 29f9f4e24d..d45ee69401 100755 --- a/kubernetes/so/components/so-nssmf-adapter/values.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/values.yaml @@ -19,14 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: @@ -78,6 +74,15 @@ secrets: image: onap/so/so-nssmf-adapter:1.9.1 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -110,17 +115,14 @@ service: - name: http port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-nssmf-cert-init - certInitializer: - nameOverride: so-nssmf-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.nssmfAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -129,30 +131,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8088 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8088 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-oof-adapter/Chart.yaml b/kubernetes/so/components/so-oof-adapter/Chart.yaml index d5b8bbf700..08e8071f26 100755 --- a/kubernetes/so/components/so-oof-adapter/Chart.yaml +++ b/kubernetes/so/components/so-oof-adapter/Chart.yaml @@ -18,21 +18,21 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-oof-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml index 8db5d26788..c58ba9196f 100755 --- a/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml @@ -25,6 +25,9 @@ spring: password: ${ACTUATOR_PASSWORD} role: ACTUATOR server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} tomcat: max-threads: 50 @@ -36,17 +39,13 @@ mso: msb-port: 80 msoKey: ${MSO_KEY} camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081 - camundaAuth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.camundaAuth )}} + camundaAuth: {{ .Values.mso.camundaAuth }} workflow: message: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage oof: auth: ${OOF_LOGIN}:${OOF_PASSWORD} - {{ if (include "common.needTLS" .) }} - endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ else }} endpoint: http://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ end }} #Actuator management: endpoints: diff --git a/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml b/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml index da5fda9c42..62ad76709f 100755 --- a/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml @@ -26,7 +26,7 @@ metadata: data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml b/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml index f5307992d1..eef3ef4a0e 100755 --- a/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml 
@@ -26,15 +26,12 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -54,12 +51,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oof-auth" "key" "login") | indent 10 }} - name: OOF_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oof-auth" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -68,11 +64,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: {{- include "common.containerPorts" . | nindent 12 }} + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config 
@@ -84,5 +80,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-oof-adapter/values.yaml b/kubernetes/so/components/so-oof-adapter/values.yaml index 530c35afdd..d1b795dc2c 100755 --- a/kubernetes/so/components/so-oof-adapter/values.yaml +++ b/kubernetes/so/components/so-oof-adapter/values.yaml @@ -20,14 +20,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' # Secrets metaconfig @@ -74,6 +70,15 @@ secrets: image: onap/so/so-oof-adapter:1.8.3 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + mso: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 oof: 
@@ -87,23 +92,19 @@ containerPort: *containerPort logPath: ./logs/oof-adapter/ app: so-oof-adapter service: - type: ClusterIP - ports: - - name: http - port: *containerPort + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-oof-adapter-cert-init - certInitializer: - nameOverride: so-oof-adapter-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.oofadapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -112,30 +113,35 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - path: /manage/health - port: *containerPort - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: *containerPort + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-openstack-adapter/Chart.yaml b/kubernetes/so/components/so-openstack-adapter/Chart.yaml index 22c473f5c1..1129cf23a2 100755 --- a/kubernetes/so/components/so-openstack-adapter/Chart.yaml +++ b/kubernetes/so/components/so-openstack-adapter/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-openstack-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml index 487e93132d..287c9537b6 100755 --- a/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml @@ -14,14 +14,14 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + auth: {{ .Values.aai.auth }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} +SW port: {{ index .Values.containerPort }} spring: datasource: hikari: 
@@ -68,7 +68,7 @@ org: {{- end }} default_keystone_reg_ex: "/[vV][0-9]" vnf: - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.bpelauth }} checkRequiredParameters: true addGetFilesOnVolumeReq: false sockettimeout: 30 @@ -79,7 +79,7 @@ org: valet_enabled: false fail_requests_on_valet_failure: false network: - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.bpelauth }} sockettimeout: 5 connecttimeout: 5 retrycount: 5 
@@ -109,32 +109,30 @@ ecomp: retryCount: 3 pollTimeout: 7500 pollInterval: 15 +multicloud: + endpoint: http://multicloud-k8s.{{ include "common.namespace" . }}:9015 mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.encrypted "value2" .Values.mso.auth )}} + auth: {{ .Values.mso.db.auth }} + auth: {{ .Values.mso.auth }} logPath: ./logs/openstack msb-ip: msb-iag - msb-port: 443 - msb-scheme: https + msb-port: 80 + msb-scheme: http workflow: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine msoKey: {{ .Values.mso.msoKey }} config: - {{ if eq .Values.global.security.aaf.enabled true }} - cadi: {{ include "so.cadi.keys" . | nindent 8}} - {{- else }} cadi: aafId: {{ .Values.mso.basicUser }} - {{- end }} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} + auth: {{ .Values.mso.db.auth }} site-name: localDevEnv async: core-pool-size: 50 diff --git a/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml index 050aab9732..eeab0f72cd 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml index 55493f7c42..247b8cb3b1 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml 
@@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -85,14 +60,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +76,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-openstack-adapter/templates/service.yaml b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-openstack-adapter/values.yaml b/kubernetes/so/components/so-openstack-adapter/values.yaml index 28338cfa11..15074b5712 100755 --- a/kubernetes/so/components/so-openstack-adapter/values.yaml +++ b/kubernetes/so/components/so-openstack-adapter/values.yaml @@ -19,14 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -58,9 +54,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/openstack-adapter:1.10.0 +image: onap/so/openstack-adapter:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -71,9 +76,6 @@ db: aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 -aaf: - auth: - encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F org: onap: so: @@ -92,25 +94,19 @@ containerPort: &containerPort 8087 logPath: ./logs/openstack/ app: openstack-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-openstack-cert-init - certInitializer: - nameOverride: so-openstack-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -119,30 +115,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8087 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8087 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" diff --git a/kubernetes/so/components/so-request-db-adapter/Chart.yaml b/kubernetes/so/components/so-request-db-adapter/Chart.yaml index db6855aa63..32095c29b7 100755 --- a/kubernetes/so/components/so-request-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-request-db-adapter/Chart.yaml @@ -16,24 +16,24 @@ apiVersion: v2 description: A Helm chart for request-db-adapter name: so-request-db-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml index 9b70ddcb5d..7ea77493d7 100755 --- a/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml @@ -15,6 +15,9 @@ # will be used as entry in DB to say SITE OFF/ON for healthcheck */}} server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} tomcat: max-threads: 50 @@ -22,11 +25,9 @@ ssl-enable: false mso: logPath: logs site-name: localSite - config: - cadi: {{- include "so.cadi.keys" . | nindent 8}} adapters: requestDb: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 spring: datasource: diff --git a/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml index 6331656fce..3be605edf2 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml index fa9d3a6a4b..329d45e480 100755 
--- a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml @@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -71,28 +47,23 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: - name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + name: {{ include "common.fullname" . }}-app-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-request-db-adapter/templates/service.yaml b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-request-db-adapter/values.yaml b/kubernetes/so/components/so-request-db-adapter/values.yaml index 6bcd388b25..9eecb245c7 100755 --- a/kubernetes/so/components/so-request-db-adapter/values.yaml +++ b/kubernetes/so/components/so-request-db-adapter/values.yaml @@ -19,14 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -58,9 +54,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/request-db-adapter:1.10.0 +image: onap/so/request-db-adapter:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -80,25 +85,19 @@ containerPort: &containerPort 8083 logPath: ./logs/reqdb/ app: request-db-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-requestdb-cert-init - certInitializer: - nameOverride: so-requestdb-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.requestDbAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -107,30 +106,41 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8083 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8083 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-sol005-adapter-read + - serviceAccount: so-nssmf-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-sdc-controller/Chart.yaml b/kubernetes/so/components/so-sdc-controller/Chart.yaml index 2f7cac5cf1..fc5496cc3a 100755 --- a/kubernetes/so/components/so-sdc-controller/Chart.yaml +++ b/kubernetes/so/components/so-sdc-controller/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdc-controller -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml index ffa66e9d78..473b1c3bcf 100755 --- a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml @@ -16,6 +16,9 @@ aai: auth: {{.Values.aai.auth}} server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} spring: datasource: 
@@ -48,49 +51,43 @@ request: mso: msoKey: {{ index .Values.mso.msoKey }} logPath: ./logs/sdc - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ .Values.mso.requestDb.auth }} site-name: onapheat camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ .Values.mso.requestDb.auth }} aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 asdc-connections: asdc-controller1: user: mso - consumerGroup: SO-OpenSource-Env11 - consumerId: SO-COpenSource-Env11 - environmentName: AUTO - {{ if (include "common.needTLS" .) }} - asdcAddress: sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} - asdcAddress: sdc-be.{{ include "common.namespace" . }}:8080 + {{ with (first .Values.kafkaUser.acls) }} + consumerId: {{ .name }}-sdc-controller + consumerGroup: {{ .name }} {{ end }} + environmentName: AUTO + sdcAddress: sdc-be.{{ include "common.namespace" . 
}}:8080 password: {{ index .Values "mso" "asdc-connections" "asdc-controller1" "password" }} pollingInterval: 60 pollingTimeout: 60 relevantArtifactTypes: HEAT,HEAT_ENV,HEAT_VOL - useHttpsWithDmaap: false - useHttpsWithSdc: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + useHttpsWithSdc: false activateServerTLSAuth: false keyStorePassword: keyStorePath: watchDogTimeout: 300 isFitlerInEmptyResources: true - messageBusAddress: message-router.{{ include "common.namespace" . }},message-router.{{ include "common.namespace" . }} + httpsProxyHost: + httpProxyHost: + httpsProxyPort: 0 + httpProxyPort: 0 asdc: config: activity: diff --git a/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml index 050aab9732..cb40c08f77 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml 
@@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml index 55493f7c42..e3a0e2bec3 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml @@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: 
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,16 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -85,14 +65,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +81,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} 
diff --git a/kubernetes/so/components/so-sdc-controller/templates/service.yaml b/kubernetes/so/components/so-sdc-controller/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/service.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/service.yaml @@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml index c0e3f5088f..1fe5b50cf7 100755 --- a/kubernetes/so/components/so-sdc-controller/values.yaml +++ b/kubernetes/so/components/so-sdc-controller/values.yaml 
@@ -19,15 +19,12 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' + soSdcListenerKafkaUser: so-sdc-list-user readinessCheck: wait_for: @@ -58,9 +55,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdc-controller:1.10.0 +image: onap/so/sdc-controller:1.12.2 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -87,26 +93,22 @@ minReadySeconds: 10 containerPort: &containerPort 8085 logPath: ./logs/sdc/ app: sdc-controller + service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-sdc-cert-init - certInitializer: - nameOverride: so-sdc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.sdcControllerPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -115,34 +117,54 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} + livenessProbe: - path: /manage/health - port: 8085 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8085 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + ingress: enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-read + nodeSelector: {} tolerations: [] affinity: {} +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: SO + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + #Pods Service Account serviceAccount: nameOverride: so-sdc-controller diff --git a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml index f75662d9d3..c43cad7624 100755 --- a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml 
@@ -17,21 +17,21 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdnc-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~11.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml index 5c7a9af467..55dc11526d 100755 --- a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml 
@@ -14,23 +14,27 @@ # limitations under the License. */}} server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ index .Values.containerPort }} mso: msoKey: ${MSO_KEY} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "${AAF_AUTH}" "value2" "${MSO_AUTH}" )}} + auth: ${MSO_AUTH} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 logPath: ./logs/sdnc config: - cadi: {{ include "so.cadi.keys" . | nindent 14}} + cadi: + aafId: so@so.onap.org catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} site-name: onapheat #needs to be confirmed TODO workflow: @@ -109,7 +113,7 @@ org: changedelete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf delete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf rollback: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.sdnc.bpelauth }} bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/SDNCAdapterCallbackService opticalservice: optical-service-create: 
@@ -154,7 +158,7 @@ org: myurl: http://so-sdnc-adapter.{{ include "common.namespace" . }}:8086/adapters/rest/SDNCNotify rest: bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - sdncauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.sdncauth )}} + sdncauth: {{ .Values.org.onap.so.adapters.sdnc.sdncauth }} sdncconnecttime: 5000 sdncurl10: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/GENERIC-RESOURCE-API:' sdncurl11: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/VNFTOPOLOGYAIC-API:' diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml index 050aab9732..eeab0f72cd 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml index b95e0b58a3..e298069233 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml @@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: 
@@ -34,28 +26,12 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -73,14 +49,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-mso-key" "key" "password") | indent 10 }} - name: MSO_AUTH {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-mso-auth" "key" "password") | indent 10 }} - - name: AAF_AUTH - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-aaf-auth" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -89,14 +62,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -108,5 +78,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdnc-adapter/values.yaml b/kubernetes/so/components/so-sdnc-adapter/values.yaml index 54fa88c7c0..61ec096111 100755 --- a/kubernetes/so/components/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/values.yaml 
@@ -22,16 +22,10 @@ global: #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 - #encryptedSecret: some secret mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' ################################################################# @@ -55,11 +49,6 @@ secrets: type: password externalSecret: '{{ tpl (default "" .Values.mso.msoKeySecret) . }}' password: '{{ .Values.mso.msoKey }}' - - uid: sdnc-adapter-aaf-auth - name: '{{ include "common.release" . }}-so-sdnc-aaf-auth' - type: password - externalSecret: '{{ tpl (default "" .Values.global.aaf.auth.encryptedSecret) . }}' - password: '{{ .Values.global.aaf.auth.encrypted }}' - uid: sdnc-adapter-mso-auth name: '{{ include "common.release" . }}-so-sdnc-mso-auth' type: password @@ -72,7 +61,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdnc-adapter:1.10.0 +image: onap/so/sdnc-adapter:1.12.2 pullPolicy: Always org: @@ -93,6 +82,15 @@ mso: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
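Review bot: in the so-sdnc-adapter values.yaml hunk at `@@ -93,6 +82,15 @@`, the new `mariadb-galera` block sets `mariadbOperator.galera.enabled: false` while the first hunk of this file adds `useOperator: true` under `global.mariadbGalera`, and nothing in the file says how the two flags relate. Add a comment on the new block stating which setting applies to the local instance. The unchanged context around the addition still ships static defaults (`auth: Basic YnBlbDpwYXNzd29yZDEk`, `userPassword: so_User123`); since this change already drops the AAF credentials from values, these could move behind `externalSecret` the way the `secrets:` entries earlier in the file do.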
@@ -107,26 +105,19 @@ containerPort: &containerPort 8086 logPath: ./logs/sdnc/ app: sdnc-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-sdnc-cert-init - certInitializer: - nameOverride: so-sdnc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.sdncAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -135,30 +126,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8086 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8086 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml index a9f3821887..d45c89ca71 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml 
@@ -17,24 +17,21 @@ apiVersion: v2 description: ONAP SO VE VNFM Adapter (SOL002) name: so-ve-vnfm-adapter -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - - name: soHelpers - version: ~11.x-0 - repository: 'file://../soHelpers' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml index 8471540011..606ceb4fcc 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml @@ -15,21 +15,16 @@ */}} server: + {{- if include "common.onServiceMesh" . }} + forward-headers-strategy: none + {{- end }} port: {{ include "common.getPort" (dict "global" . "name" "http") }} vevnfmadapter: - {{ if (include "common.needTLS" .) }} - endpoint: https://msb-iag:30283/api/{{ include "common.servicename" . }}/v1 - {{ else }} - endpoint: http://msb-iag:30283/api/{{ include "common.servicename" . }}/v1 - {{ end }} + endpoint: http://msb-iag:80/api/{{ include "common.servicename" . }}/v1 aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} + endpoint: http://aai.{{ include "common.namespace" . }}:80 dmaap: endpoint: http://message-router.{{ include "common.namespace" . }}:3904 
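Review bot: in the so-ve-vnfm-adapter override.yaml hunk at `@@ -15,21 +15,16 @@`, both `common.needTLS` branches are removed and the `vevnfmadapter` and `aai` endpoints become fixed `http://` URLs on port 80, yet only `forward-headers-strategy: none` is gated on `common.onServiceMesh`. Rendered without the mesh, these calls go out in plaintext and there is no value left to switch them back to HTTPS. State in the chart documentation that transport encryption now depends on the service mesh, or keep the scheme and port configurable through values.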
diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml index 9a6b79c440..e322b60e48 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml @@ -24,7 +24,7 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} 
@@ -34,7 +34,7 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -47,9 +47,9 @@ spec: periodSeconds: {{ .Values.livenessProbe.periodSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: {{- include "common.containerPorts" . | nindent 10 }} + ports: {{- include "common.containerPorts" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml index 8e8236cfb4..0e252ff376 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml @@ -20,8 +20,9 @@ global: readinessCheck: wait_for: - - aai - - message-router + services: + - aai + - message-router ################################################################# # Application configuration defaults. 
@@ -48,31 +49,22 @@ service: - name: http port: 9098 -################################################################# -# soHelpers part -################################################################# -soHelpers: - nameOverride: so-vevnfm-cert-init - certInitializer: - nameOverride: so-vevnfm-cert-init - credsPath: /opt/app/osaaf/local - flavor: small resources: small: limits: - memory: 512Mi - cpu: 500m + cpu: "1" + memory: "1Gi" requests: - memory: 256Mi - cpu: 250m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: port: 9098 @@ -85,6 +77,11 @@ nodeSelector: {} tolerations: [] affinity: {} +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + #Pods Service Account serviceAccount: nameOverride: so-ve-vnfm-adapter diff --git a/kubernetes/so/components/soHelpers/Chart.yaml b/kubernetes/so/components/soHelpers/Chart.yaml index 2029d4fd8c..36ce3fae70 100755 --- a/kubernetes/so/components/soHelpers/Chart.yaml +++ b/kubernetes/so/components/soHelpers/Chart.yaml @@ -16,15 +16,12 @@ apiVersion: v2 description: A Helm chart for SO helpers name: soHelpers -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl b/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl deleted file mode 100644 index 7e04706d4a..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- define "so.cadi.keys" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -cadiLoglevel: {{ $initRoot.cadi.logLevel }} -cadiKeyFile: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.certInitializer.fqi_namespace }}.keyfile -cadiTrustStore: {{ $initRoot.certInitializer.credsPath }}/truststoreONAPall.jks -cadiTruststorePassword: ${TRUSTSTORE_PASSWORD} -cadiLatitude: {{ $initRoot.cadi.latitude }} -cadiLongitude: {{ $initRoot.cadi.longitude }} -aafEnv: {{ $initRoot.cadi.aafEnv }} -aafApiVersion: {{ $initRoot.cadi.aafApiVersion }} -aafRootNs: {{ $initRoot.cadi.aafRootNs }} -aafId: {{ $initRoot.cadi.aafId }} -aafPassword: {{ $initRoot.cadi.aafPassword }} -aafLocateUrl: {{ $initRoot.cadi.aafLocateUrl }} -aafUrl: {{ $initRoot.cadi.aafUrl }} -apiEnforcement: {{ $initRoot.cadi.apiEnforcement }} -{{- if ($initRoot.cadi.noAuthn) }} -noAuthn: {{ $initRoot.cadi.noAuthn }} -{{- end }} -{{- end }} diff --git a/kubernetes/so/components/soHelpers/templates/_certificates.tpl b/kubernetes/so/components/soHelpers/templates/_certificates.tpl deleted file mode 100644 index cda61b2cfa..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_certificates.tpl +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- define "so.certificate.container_importer" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.initContainer" $subchartDot }} -{{- end -}} - -{{- define "so.certificate.volumes" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.volumes" $subchartDot }} -{{- end -}} - -{{- define "so.certificate.volumeMount" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.volumeMount" $subchartDot }} -{{- end -}} - -{{- define "so.certificates.env" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{- if $dot.Values.global.aafEnabled }} -- name: TRUSTSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/truststoreONAPall.jks -{{- if $dot.Values.global.security.aaf.enabled }} -- name: KEYSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.certInitializer.fqi_namespace }}.p12 -{{- end }} -{{- end }} -{{- end -}} diff --git a/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl index cde94742c6..e596b806ed 100644 --- a/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl +++ b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl 
@@ -7,11 +7,6 @@ livenessProbe: path: {{ $subchartDot.Values.livenessProbe.path }} port: {{ $subchartDot.Values.containerPort }} scheme: {{ $subchartDot.Values.livenessProbe.scheme }} - {{- if $subchartDot.Values.global.security.aaf.enabled }} - httpHeaders: - - name: Authorization - value: {{ $subchartDot.Values.global.aaf.auth.header }} - {{- end }} initialDelaySeconds: {{ $subchartDot.Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ $subchartDot.Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ $subchartDot.Values.livenessProbe.timeoutSeconds }} diff --git a/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl b/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl deleted file mode 100644 index 56910ebebd..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl +++ /dev/null @@ -1,3 +0,0 @@ -{{- define "so.helpers.profileProperty" -}} - {{ if .condition }}{{ .value1 }}{{ else }}{{ .value2 }}{{ end }} -{{- end -}} diff --git a/kubernetes/so/components/soHelpers/values.yaml b/kubernetes/so/components/soHelpers/values.yaml index 2417d2553c..ec3fef2d81 100755 --- a/kubernetes/so/components/soHelpers/values.yaml +++ b/kubernetes/so/components/soHelpers/values.yaml 
@@ -16,38 +16,10 @@ # Global configuration defaults. ################################################################# global: - aafAgentImage: onap/aaf/aaf_agent:2.1.20 msbEnabled: true - security: - aaf: - enabled: false app: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 -################################################################# -# AAF part -################################################################# -certInitializer: - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: so - fqi: so@so.onap.org - public_fqdn: so.onap.org - fqi_namespace: org.onap.so - cadi_longitude: '0.0' - cadi_latitude: '0.0' - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD={{ .Values.truststorePassword }}" >> {{ .Values.credsPath }}/mycreds.prop - -aafConfig: - permission_user: 1000 - permission_group: 999 - ################################################################# # Application configuration defaults. ################################################################# @@ -60,17 +32,3 @@ livenessProbe: timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 - -cadi: - logLevel: DEBUG - latitude: 38.4329 - longitude: -90.43248 - aafEnv: IST - aafApiVersion: 2.1 - aafRootNs: org.onap.so - aafLocateUrl: https://aaf-locate.onap:8095 - aafUrl: https://aaf-locate.onap:8095/locate/org.osaaf.aaf.service:2.1 - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.apihPerm - noAuthn: /manage/health diff --git a/kubernetes/so/resources/config/overrides/override.yaml b/kubernetes/so/resources/config/overrides/override.yaml index 6933607827..47fc6d3d5d 100755 
--- a/kubernetes/so/resources/config/overrides/override.yaml +++ b/kubernetes/so/resources/config/overrides/override.yaml @@ -1,10 +1,6 @@ aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + endpoint: http://aai.{{ include "common.namespace" . }}:80 + auth: {{ .Values.mso.aai.auth }} server: port: {{ index .Values.containerPort }} tomcat: @@ -17,16 +13,15 @@ mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} config: path: /src/main/resources/ - cadi: {{ include "so.cadi.keys" . | nindent 10}} infra: default: alacarte: 
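Review bot: in the so override.yaml hunk at `@@ -17,16 +13,15 @@`, `catalog.db.spring.endpoint` points at `so-catalog-db-adapter` but its `db.auth` is now unconditionally `{{ .Values.mso.adapters.requestDb.auth }}`, the same value rendered for `requestDb.auth` just above it. That value used to be only the non-AAF fallback; with the conditional gone it is the single credential for both adapters. Either introduce a dedicated value for the catalog DB adapter or add a comment saying the shared credential is intended.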
@@ -38,33 +33,25 @@ mso: default: testApi: GR_API camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ - camundaAuth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.camundaAuth )}} + camundaAuth: {{ .Values.mso.camundaAuth }} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 sdc: client: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.sdc.client.auth )}} + auth: {{ .Values.mso.sdc.client.auth }} activate: instanceid: test userid: cs0008 - {{ if (include "common.needTLS" .) }} - endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 - {{ end }} tenant: isolation: retry: count: 3 aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} - endpoint: http://aai.{{ include "common.namespace" . }}:8080 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + endpoint: http://aai.{{ include "common.namespace" . }}:80 + auth: {{ .Values.mso.aai.auth }} extApi: endpoint: http://nbi.onap:8080/nbi/api/v3 
@@ -74,11 +61,11 @@ mso: username: testuser password: VjR5NDcxSzA= host: http://dmaap-bc.{{ include "common.namespace" . }}:8080 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.so.operationalEnv.dmaap.auth )}} + auth: {{ .Values.mso.so.operationalEnv.dmaap.auth }} publisher: topic: com.att.ecomp.mso.operationalEnvironmentEvent health: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.health.auth )}} + auth: {{ .Values.mso.health.auth }} endpoints: - subsystem: apih uri: http://so-bpmn-infra:8081 diff --git a/kubernetes/so/templates/authorizationpolicy.yaml b/kubernetes/so/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/templates/configmap.yaml b/kubernetes/so/templates/configmap.yaml index c55bf573f1..052a985387 100755 --- a/kubernetes/so/templates/configmap.yaml +++ b/kubernetes/so/templates/configmap.yaml 
@@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index 99a5eff0e7..dcf04b0f9a 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml @@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
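Review bot: in the so deployment.yaml hunk at `@@ -15,18 +15,10 @@`, `spec.selector` changes from an explicit `matchLabels` with `app: {{ include "common.name" . }}` to `{{- include "common.selectors" . | nindent 4 }}`. A Deployment's selector is immutable, so if the helper renders anything other than that single `app` label, an in-place `helm upgrade` from the previous chart version will be rejected. Confirm the rendered labels match the old selector, or document that the existing Deployment has to be deleted before upgrading.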
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -85,24 +60,20 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: - name: {{ include "common.fullname" . }}-app-configmap + name: {{ include "common.fullname" . }}-app-configmap - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log {{ include "common.log.volumes" . | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/templates/ingress.yaml b/kubernetes/so/templates/ingress.yaml index 8f87c68f1e..9bef773eda 100644 --- a/kubernetes/so/templates/ingress.yaml +++ b/kubernetes/so/templates/ingress.yaml 
@@ -1 +1,17 @@ +{{/* +# Copyright © 2018 AT&T USA +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/so/templates/service.yaml b/kubernetes/so/templates/service.yaml index 5a83d566ac..21a6a77e27 100755 --- a/kubernetes/so/templates/service.yaml +++ b/kubernetes/so/templates/service.yaml 
@@ -13,391 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/deactivate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}/{requestId}/unlock", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}", - "protocol": "REST", - "port": "{{ 
.Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}/unlock", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/deactivate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][7]}/serviceInstances/assign", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/unassign", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/enablePort", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/disablePort", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/deactivate", 
- "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/addRelationships", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/removeRelationships", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/replace", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/applyUpdatedConfig", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/replace", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/inPlaceSoftwareUpdate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/deactivateAndCloudDelete", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/scaleOut", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 553de8c2d9..0d53ea3aa8 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -1,6 +1,8 @@ # Copyright © 2018 AT&T USA # Copyright © 2020 Huawei # Copyright © 2021 Orange +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -18,19 +20,19 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - aafAgentImage: onap/aaf/aaf_agent:2.1.20 centralizedLoggingEnabled: true mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true nameOverride: mariadb-galera - serviceName: mariadb-galera servicePort: '3306' service: mariadb-galera internalPort: '3306' - # mariadbRootPassword: secretpassword - # rootPasswordExternalSecret: some secret - #This flag allows SO to instantiate its own mariadb-galera cluster, - #serviceName and nameOverride should be so-mariadb-galera if this flag is enabled + # This flag allows SO to instantiate its own mariadb-galera cluster, + # serviceName and nameOverride should be so-mariadb-galera if this flag is enabled localCluster: false + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: persistence: mountPath: /dockerdata-nfs #This configuration specifies Service and port for SDNC OAM interface @@ -46,22 +48,11 @@ global: dbPassword: secretpassword # dbCredsExternalSecret: some secret msbEnabled: true - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 app: siteName: onapheat auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 defaultCloudOwner: onap - certificates: - path: /etc/ssl/certs - share_path: /usr/local/share/ca-certificates/ - readinessCheck: wait_for: jobs: 
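Review bot: in the `@@ -46,22 +48,11 @@` hunk, the unchanged `auth:` entry under `global.app` carries the same literal as the `aaf.auth.encrypted` value being deleted, so that encoded credential still ships as a chart default, next to `dbPassword: secretpassword`. If the AAF material is being retired, either move `app.auth` into the `secrets:` list with an `externalSecret` override like the other credentials, or add a comment that it is a demo-only default that must be overridden.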
@@ -74,11 +65,24 @@ secrets: - uid: db-root-pass name: &dbRootPassSecretName '{{ include "common.release" . }}-so-db-root-pass' type: password - externalSecret: '{{ .Values.global.mariadbGalera.localCluster | ternary - .Values.global.mariadbGalera.rootPasswordExternalSecret - (default (include "common.mariadb.secret.rootPassSecretName" - (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) - .Values.global.mariadbGalera.rootPasswordExternalSecret) }}' + # If we're using shared mariadb, we need to use the secret name (second + # part). + # If not, we do the same trick than for user db secret hat allows you + # override this secret using external one with the same field that is used + # to pass this to subchart. + externalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (( hasSuffix "so-db-root-pass" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ .Values.global.mariadbGalera.mariadbRootpassword }}' - uid: db-backup-creds name: &dbBackupCredsSecretName '{{ include "common.release" . }}-so-db-backup-creds' 
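Review bot: in the new `externalSecret` expression, the `hasSuffix "so-db-root-pass" (index .Values "mariadb-galera" "rootUser" "externalSecret")` call is not wrapped in `default ""`, while the `tpl` call two lines below it is; an override that clears `rootUser.externalSecret` would reach `hasSuffix` with an empty value, so guard both uses the same way. The shared-cluster branch also now reads `global.mariadbGalera.userRootSecret` instead of `rootPasswordExternalSecret`, so existing overrides that set the old key are silently ignored; mention the rename in the comment block or keep a fallback to the old key. Small wording fixes in the added comment: "the same trick than" should be "the same trick as", and "secret hat allows" should be "secret that allows".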
@@ -129,13 +133,6 @@ secrets: login: '{{ .Values.server.bpel.username }}' password: '{{ .Values.server.bpel.password }}' passwordPolicy: required - - uid: so-aaf-creds - name: &aaf-secrets '{{ include "common.release" . }}-so-server-aaf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.aafCredsExternalSecret) . }}' - login: '{{ .Values.server.aaf.username }}' - password: '{{ .Values.server.aaf.password }}' - passwordPolicy: required - uid: so-aai-creds name: &aai-secrets '{{ include "common.release" . }}-so-server-aai-creds' type: basicAuth @@ -144,32 +141,7 @@ secrets: password: '{{ .Values.server.aai.password }}' passwordPolicy: required -aafConfig: - permission_user: 1000 - permission_group: 999 - -aaf: - trustore: org.onap.so.trust.jks - -################################################################# -# AAF part for Ingress -################################################################# -certInitializer: - nameOverride: so-tls-cert - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: so - fqi: so@so.onap.org - public_fqdn: so.onap.org - fqi_namespace: org.onap.so - cadi_longitude: '0.0' - cadi_latitude: '0.0' - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - ingressTlsSecret: '{{ include "common.release" . }}-so-ingress-certs' - -################################################################# +################################################################## # Application configuration defaults. ################################################################# @@ -182,13 +154,9 @@ dbCreds: userName: so_user adminName: so_admin -image: onap/so/api-handler-infra:1.10.0 +image: onap/so/api-handler-infra:1.12.2 server: - aaf: - username: so@so.onap.org - password: demo123456 - # aafCredsExternalSecret: some secret aai: username: aai@aai.onap.org password: demo123456! 
@@ -210,45 +178,405 @@ logPath: ./logs/apih/ app: api-handler-infra service: type: NodePort - nodePort: 77 internalPort: *containerPort - externalPort: *containerPort - portName: http + ports: + - name: http + port: *containerPort + nodePort: '77' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/activate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/deactivate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}/{requestId}/unlock", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": 
"/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}/unlock", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/activate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/deactivate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][7]}/serviceInstances/assign", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/unassign", + "protocol": "REST", + "port": "{{ 
.Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/enablePort", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/disablePort", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/activate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/deactivate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + 
"serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/addRelationships", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/removeRelationships", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/replace", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/applyUpdatedConfig", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort 
}}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/replace", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/inPlaceSoftwareUpdate", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/deactivateAndCloudDelete", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + 
"visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/scaleOut", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + }, + { + "serviceName": "so", + "version": "v1", + "url": 
"/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "visualRange":"0", + "lb_policy":"ip_hash" + } + ]{{ end }} + updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 -################################################################# +################################################################ # soHelpers part ################################################################# soHelpers: - nameOverride: so-apih-cert-init - certInitializer: - nameOverride: so-apih-cert-init - credsPath: /opt/app/osaaf/local containerPort: *containerPort # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) -persistence: - certificatesPath: /certificates resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} nodeSelector: {} @@ -266,11 +594,18 @@ config: # --set so.global.mariadbGalera.localCluster=true \ # --set so.global.mariadbGalera.nameOverride=so-mariadb-galera \ # --set so.global.mariadbGalera.serviceName=so-mariadb-galera -mariadb-galera: +mariadb-galera: &mariadbGalera rootUser: externalSecret: *dbRootPassSecretName nameOverride: &so-mariadb so-mariadb-galera replicaCount: 1 + service: + name: *so-mariadb + portName: *so-mariadb + internalPort: 3306 + mariadbOperator: + galera: + enabled: false persistence: mountSubPath: so/mariadb-galera/data enabled: true 
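Review bot: in the `@@ -266,11 +594,18 @@` hunk, `mariadbOperator.galera.enabled: false` is added under `mariadb-galera` with no comment, while the same file now sets `global.mariadbGalera.useOperator: true`; please document how the two flags relate and which one wins when `localCluster=true`. Since the block is now exported as the `&mariadbGalera` anchor, everything in it, including `rootUser.externalSecret` and the `persistence` settings, is copied into each subchart that merges it, so it is worth confirming that all of these keys are meant to propagate. `internalPort: 3306` is also an unquoted integer here while the global block uses the quoted string `'3306'`.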
@@ -280,12 +615,21 @@ mariadb-galera: ingress: enabled: false service: - - baseaddr: 'so.api' + - baseaddr: 'so-api' name: 'so' port: 8080 - config: - tls: - secret: '{{ include "common.release" . }}-so-ingress-certs' + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: nbi-read + - serviceAccount: policy-drools-pdp-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: robot-read + - serviceAccount: istio-ingress + namespace: istio-ingress mso: adapters: 
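Review bot: the new `serviceMesh.authorizationPolicy.authorizedPrincipals` list is added without any comment on why each service account needs to reach SO, which makes the allow-list hard to audit later. Please add a short note per entry (or a link to the design record) and drop any principal that is only needed in test deployments, so the default policy stays least-privilege. The same hunk removes the ingress `config.tls.secret` reference; a comment saying where TLS is now terminated for `so-api` would help reviewers confirm the endpoint is not left without it.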
@@ -308,49 +652,69 @@ mso: health: auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= -so-appc-orchestrator: - enabled: false - server: - actuatorCredsExternalSecret: *actuator-secrets - db: - <<: *dbSecrets - so-bpmn-infra: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-catalog-db-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-cnf-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets server: - aafCredsExternalSecret: *aaf-secrets aaiCredsExternalSecret: *aai-secrets actuatorCredsExternalSecret: *actuator-secrets mso: msoKeySecret: *mso-key +so-cnfm-lcm: + enabled: true + mariadb-galera: + <<: *mariadbGalera + db: + <<: *dbSecrets + so-etsi-nfvo-ns-lcm: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-mariadb: + mariadb-galera: + <<: *mariadbGalera db: rootPasswordExternalSecretLocalDb: *dbRootPassSecretName - rootPasswordExternalSecret: '{{ ternary .Values.db.rootPasswordExternalSecretLocalDb (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}' + #rootPasswordExternalSecretLocalDb: *dbRootPassSecretName + rootPasswordExternalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (tpl .Values.db.rootPasswordExternalSecretLocalDb .) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' backupCredsExternalSecret: *dbBackupCredsSecretName userCredsExternalSecret: *dbUserCredsSecretName adminCredsExternalSecret: *dbAdminCredsSecretName so-admin-cockpit: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets 
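Review bot: under `so-mariadb.db`, the added `#rootPasswordExternalSecretLocalDb: *dbRootPassSecretName` is a commented-out copy of the active line directly above it and should be dropped. In the rewritten `rootPasswordExternalSecret` expression, the local-cluster branch passes its value through `tpl` but `global.mariadbGalera.userRootSecret` is returned as-is, so a templated secret name supplied there would not be expanded; either run it through `tpl` as well or state in the values comment that it must be a literal name. The hunk also turns on a new `so-cnfm-lcm` subchart with `enabled: true` and removes `so-appc-orchestrator`; both are behaviour changes that deserve a line in the commit message.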
@@ -359,11 +723,15 @@ so-nssmf-adapter: server: actuatorCredsExternalSecret: *actuator-secrets bpelCredsExternalSecret: *bpel-secrets + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-oof-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets mso: @@ -375,21 +743,29 @@ so-oof-adapter: so-openstack-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-request-db-adapter: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-sdc-controller: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-sdnc-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets mso: @@ -401,6 +777,8 @@ so-ve-vnfm-adapter: so-etsi-sol005-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml index 17da739927..1b927d6c4d 100644 --- a/kubernetes/strimzi/Chart.yaml +++ b/kubernetes/strimzi/Chart.yaml @@ -13,21 +13,22 @@ # limitations under the License. apiVersion: v2 -description: ONAP Strimzi kafka +description: ONAP Strimzi Kafka name: strimzi -version: 11.0.0 +version: 13.0.1 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' + - name: strimzi-kafka-bridge + version: ~13.x-0 + repository: 'file://components/strimzi-kafka-bridge' + condition: strimzi-kafka-bridge.enabled diff --git a/kubernetes/strimzi/Makefile b/kubernetes/strimzi/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/strimzi/Makefile 
+++ b/kubernetes/strimzi/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/dmaap/components/dmaap-strimzi/.helmignore b/kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore similarity index 100% rename from kubernetes/dmaap/components/dmaap-strimzi/.helmignore rename to kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml new file mode 100644 index 0000000000..e254d99710 --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml 
@@ -0,0 +1,23 @@ +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Strimzi Kafka Bridge +name: strimzi-kafka-bridge +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Makefile b/kubernetes/strimzi/components/strimzi-kafka-bridge/Makefile new file mode 100644 index 0000000000..ef273d0e9b --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Makefile 
@@ -0,0 +1,58 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts docker +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties b/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties new file mode 100644 index 0000000000..e6ad8e0920 --- /dev/null 
+++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties @@ -0,0 +1,38 @@ +name=BridgeConfig + +appender.console.type=Console +appender.console.name=STDOUT + +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = [%d] %-5p <%-12.12c{1}:%L> [%-12.12t] %m%n + +# Alternate JSONLayout pattern config +#appender.console.layout.type=JSONLayout +#appender.console.layout.compact=true +#appender.console.layout.eventEol=true +#appender.console.layout.complete=true +#appender.console.layout.properties=false +#appender.console.layout.propertiesAsList=false +#appender.console.layout.locationInfo=true +#appender.console.layout.includeStacktrace=true +#appender.console.layout.stacktraceAsString=true +#appender.console.layout.includeNullDelimiter=false +#appender.console.layout.objectMessageAsJsonObject=true + +rootLogger.level=INFO +rootLogger.appenderRefs=console +rootLogger.appenderRef.console.ref=STDOUT +rootLogger.additivity=false + +logger.bridge.name=io.strimzi.kafka.bridge +logger.bridge.level=INFO +logger.bridge.appenderRefs=console +logger.bridge.appenderRef.console.ref=STDOUT +logger.bridge.additivity=false + +logger.healthy.name=http.openapi.operation.healthy +logger.healthy.level=WARN +logger.ready.name=http.openapi.operation.ready +logger.ready.level=WARN + +monitorInterval=30 diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml new file mode 100644 index 0000000000..25fbf3df77 --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml 
@@ -0,0 +1,24 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-kb-logging-cm + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }} + diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml new file mode 100644 index 0000000000..b081e290e3 --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml 
@@ -0,0 +1,39 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaBridge +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + bootstrapServers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:{{ .Values.config.kafkaInternalPort }} + authentication: + type: {{ .Values.config.saslMechanism }} + username: {{ .Values.config.strimziKafkaAdminUser }} + passwordSecret: + secretName: {{ .Values.config.strimziKafkaAdminUser }} + password: password + enableMetrics: {{ .Values.config.enableMetrics }} + http: + port: {{ .Values.config.port }} + logging: + type: external + valueFrom: + configMapKeyRef: + key: log4j2.properties + name: {{ include "common.fullname" . }}-kb-logging-cm + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml new file mode 100644 index 0000000000..8a4c4cdc6c --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml 
@@ -0,0 +1,35 @@ +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + +################################################################# +# Application configuration defaults. +################################################################# +replicaCount: 1 +config: + port: 8080 + enableMetrics: false + # The following config should be set/overridden + # from parent chart kubernetes/strimzi/values.yaml + saslMechanism: parentValue + kafkaInternalPort: parentValue + strimziKafkaAdminUser: parentValue + +# nameOverride is required to avoid duplication +# in pod and service names ie ...-bridge-bridge-{random hex} +nameOverride: strimzi-kafka diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml new file mode 100644 index 0000000000..12c742ef35 --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml 
@@ -0,0 +1,20 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + - pattern: kafka.cruisecontrol<>(\w+) + name: kafka_cruisecontrol_$1_$2 + type: GAUGE \ No newline at end of file diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml new file mode 100644 index 0000000000..7ad971fc16 --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml 
@@ -0,0 +1,137 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + # Special cases and very specific rules + - pattern: kafka.server<>Value + name: kafka_server_$1_$2 + type: GAUGE + labels: + clientId: "$3" + topic: "$4" + partition: "$5" + - pattern: kafka.server<>Value + name: kafka_server_$1_$2 + type: GAUGE + labels: + clientId: "$3" + broker: "$4:$5" + - pattern: kafka.server<>connections + name: kafka_server_$1_connections_tls_info + type: GAUGE + labels: + cipher: "$2" + protocol: "$3" + listener: "$4" + networkProcessor: "$5" + - pattern: kafka.server<>connections + name: kafka_server_$1_connections_software + type: GAUGE + labels: + clientSoftwareName: "$2" + clientSoftwareVersion: "$3" + listener: "$4" + networkProcessor: "$5" + - pattern: "kafka.server<>(.+):" + name: kafka_server_$1_$4 + type: GAUGE + labels: + listener: "$2" + networkProcessor: "$3" + - pattern: kafka.server<>(.+) + name: kafka_server_$1_$4 + type: GAUGE + labels: + listener: "$2" + networkProcessor: "$3" + # Some percent metrics use MeanRate attribute + # Ex) kafka.server<>MeanRate + - pattern: kafka.(\w+)<>MeanRate + name: kafka_$1_$2_$3_percent + type: GAUGE + # Generic gauges for percents + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3_percent + type: GAUGE + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3_percent + type: GAUGE + labels: + "$4": "$5" + # Generic per-second counters with 
0-2 key/value pairs + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + # Generic gauges with 0-2 key/value pairs + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + # Emulate Prometheus 'Summary' metrics for the exported 'Histogram's. + # Note that these are missing the '_sum' metric! + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + "$6": "$7" + quantile: "0.$8" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + quantile: "0.$6" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + quantile: "0.$4" \ No newline at end of file diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml new file mode 100644 index 0000000000..6a1eab7825 --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml 
@@ -0,0 +1,44 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + # replicated Zookeeper + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$2" + type: GAUGE + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$3" + type: GAUGE + labels: + replicaId: "$2" + - pattern: "org.apache.ZooKeeperService<>(Packets\\w+)" + name: "zookeeper_$4" + type: COUNTER + labels: + replicaId: "$2" + memberType: "$3" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4" + type: GAUGE + labels: + replicaId: "$2" + memberType: "$3" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4_$5" + type: GAUGE + labels: + replicaId: "$2" + memberType: "$3" \ No newline at end of file diff --git a/kubernetes/strimzi/templates/configmap.yaml b/kubernetes/strimzi/templates/configmap.yaml new file mode 100644 index 0000000000..ace51f78ba --- /dev/null +++ b/kubernetes/strimzi/templates/configmap.yaml 
@@ -0,0 +1,21 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: {{ tpl (.Files.Glob "resources/metrics/*").AsConfig . | nindent 2 }} +{{ end }} diff --git a/kubernetes/strimzi/templates/ingress.yaml b/kubernetes/strimzi/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/strimzi/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/strimzi/templates/kafka-rebalance.yaml b/kubernetes/strimzi/templates/kafka-rebalance.yaml new file mode 100644 index 0000000000..6d5f143220 --- /dev/null +++ b/kubernetes/strimzi/templates/kafka-rebalance.yaml 
@@ -0,0 +1,24 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.cruiseControl.kafkaRebalance.enabled }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaRebalance +metadata: + name: {{ include "common.fullname" . }}-kafka-rebalance + labels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: {} +{{- end }} diff --git a/kubernetes/strimzi/templates/pod-monitor.yaml b/kubernetes/strimzi/templates/pod-monitor.yaml new file mode 100644 index 0000000000..be288a4d75 --- /dev/null +++ b/kubernetes/strimzi/templates/pod-monitor.yaml 
@@ -0,0 +1,45 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.metrics.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "common.fullname" . }}-podmonitor + ## podMonitor labels for prometheus to pick up the podMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor + ## + # labels: + # prometheus: kube-prometheus + labels: {{- toYaml $.Values.metrics.podMonitor.labels | nindent 4 }} +spec: + selector: + matchLabels: + strimzi.io/cluster: {{ include "common.release" . }}-strimzi + podMetricsEndpoints: + - port: {{ .Values.metrics.podMonitor.port }} + {{- if .Values.metrics.podMonitor.relabelings }} + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + relabelings: {{- toYaml .Values.metrics.podMonitor.relabelings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.podMonitor.metricRelabelings }} + metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }} + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + {{- end }} +{{- end }} 
diff --git a/kubernetes/strimzi/templates/pv-kafka.yaml b/kubernetes/strimzi/templates/pv-kafka.yaml index 616f03e788..efd4902562 100644 --- a/kubernetes/strimzi/templates/pv-kafka.yaml +++ b/kubernetes/strimzi/templates/pv-kafka.yaml @@ -13,4 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistenceKafka) }} +{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }} diff --git a/kubernetes/strimzi/templates/pv-zk.yaml b/kubernetes/strimzi/templates/pv-zk.yaml index 60f4ca6e79..2c5a8e3678 100644 --- a/kubernetes/strimzi/templates/pv-zk.yaml +++ b/kubernetes/strimzi/templates/pv-zk.yaml @@ -13,5 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - -{{ include "common.replicaPV" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistenceZk) }} +{{ include "common.replicaPV" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }} diff --git a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml index 2653c6799c..4532777f9e 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml @@ -16,16 +16,9 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: - name: {{ .Values.kafkaStrimziAdminUser }} + name: {{ .Values.config.strimziKafkaAdminUser }} labels: strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: - type: {{ .Values.saslMechanism }} - authorization: - type: simple - acls: - - resource: - type: group - name: onap-group - operation: Read \ No newline at end of file + type: {{ .Values.config.saslMechanism }} 
diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index 4e8779d1d2..aee4696fe0 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml @@ -15,25 +15,18 @@ */}} apiVersion: kafka.strimzi.io/v1beta2 kind: Kafka -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: kafka: - version: {{ .Values.version }} + version: {{ .Values.config.kafkaVersion }} replicas: {{ .Values.replicaCount }} listeners: - name: plain - port: {{ .Values.kafkaInternalPort }} + port: {{ .Values.config.kafkaInternalPort }} type: internal tls: false authentication: - type: {{ .Values.saslMechanism }} + type: {{ .Values.config.saslMechanism }} - name: tls port: 9093 type: internal 
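Review bot: Override files that still set the old top-level `version`, `kafkaInternalPort` or `saslMechanism` keys are silently ignored once the template reads `.Values.config.kafkaVersion`, `.Values.config.kafkaInternalPort` and `.Values.config.saslMechanism`, so a deployment that had changed the SASL mechanism or the Kafka version falls back to the chart defaults without any render error. Please call the key move out in the release notes, or fail the render when one of the old keys is present. The `plain` listener in the context lines keeps `tls: false`, so the SCRAM mechanism protects only the password exchange and not the traffic on that port; a comment in values.yaml saying this listener is meant for in-cluster clients only would make that explicit.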
@@ -42,49 +35,101 @@ spec: type: tls - name: external port: 9094 - type: nodeport - tls: true + type: {{ if (include "common.ingressEnabled" .) }}cluster-ip{{ else }}nodeport{{ end }} + tls: {{ if (include "common.ingressEnabled" .) }}false{{ else }}true{{ end }} authentication: - type: tls + type: {{ if (include "common.ingressEnabled" .) }}{{ .Values.config.saslMechanism }}{{ else }}tls{{ end }} configuration: + {{- if not (include "common.ingressEnabled" .) }} bootstrap: - nodePort: {{ .Values.global.nodePortPrefixExt }}91 + nodePort: {{ .Values.global.nodePortPrefixExt }}93 + {{- end }} brokers: - broker: 0 - nodePort: {{ .Values.global.nodePortPrefixExt }}92 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker0 }} + {{- if not (include "common.ingressEnabled" .) }} + nodePort: {{ .Values.global.nodePortPrefixExt }}90 + {{- end }} - broker: 1 - nodePort: {{ .Values.global.nodePortPrefixExt }}93 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker1 }} + {{- if not (include "common.ingressEnabled" .) }} + nodePort: {{ .Values.global.nodePortPrefixExt }}91 + {{- end }} + - broker: 2 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker2 }} + {{- if not (include "common.ingressEnabled" .) }} + nodePort: {{ .Values.global.nodePortPrefixExt }}92 + {{- end }} authorization: - type: simple + type: {{ .Values.config.authType }} superUsers: - - {{ .Values.kafkaStrimziAdminUser }} + - {{ .Values.config.strimziKafkaAdminUser }} template: pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: runAsUser: 0 fsGroup: 0 + {{- if .Values.affinity.podAntiAffinity.enabled }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: strimzi.io/name + operator: In + values: + - {{ include "common.fullname" . 
}}-kafka + topologyKey: "kubernetes.io/hostname" + {{- end }} config: default.replication.factor: {{ .Values.replicaCount }} - min.insync.replicas: {{ .Values.replicaCount }} + min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} offsets.topic.replication.factor: {{ .Values.replicaCount }} + num.partitions: {{ mul .Values.replicaCount 2 }} transaction.state.log.replication.factor: {{ .Values.replicaCount }} - transaction.state.log.min.isr: {{ .Values.replicaCount }} - log.message.format.version: "3.0" - inter.broker.protocol.version: "3.0" + transaction.state.log.min.isr: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} + log.message.format.version: {{ .Values.config.kafkaVersion }} + inter.broker.protocol.version: {{ .Values.config.kafkaVersion }} + auto.create.topics.enable: {{ .Values.config.autoCreateTopics }} storage: type: jbod volumes: - id: 0 type: persistent-claim - size: {{ .Values.persistenceKafka.size }} + size: {{ .Values.persistence.kafka.size }} deleteClaim: true - class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistenceKafka) }} + class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }} + {{- if .Values.metrics.kafkaExporter.enabled }} + metricsConfig: + type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . }} + key: kafka-metrics-config.yml + {{- end }} zookeeper: template: pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: runAsUser: 0 fsGroup: 0 + {{- if .Values.affinity.podAntiAffinity.enabled }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: strimzi.io/name + operator: In + values: + - {{ include "common.fullname" . 
}}-zookeeper + topologyKey: "kubernetes.io/hostname" + {{- end }} replicas: {{ .Values.replicaCount }} config: ssl.hostnameVerification: false 
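Review bot: `min.insync.replicas` and `transaction.state.log.min.isr` compare with `eq 1.0 (.Values.replicaCount)`, which only works while `replicaCount` comes from a values file (parsed as a float); passing `--set replicaCount=1` yields an integer, and the template `eq` then fails with an incompatible-types error. Normalising first, for example `eq (int .Values.replicaCount) 1`, avoids that. On the `external` listener, enabling ingress switches it to `type: cluster-ip` with `tls: false` and SCRAM authentication, so encryption depends entirely on TLS being terminated at the ingress and the hop from the gateway to the brokers is plaintext; that trade-off should be stated next to the `ingress` block in values.yaml. Also, `inter.broker.protocol.version` and `log.message.format.version` are now tied to `.Values.config.kafkaVersion`, which means they move together with the broker version on every upgrade; consider keeping a separate value for the protocol version so it can be raised after the brokers have been upgraded. The new keys mix `advertisedHost` with `advertizedPortBroker0`; one spelling would be easier to grep.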
@@ -94,10 +139,55 @@ spec: {{- end }} storage: type: persistent-claim - size: {{ .Values.persistenceZk.size }} + size: {{ .Values.persistence.zookeeper.size }} deleteClaim: true - class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistenceZk) }} + class: {{ include "common.storageClass" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }} + {{- if .Values.metrics.kafkaExporter.enabled }} + metricsConfig: + type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . }} + key: zookeeper-metrics-config.yml + {{- end }} entityOperator: + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} topicOperator: {} userOperator: {} - + {{- if .Values.cruiseControl.enabled }} + cruiseControl: + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} + metricsConfig: + type: {{ .Values.cruiseControl.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . }} + key: cruisecontrol-metrics-config.yml + {{- end }} + {{- if .Values.metrics.kafkaExporter.enabled }} + kafkaExporter: + template: + pod: + {{- include "common.imagePullSecrets" . 
| nindent 8 }} + topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }} + groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }} + resources: + requests: + cpu: {{ .Values.metrics.kafkaExporter.resources.requests.cpu }} + memory: {{ .Values.metrics.kafkaExporter.resources.requests.memory }} + limits: + cpu: {{ .Values.metrics.kafkaExporter.resources.limits.cpu }} + memory: {{ .Values.metrics.kafkaExporter.resources.limits.memory }} + logging: {{ .Values.metrics.kafkaExporter.logging }} + enableSaramaLogging: {{ .Values.metrics.kafkaExporter.enableSaramaLogging }} + readinessProbe: + initialDelaySeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.timeoutSeconds }} + livenessProbe: + initialDelaySeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.timeoutSeconds }} + {{- end }} diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml index 26b714a342..3cced3e41a 100644 --- a/kubernetes/strimzi/values.yaml +++ b/kubernetes/strimzi/values.yaml 
@@ -19,34 +19,135 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs + ingress: + virtualhost: + baseurl: &baseurl "simpledemo.onap.org" + preaddr: &preaddr "" + postaddr: &postaddr "" ################################################################# # Application configuration defaults. ################################################################# replicaCount: 3 -kafkaInternalPort: 9092 -saslMechanism: scram-sha-512 -version: 3.0.0 -kafkaStrimziAdminUser: strimzi-kafka-admin -persistence: {} +affinity: + podAntiAffinity: + enabled: true +config: + kafkaVersion: 3.7.0 + authType: simple + saslMechanism: &saslMech scram-sha-512 + kafkaInternalPort: &plainPort 9092 + strimziKafkaAdminUser: &adminUser strimzi-kafka-admin + advertisedHost: kafka-api.simpledemo.onap.org + advertizedPortBroker0: &advertizedPortBroker0 9000 + advertizedPortBroker1: &advertizedPortBroker1 9001 + advertizedPortBroker2: &advertizedPortBroker2 9002 + autoCreateTopics: true -persistenceKafka: - enabled: true - size: 2Gi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountPath: /dockerdata-nfs - mountSubPath: strimzi-kafka/kafka -persistenceZk: - enabled: true - size: 2Gi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce +persistence: + enabled: &pvenabled true mountPath: /dockerdata-nfs - mountSubPath: strimzi-kafka/zk + kafka: + enabled: *pvenabled + # default values of 2Gi for dev env. + # Production values should be dimensioned according to requirements. 
ie >= 10Gi + size: 2Gi + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountPath: /dockerdata-nfs + mountSubPath: strimzi-kafka/kafka + zookeeper: + enabled: *pvenabled + size: 1Gi + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountPath: /dockerdata-nfs + mountSubPath: strimzi-kafka/zk #Pods Service Account serviceAccount: nameOverride: strimzi-kafka roles: - read + +ingress: + enabled: false + service: + - baseaddr: "kafka-bootstrap-api" + name: "onap-strimzi-kafka-external-bootstrap" + port: 9094 + protocol: tcp + exposedPort: 9010 + exposedProtocol: TLS + - baseaddr: "kafka-api" + tcpRoutes: + - name: "onap-strimzi-kafka-0" + port: 9094 + exposedPort: *advertizedPortBroker0 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-1" + port: 9094 + exposedPort: *advertizedPortBroker1 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-2" + port: 9094 + exposedPort: *advertizedPortBroker2 + exposedProtocol: TLS + +# Kafka Exporter for metrics +metrics: + enabled: false + kafkaExporter: + enabled: false + metricsConfig: + type: jmxPrometheusExporter + topicRegex: ".*" + groupRegex: ".*" + resources: + requests: + cpu: "2" + memory: "600Mi" + limits: + cpu: "5" + memory: "1.5Gi" + logging: debug + enableSaramaLogging: true + readinessProbe: + initialDelaySeconds: 15 + timeoutSeconds: 5 + livenessProbe: + initialDelaySeconds: 15 + timeoutSeconds: 5 + podMonitor: + # Prometheus pre requisite. Currently an optional addon in the OOM docs + enabled: false + # default port for strimzi metrics + port: "tcp-prometheus" + # podMonitor labels for prometheus to pick up the podMonitor + # dummy value + labels: + release: dummy + relabelings: [] + metricRelabelings: [] + +cruiseControl: +## Cruise Control provides a Kafka metrics reporter implementation +## once installed into the Kafka brokers, filters and records a wide range of metrics provided by the brokers themselves. 
+## pre requisite is having 2 or more broker nodes + enabled: false + metricsConfig: + type: jmxPrometheusExporter + ## Custom resource for Kafka that can rebalance your cluster + # ref. https://strimzi.io/blog/2020/06/15/cruise-control/ + kafkaRebalance: + enabled: false + +###################### +# Component overrides +###################### +strimzi-kafka-bridge: + enabled: true + config: + saslMechanism: *saslMech + kafkaInternalPort: *plainPort + strimziKafkaAdminUser: *adminUser diff --git a/kubernetes/uui/Chart.yaml b/kubernetes/uui/Chart.yaml index 6a0b0c996d..7c4a5b78ca 100644 --- a/kubernetes/uui/Chart.yaml +++ b/kubernetes/uui/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2022 Huawei Technologies Co., Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,24 +18,24 @@ apiVersion: v2 description: ONAP uui name: uui -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: uui-server - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/uui-server' - name: uui-nlp - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/uui-nlp' + - name: uui-intent-analysis + version: ~13.x-0 + repository: 'file://components/uui-intent-analysis' diff --git a/kubernetes/uui/Makefile b/kubernetes/uui/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/uui/Makefile +++ b/kubernetes/uui/Makefile 
@@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/uui/components/Makefile b/kubernetes/uui/components/Makefile index f4c9784bc4..9544d70f33 100644 --- a/kubernetes/uui/components/Makefile +++ b/kubernetes/uui/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/aaf/components/aaf-gui/.helmignore b/kubernetes/uui/components/uui-intent-analysis/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-gui/.helmignore rename to kubernetes/uui/components/uui-intent-analysis/.helmignore diff --git a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml new file mode 100644 index 0000000000..bd1f6eedab --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml 
@@ -0,0 +1,35 @@ +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP uui intent analysis +name: uui-intent-analysis +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql b/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql new file mode 100644 index 0000000000..323deef209 --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql 
@@ -0,0 +1,110 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2022 Huawei Technologies Co., Ltd. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + +create table if not exists intent( + intent_id varchar(255) primary key, + intent_name varchar(255), + intent_generateType VARCHAR (225) +); + +create table if not exists expectation( + expectation_id varchar(255) primary key, + expectation_name varchar(255), + expectation_type varchar(255), + intent_id varchar(255) +); + +create table if not exists expectation_object( + object_id varchar(255) DEFAULT uuid_generate_v4 (), + primary key(object_id), + object_type varchar(255), + object_instance varchar(255), + expectation_id varchar(255) +); + +create table if not exists expectation_target( + target_id varchar(255) primary key, + target_name varchar(255), + expectation_id varchar(255) +); + +create table if not exists context( + context_id varchar(255) primary key, + context_name varchar(255), + parent_id varchar(255) +); + +create table if not exists context_mapping( + context_id varchar(255) primary key, + parent_type varchar(255), + parent_id varchar(255) +); + +create table if not exists 
fulfilment_info( + fulfilment_info_id varchar(255) primary key, + fulfilment_info_status varchar(255), + not_fulfilled_state varchar(255), + not_fulfilled_reason varchar(255) +); + +create table if not exists state( + state_id varchar(255) primary key, + state_name varchar(255), + is_satisfied boolean, + condition varchar(255), + expectation_id varchar(255) +); + +create table if not exists condition( + condition_id varchar(255) primary key, + condition_name varchar(255), + operator_type varchar(255), + condition_value varchar(255), + parent_id varchar(255) + ); + +create table if not exists intent_management_function_reg_info( + imfr_info_id varchar(255) primary key, + imfr_info_description varchar(255), + support_area varchar(255), + support_model varchar(255), + support_interfaces varchar(255), + handle_name varchar(255), + intent_function_type varchar(255) + ); + +create table if not exists intent_event_record( + id varchar(255) DEFAULT uuid_generate_v4 (), + intent_id varchar(255), + intent_name varchar(255), + intent_status varchar (225), + operate_type varchar (225), + parent_id varchar(255) + ); + +-- ---------------------------- +-- Records of intent_management_function_reg_info +-- ---------------------------- + +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLBusinessId','CLLBusiness','CLLBUSINESS',null,'CREATE,DELETE,UPDATE,SEARCH','CLLBusinessIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLBusinessId' ) +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLDeliveryId','CLLDelivery','CLLBUSINESS,DELIVERY',null,'CREATE,DELETE,UPDATE,SEARCH','CLLDeliveryIntentManagementFunction','INTERNALFUNCTION' where not 
exists(select * from intent_management_function_reg_info where imfr_info_id='CLLDeliveryId' ) +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLAssuranceId','CLLAssurance','CLLBUSINESS,ASSURANCE',null,'CREATE,DELETE,UPDATE,SEARCH','CLLAssuranceIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLAssuranceId' ) + diff --git a/kubernetes/uui/components/uui-intent-analysis/resources/entrypoint/run.sh b/kubernetes/uui/components/uui-intent-analysis/resources/entrypoint/run.sh new file mode 100644 index 0000000000..cf68e7c96a --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/resources/entrypoint/run.sh @@ -0,0 +1,31 @@ +{{/* +# +# Copyright (C) 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +*/}} + +main_path="/home/uui" +echo @main_path@ $main_path + +JAVA_PATH="$JAVA_HOME/bin/java" +JAVA_OPTS="-Xms50m -Xmx128m" +echo @JAVA_PATH@ $JAVA_PATH +echo @JAVA_OPTS@ $JAVA_OPTS + +jar_path="$main_path/usecase-ui-intent-analysis.jar" +echo @jar_path@ $jar_path + +echo "Starting usecase-ui-intent-analysis..." +$JAVA_PATH $JAVA_OPTS -classpath $jar_path -jar $jar_path $SPRING_OPTS 
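Review bot: In the kubernetes/strimzi/values.yaml hunk, `advertisedHost: kafka-api.simpledemo.onap.org` hard-codes the same domain that this hunk introduces as `baseurl: &baseurl "simpledemo.onap.org"` under `global.ingress.virtualhost`, so overriding the base URL leaves the advertised broker address pointing at the old host. Build the host in the template from the base URL, or add a comment that both values must be changed together. In the same hunk the `metrics.kafkaExporter` defaults are `logging: debug` and `enableSaramaLogging: true`; since these apply as soon as someone sets `enabled: true`, less verbose defaults would be safer, with debug left as an opt-in. The keys also mix spellings (`advertisedHost` next to `advertizedPortBroker0`), which is easy to get wrong in an override file.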
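Review bot: In the `package-%` target of kubernetes/uui/Makefile (the hunk in kubernetes/uui/components/Makefile is identical), `cm-push -f` forces the upload even when that chart version already exists in the `local` repository, so a rebuild silently replaces a published chart without a version bump. If that is intended for local development only, say so in a comment. The package path is taken from helm's human-readable output with `cut -d":" -f2`, which breaks if the message format changes or the path contains a colon. The new `@sleep 3` has no explanation, and the `#@$(HELM_BIN) repo index $(PACKAGE_DIR)` line should be deleted rather than left commented out.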
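Review bot: In intent-analysis-init.sql, the three `insert into intent_management_function_reg_info ... where not exists(...)` statements at the end of the file have no terminating `;`, so psql parses them as a single statement and reports a syntax error, and none of the three rows is inserted. End each statement with a semicolon. Two smaller points in the same file: `intent_event_record` is the only table created without a primary key (`id` only has the `uuid_generate_v4 ()` default), and `intent_generateType`, `intent_status` and `operate_type` are declared with length 225 where every other column uses 255, which looks like a typo.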
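Review bot: The last line of run.sh starts the JVM as a child of the shell and leaves every variable unquoted. The deployment template in this change runs the script through `sh -c ". /uui/run.sh"`, so the shell stays the container's main process and a termination signal sent to the container is not delivered to Java; starting it with `exec "$JAVA_PATH" $JAVA_OPTS -jar "$jar_path" $SPRING_OPTS` fixes both. `-classpath $jar_path` can be dropped because the class path option is ignored when `-jar` is given. `JAVA_OPTS="-Xms50m -Xmx128m"` is hard-coded in the script, while the chart's values.yaml sets a 1Gi memory limit for the small flavor; taking the heap settings from values or an environment variable would keep the two in step.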
diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/configmap.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/configmap.yaml new file mode 100644 index 0000000000..3583c416de --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/templates/configmap.yaml @@ -0,0 +1,31 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-entrypoint + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/entrypoint/*").AsConfig . | indent 2 }} diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml new file mode 100644 index 0000000000..d2824d1bbb --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml 
@@ -0,0 +1,74 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.pullPolicy }} + command: ["sh", "-c"] + args: + - ". /uui/run.sh" + ports: {{ include "common.containerPorts" . | nindent 10 }} + env: + - name: POSTGRES_IP + value: {{ .Values.postgres.service.name2 }} + - name: POSTGRES_PORT + value: "{{ .Values.postgres.service.externalPort }}" + - name: POSTGRES_DB_NAME + value: {{ .Values.postgres.config.pgDatabase }} + - name: POSTGRES_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 10 }} +{{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} +{{- end }} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + resources: {{ include "common.resources" . | nindent 10 }} +{{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} +{{- end }} +{{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} +{{- end }} + volumeMounts: + - mountPath: /uui/run.sh + name: entrypoint + subPath: run.sh + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: entrypoint + configMap: + name: {{ include "common.fullname" . }}-entrypoint + defaultMode: 0755 + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml new file mode 100644 index 0000000000..9c499132a9 --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml 
@@ -0,0 +1,82 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-init-postgres + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-job + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }}-job + release: {{ include "common.release" . }} + spec: + restartPolicy: Never + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - "{{ .Values.postgres.service.name2 }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }}-job + image: {{ include "repositoryGenerator.image.postgres" . }} + imagePullPolicy: {{ .Values.pullPolicy }} + env: + - name: PGUSER + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + command: + - /bin/sh + - -c + - | + psql -h $(UUI_INTENT_PG_PRIMARY_SERVICE_HOST) -f /aaa/init/intent-analysis-init.sql -d {{ .Values.postgres.config.pgDatabase }} + volumeMounts: + - name: init-data + mountPath: /aaa/init/intent-analysis-init.sql + subPath: intent-analysis-init.sql + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: init-data + configMap: + name: {{ include "common.fullname" . }} diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/secrets.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/secrets.yaml new file mode 100644 index 0000000000..638e02c1e5 --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/service.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/service.yaml new file mode 100644 index 0000000000..33e96ef8c4 --- /dev/null 
+++ b/kubernetes/uui/components/uui-intent-analysis/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/uui/components/uui-intent-analysis/values.yaml b/kubernetes/uui/components/uui-intent-analysis/values.yaml new file mode 100644 index 0000000000..c638303d86 --- /dev/null +++ b/kubernetes/uui/components/uui-intent-analysis/values.yaml 
@@ -0,0 +1,126 @@ +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for uui intent analysis. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + passwordStrength: long + +#Pods Service Account +serviceAccount: + nameOverride: uui-intent-analysis + roles: + - read + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-uui-intent-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "uui-intent-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-uui-intent-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) 
(hasSuffix "uui-intent-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +image: onap/usecase-ui-intent-analysis:5.2.4 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false +flavor: small +replicaCount: 1 +nodeSelector: {} +affinity: {} + +service: + type: ClusterIP + name: uui-intent-analysis + ports: + - name: http-rest + port: &svc_port 8083 + +liveness: + initialDelaySeconds: 120 + port: *svc_port + periodSeconds: 10 + enabled: true + +readiness: + initialDelaySeconds: 60 + port: *svc_port + periodSeconds: 10 + +# application configuration override for postgres +postgres: + nameOverride: &postgresName uui-intent-postgres + service: + name: *postgresName + name2: uui-intent-pg-primary + name3: uui-intent-pg-replica + container: + name: + primary: uui-intent-pg-primary + replica: uui-intent-pg-replica + config: + pgUserName: uui + pgDatabase: uuiintdb + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + persistence: + mountSubPath: uui/uuiintent/data + mountInitPath: uui + +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' + +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "200Mi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "2" + memory: "1Gi" + unlimited: {} + diff --git a/kubernetes/uui/components/uui-nlp/Chart.yaml b/kubernetes/uui/components/uui-nlp/Chart.yaml index 84664dcfb5..681b7bc90c 100644 --- a/kubernetes/uui/components/uui-nlp/Chart.yaml +++ b/kubernetes/uui/components/uui-nlp/Chart.yaml @@ -20,15 +20,15 @@ apiVersion: v2 description: ONAP UUI NLP name: uui-nlp -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~11.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/uui/components/uui-nlp/templates/deployment.yaml b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml index e72ee448c6..8ef27920b6 100644 --- a/kubernetes/uui/components/uui-nlp/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml @@ -57,6 +57,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-nlp/templates/ingress.yaml b/kubernetes/uui/components/uui-nlp/templates/ingress.yaml index 8f87c68f1e..1471cb1d75 100644 --- a/kubernetes/uui/components/uui-nlp/templates/ingress.yaml +++ b/kubernetes/uui/components/uui-nlp/templates/ingress.yaml 
@@ -1 +1,17 @@ +{{/* +# Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/uui/components/uui-nlp/values.yaml b/kubernetes/uui/components/uui-nlp/values.yaml index b8c4b2fa69..cdfa50e3c0 100644 --- a/kubernetes/uui/components/uui-nlp/values.yaml +++ b/kubernetes/uui/components/uui-nlp/values.yaml @@ -19,7 +19,7 @@ global: pullPolicy: Always persistence: {} -image: onap/usecase-ui-nlp:1.0.3 +image: onap/usecase-ui-nlp:1.0.5 uui-nlp: enabled: true @@ -81,16 +81,16 @@ securityContext: resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 0.5 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/uui/components/uui-server/Chart.yaml b/kubernetes/uui/components/uui-server/Chart.yaml index 133ebc5bf6..82e395ed45 100644 --- a/kubernetes/uui/components/uui-server/Chart.yaml +++ b/kubernetes/uui/components/uui-server/Chart.yaml 
@@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation -# +# Modifications Copyright © 2022 CMCC Corporation # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP uui server name: uui-server -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/uui/components/uui-server/resources/config/application.properties b/kubernetes/uui/components/uui-server/resources/config/application.properties index 37f8467df1..36308c0313 100644 --- a/kubernetes/uui/components/uui-server/resources/config/application.properties +++ b/kubernetes/uui/components/uui-server/resources/config/application.properties @@ -1,5 +1,5 @@ ## -## Copyright (C) 2017 CMCC, Inc. and others. All rights reserved. +## Copyright (C) 2022 CMCC, Inc. and others. All rights reserved. ## ## Licensed under the Apache License, Version 2.0 (the "License"); ## you may not use this file except in compliance with the License. 
@@ -20,9 +20,9 @@ spring.http.multipart.max-file-size=128MB spring.http.multipart.max-request-size=128MB ## App DB Properties -spring.datasource.url=jdbc:postgresql://localhost:5432/uui -spring.datasource.username=uui -spring.datasource.password=uui +spring.datasource.url=jdbc:postgresql://${POSTGRES_IP:127.0.0.1}:${POSTGRES_PORT:5432}/${POSTGRES_DB_NAME:uui} +spring.datasource.username=${POSTGRES_USERNAME} +spring.datasource.password=${POSTGRES_PASSWORD} spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL9Dialect spring.database.driver.classname=org.postgresql.Driver spring.jpa.show-sql=false @@ -46,8 +46,3 @@ logging.level.*=INFO #enable shutdown endpoints.shutdown.enabled=true endpoints.shutdown.sensitive=false - -server.ssl.protocol=TLS -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.key-store-type=PKCS12 \ No newline at end of file diff --git a/kubernetes/uui/components/uui-server/resources/config/postgres.sql b/kubernetes/uui/components/uui-server/resources/config/postgres.sql new file mode 100644 index 0000000000..36c0894279 --- /dev/null +++ b/kubernetes/uui/components/uui-server/resources/config/postgres.sql 
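Review bot: The -46,8 hunk of application.properties drops every server.ssl.* setting, so uui-server now listens without TLS, while the unchanged context directly above still has endpoints.shutdown.enabled=true and endpoints.shutdown.sensitive=false. That leaves a shutdown endpoint marked non-sensitive reachable over plain HTTP; disable it, or set sensitive=true, in the same change that removes the key store.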
@@ -0,0 +1,245 @@ +-- +-- Copyright (C) 2022 CMCC, Inc. and others. All rights reserved. +-- +-- Licensed under the Apache License, Version 2.0 (the "License"); +-- you may not use this file except in compliance with the License. +-- You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +-- ---------------------------- +-- Table structure for "alarms_additionalinformation" +-- ---------------------------- +DROP TABLE IF EXISTS alarms_additionalinformation; +CREATE TABLE alarms_additionalinformation( + id serial, + "header_id" varchar(50) NOT NULL, + "name" varchar(100) DEFAULT NULL, + "value" varchar(100) DEFAULT NULL, + "source_id" varchar(100) DEFAULT NULL, + "start_epoch_microsec" varchar(100) DEFAULT NULL, + "last_epoch_microsec" varchar(100) DEFAULT NULL, + CONSTRAINT alarms_additionalinformation_pk PRIMARY KEY (id) +) WITH ( OIDS = FALSE); + +-- ---------------------------- +-- Table structure for "alarms_commoneventheader" +-- ---------------------------- +DROP TABLE IF EXISTS alarms_commoneventheader; +CREATE TABLE alarms_commoneventheader ( + "id" varchar(50) NOT NULL, + "version" varchar(100) DEFAULT NULL, + "event_name" varchar(100) DEFAULT NULL, + "domain" varchar(100) DEFAULT NULL, + "event_id" varchar(100) DEFAULT NULL, + "event_type" varchar(100) DEFAULT NULL, + "nfc_naming_code" varchar(100) DEFAULT NULL, + "nf_naming_code" varchar(100) DEFAULT NULL, + "source_id" varchar(100) DEFAULT NULL, + "source_name" varchar(100) DEFAULT NULL, + "reporting_entity_id" varchar(100) DEFAULT NULL, + "reporting_entity_name" varchar(100) DEFAULT NULL, + "priority" varchar(50) DEFAULT NULL, + 
"start_epoch_microsec" varchar(100) DEFAULT NULL, + "last_epoch_microsec" varchar(100) DEFAULT NULL, + "start_epoch_microsec_cleared" varchar(100) DEFAULT NULL, + "last_epoch_microsec_cleared" varchar(100) DEFAULT NULL, + "sequence" varchar(100) DEFAULT NULL, + "fault_fields_version" varchar(100) DEFAULT NULL, + "event_servrity" varchar(100) DEFAULT NULL, + "event_source_type" varchar(100) DEFAULT NULL, + "event_category" varchar(100) DEFAULT NULL, + "alarm_condition" varchar(100) DEFAULT NULL, + "specific_problem" varchar(100) DEFAULT NULL, + "vf_status" varchar(100) DEFAULT NULL, + "alarm_interfacea" varchar(100) DEFAULT NULL, + "status" varchar(50) DEFAULT NULL, + CONSTRAINT alarms_commoneventheader_pk PRIMARY KEY (id) +) WITH ( OIDS = FALSE ); + +-- ---------------------------- +-- Table structure for "performance_additionalinformation" +-- ---------------------------- +DROP TABLE IF EXISTS performance_additionalinformation; +CREATE TABLE performance_additionalinformation ( + id serial, + "header_id" varchar(50) NOT NULL, + "name" varchar(100) DEFAULT NULL, + "value" varchar(100) DEFAULT NULL, + "source_id" varchar(100) DEFAULT NULL, + "start_epoch_microsec" varchar(100) DEFAULT NULL, + "last_epoch_microsec" varchar(100) DEFAULT NULL, + CONSTRAINT performance_additionalinformation_pk PRIMARY KEY (id) +) WITH ( OIDS = FALSE ); + +-- ---------------------------- +-- Table structure for "performance_commoneventheader" +-- ---------------------------- +DROP TABLE IF EXISTS performance_commoneventheader; +CREATE TABLE performance_commoneventheader ( + "id" varchar(50) NOT NULL, + "version" varchar(100) DEFAULT NULL, + "event_name" varchar(100) DEFAULT NULL, + "domain" varchar(100) DEFAULT NULL, + "event_id" varchar(100) DEFAULT NULL, + "event_type" varchar(100) DEFAULT NULL, + "nfc_naming_code" varchar(100) DEFAULT NULL, + "nf_namingcode" varchar(100) DEFAULT NULL, + "source_id" varchar(100) DEFAULT NULL, + "source_name" varchar(100) DEFAULT NULL, + 
"reporting_entity_id" varchar(100) DEFAULT NULL, + "reporting_entity_name" varchar(100) DEFAULT NULL, + "priority" varchar(50) DEFAULT NULL, + "start_epoch_microsec" varchar(100) DEFAULT NULL, + "last_epoch_microsec" varchar(100) DEFAULT NULL, + "sequence" varchar(100) DEFAULT NULL, + "measurements_for_vf_scaling_version" varchar(100) DEFAULT NULL, + "measurement_interval" varchar(100) DEFAULT NULL, + CONSTRAINT performance_commoneventheader_pk PRIMARY KEY (id) +) WITH (OIDS = FALSE); + +-- ---------------------------- +-- Table structure for service_instances +-- ---------------------------- +DROP TABLE IF EXISTS service_instances; +CREATE TABLE service_instances ( + "id" varchar(50) NOT NULL, + "service_instance_id" varchar(100) NOT NULL, + "customer_id" varchar(50) NOT NULL, + "service_type" varchar(50) NOT NULL, + "usecase_type" varchar(50) NOT NULL, + "uuid" varchar(100), + "invariant_uuid" varchar(100), + CONSTRAINT service_instances_pk PRIMARY KEY (service_instance_id) +); + +-- ---------------------------- +-- Table structure for service_instance_operations +-- ---------------------------- +DROP TABLE IF EXISTS service_instance_operations; +CREATE TABLE service_instance_operations ( + "service_instance_id" varchar(100) NOT NULL, + "operation_id" varchar(100) NOT NULL, + "operation_type" varchar(50) NOT NULL, + "operation_progress" varchar(50) NOT NULL, + "operation_result" varchar(100) DEFAULT NULL, + "start_time" varchar(100) NOT NULL, + "end_time" varchar(100), + CONSTRAINT service_instance_operations_pk PRIMARY KEY (service_instance_id, operation_id) +); + +-- ---------------------------- +-- Table structure for sort_master +-- ---------------------------- +DROP TABLE IF EXISTS sort_master; +CREATE TABLE sort_master ( + "sort_type" varchar(50) NOT NULL, + "sort_code" varchar(10) NOT NULL, + "sort_value" varchar(100) NOT NULL, + "language" varchar(50) NOT NULL, + CONSTRAINT sort_master_pk PRIMARY KEY (sort_type, sort_code, language) +); + +-- 
---------------------------- +-- Table structure for sort_master +-- ---------------------------- +DROP TABLE IF EXISTS instance_performance; +CREATE TABLE instance_performance +( + id serial not null + constraint instance_performance_pk + primary key, + job_id varchar(36), + resource_instance_id varchar(36), + bandwidth numeric, + date timestamp, + max_bandwidth numeric +); + +-- ---------------------------- +-- Table structure for ccvpn_instance +-- ---------------------------- +DROP TABLE IF EXISTS ccvpn_instance; +CREATE TABLE ccvpn_instance +( + id serial not null + constraint ccvpn_instance_pk + primary key, + instance_id varchar(16), + job_id varchar(36), + progress integer, + status char default 0, + resource_instance_id varchar(36), + name varchar(255), + cloud_point_name varchar(255), + access_point_one_name varchar(255), + access_point_one_band_width integer, + line_num varchar(64), + delete_state integer default 0, + protect_status integer default 0, + protection_cloud_point_name varchar(255), + protection_type varchar(255) +); + +-- ---------------------------- +-- Table structure for intent_model +-- ---------------------------- +DROP TABLE IF EXISTS intent_model; +create table intent_model +( + id serial not null + constraint intent_model_pk + primary key, + model_name varchar(100) default NULL::character varying, + file_path varchar(500) default NULL::character varying, + create_time varchar(100) default NULL::character varying, + size numeric(10, 3), + active integer, + model_type integer default 0 +); + +-- ---------------------------- +-- Table structure for intent_instance +-- ---------------------------- +DROP TABLE IF EXISTS intent_instance; +create table intent_instance +( + id serial not null + constraint intent_instance_pk + primary key, + intent_name varchar(50), + intent_source integer, + customer varchar(50), + intent_content text, + intent_config text, + business_instance_id varchar(50), + business_instance varchar(255) +); + +-- 
---------------------------- +-- import initial data for sort_master +-- ---------------------------- +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1001', 'Creating', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1002', 'Deleting', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1003', 'Scaling', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1004', 'Healing', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1005', 'Updating', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1001', '创建', 'cn'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1002', '删除', 'cn'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1003', '缩扩容', 'cn'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1004', '自愈', 'cn'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationType', '1005', '更新', 'cn'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationResult', '2001', 'Successful', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationResult', '2002', 'Failed', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationResult', '2003', 'In Progress', 'en'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationResult', '2001', '成功', 'cn'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationResult', '2002', '失败', 'cn'); +INSERT INTO sort_master (sort_type, sort_code, sort_value, language) VALUES ('operationResult', 
'2003', '执行中', 'cn'); + diff --git a/kubernetes/uui/components/uui-server/templates/deployment.yaml b/kubernetes/uui/components/uui-server/templates/deployment.yaml index b7a385d30e..ae08054d88 100644 --- a/kubernetes/uui/components/uui-server/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-server/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 ZTE # Modifications Copyright © 2018 AT&T, Amdocs, Bell Canada +# Modifications Copyright © 2022 CMCC Corporation # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
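Review bot: postgres.sql opens every table with DROP TABLE IF EXISTS, and job.yaml feeds this file to psql each time the job runs, so any re-run of the init job against a populated database discards the alarm, performance, service-instance and intent tables. Prefer CREATE TABLE IF NOT EXISTS and make the sort_master inserts idempotent (for example INSERT ... ON CONFLICT DO NOTHING). Smaller points in the same file: the comment above instance_performance still reads "Table structure for sort_master", and the column names event_servrity, alarm_interfacea and nf_namingcode (against nf_naming_code in alarms_commoneventheader) look like typos that should be confirmed against the application's entity mappings.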
@@ -16,41 +17,69 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: KEYSTORE_PASSWORD + value: "${KEYSTORE_PASSWORD}" + - name: POSTGRES_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . 
}}-update-config + + - command: + - /app/ready.py + args: + - --service-name + - "{{ .Values.postgres.service.name2 }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} command: - sh args: - -c - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) bash /uui/run.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -59,7 +88,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} + {{- end }} resources: {{ include "common.resources" . | nindent 12 }} readinessProbe: tcpSocket: 
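Review bot: In the -16,41 hunk of deployment.yaml, the update-config init container still passes KEYSTORE_PASSWORD through as the literal "${KEYSTORE_PASSWORD}", but this merge removes server.ssl.key-store-password from application.properties, so nothing in the visible config references it any more; drop the env entry. The envsubst loop also runs with no variable list over every file under /config-input, so any $NAME sequence in those files is substituted and unset names become empty; passing an explicit list such as '${POSTGRES_USERNAME} ${POSTGRES_PASSWORD}' limits substitution to the two values that are meant to be filled in. The rendered file, which contains the database password, goes to the init-data emptyDir with medium: Memory; a short comment in the template saying why the volume is memory-backed would keep that from being changed later.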
@@ -71,24 +100,30 @@ spec: value: {{tpl .Values.msbaddr .}} - name: MR_ADDR value: {{tpl .Values.mraddr .}} - {{- if .Values.global.aafEnabled }} + - name: POSTGRES_IP + value: {{.Values.postgres.service.name2}} + - name: POSTGRES_PORT + value: "$(UUI_SERVER_POSTGRES_SERVICE_PORT)" - name: SPRING_OPTS value: --spring.config.location=file:/config/application.properties - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + - name: POSTGRES_DB_NAME + value: {{ .Values.postgres.config.pgDatabase }} + volumeMounts: - mountPath: /uui/run.sh name: entrypoint subPath: run.sh - mountPath: /config/application.properties - name: config + name: init-data subPath: application.properties - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: config + volumes: + - name: init-data-input configMap: name: {{ include "common.fullname" . }} + - name: init-data + emptyDir: + medium: Memory - name: entrypoint configMap: name: {{ include "common.fullname" . }}-entrypoint defaultMode: 0755 - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-server/templates/ingress.yaml b/kubernetes/uui/components/uui-server/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/uui/components/uui-server/templates/ingress.yaml +++ b/kubernetes/uui/components/uui-server/templates/ingress.yaml 
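Review bot: In the -71,24 hunk of deployment.yaml, POSTGRES_PORT is set to "$(UUI_SERVER_POSTGRES_SERVICE_PORT)", which depends on Kubernetes injecting service environment variables for a service named uui-server-postgres, while POSTGRES_IP points at .Values.postgres.service.name2 (uui-server-pg-primary). If that variable is not present in the pod, the unexpanded string is passed on and ends up in the JDBC URL built in application.properties. Take the port from a chart value, or at least derive host and port from the same service.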
@@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/uui/components/uui-server/templates/job.yaml b/kubernetes/uui/components/uui-server/templates/job.yaml new file mode 100644 index 0000000000..e995c58a16 --- /dev/null +++ b/kubernetes/uui/components/uui-server/templates/job.yaml 
@@ -0,0 +1,74 @@ +# +# Copyright 2022 CMCC Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +apiVersion: batch/v1 +kind: Job +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }}-job + release: {{ include "common.release" . }} + spec: + restartPolicy: Never + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - "{{ .Values.postgres.service.name2 }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy}} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }}-job + image: {{ include "repositoryGenerator.image.postgres" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: PGUSER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 10 }} + command: + - /bin/sh + - -c + - | + psql -U {{ .Values.postgres.config.pgUserName }} -d {{ .Values.postgres.config.pgDatabase }} -h $(UUI_SERVER_PG_PRIMARY_SERVICE_HOST) -f /aaa/init/postgres.sql + volumeMounts: + - name: init-data + mountPath: /aaa/init/postgres.sql + subPath: postgres.sql + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: init-data + configMap: + name: {{ include "common.fullname" . }} diff --git a/kubernetes/uui/components/uui-server/templates/secrets.yaml b/kubernetes/uui/components/uui-server/templates/secrets.yaml new file mode 100644 index 0000000000..e36412bf2a --- /dev/null +++ b/kubernetes/uui/components/uui-server/templates/secrets.yaml @@ -0,0 +1,15 @@ +{{/* +# Copyright © 2022 CMCC Corporation +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/uui/components/uui-server/templates/service.yaml b/kubernetes/uui/components/uui-server/templates/service.yaml index 157dac396d..fd6a25408d 100644 --- a/kubernetes/uui/components/uui-server/templates/service.yaml +++ b/kubernetes/uui/components/uui-server/templates/service.yaml 
@@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T, ZTE # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,40 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "usecaseui-server", - "version": "v1", - "url": "/api/usecaseui-server/v1", - "protocol": "REST", - "port": "{{.Values.service.internalPort}}", - "visualRange":"1", - "enable_ssl": true - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.uuiPortPrefix | default .Values.uuiPortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml index d279163690..d1bc3379d0 100644 --- a/kubernetes/uui/components/uui-server/values.yaml +++ b/kubernetes/uui/components/uui-server/values.yaml 
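Review bot: The psql command in the new job.yaml passes -U {{ .Values.postgres.config.pgUserName }} even though PGUSER and PGPASSWORD are already taken from the pg-user-creds secret; when pgUserExternalSecret supplies a different login, -U overrides PGUSER and the password no longer matches. Drop -U and let psql read PGUSER. The host comes from $(UUI_SERVER_PG_PRIMARY_SERVICE_HOST), a service environment variable, whereas the readiness init container uses .Values.postgres.service.name2; using the service name for -h keeps the two in step. Add -v ON_ERROR_STOP=1 as well, since without it psql -f continues past a failing statement and can still exit 0, so the job would report success on a half-applied schema. The licence header in job.yaml is plain # comments rather than the {{/* */}} block the other templates use, so it is emitted into the rendered manifest.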
@@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# +# Modifications Copyright © 2022 CMCC Corporation # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -15,46 +15,31 @@ # Default values for uui. # This is a YAML-formatted file. # Declare variables to be passed into your templates. + +################################################################# +# Global configuration defaults. +################################################################# global: - uuiPortPrefix: 303 + nodePortPrefix: 302 + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-uui-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "uui-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-uui-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "uui-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate ################################################################# -# AAF part +# Application configuration defaults. ################################################################# -certInitializer: - nameOverride: uui-server-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: uui - fqi: uui@uui.onap.org - fqi_namespace: org.onap.uui - public_fqdn: uui.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_p12}" \ - -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }} - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} subChartsOnly: enabled: true 
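Review bot: The two secrets added in the -15,46 hunk of values.yaml template their passwords from .Values.postgres.config.pgRootpassword and .Values.postgres.config.pgUserPassword, but the postgres.config block added further down in this file sets only pgUserName, pgDatabase and the two external-secret names, so both resolve to empty and the generate policies decide the value. That is a sound default now that the hard-coded aafDeployPass is gone, but it should be documented next to the secrets block. The casing of pgRootpassword also differs from pgUserPassword and pgRootPasswordExternalSecret in the same block; make it consistent or confirm it is deliberate.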
@@ -63,14 +48,36 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui-server:4.0.7 +image: onap/usecase-ui-server:5.2.2 pullPolicy: Always # application configuration -msbaddr: msb-iag.{{include "common.namespace" .}}:443 +msbaddr: msb-iag.{{include "common.namespace" .}}:80 mraddr: message-router.{{include "common.namespace" .}}:3904 +# application configuration override for postgres +postgres: + nameOverride: &postgresName uui-server-postgres + service: + name: *postgresName + name2: uui-server-pg-primary + name3: uui-server-pg-replica + container: + name: + primary: uui-server-pg-primary + replica: uui-server-pg-replica + persistence: + mountSubPath: uui/uuiserver/data + mountInitPath: uui/uuiserver + config: + pgUserName: uui + pgDatabase: uuidb + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + + + # flag to enable debugging - application support required debugEnabled: false @@ -96,18 +103,33 @@ readiness: service: type: NodePort name: uui-server - portName: uui-server internalPort: 8082 - nodePort: 99 + nodePortPrefixOverride: 303 + ports: + - name: http + port: 8082 + nodePort: '99' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "usecaseui-server", + "version": "v1", + "url": "/api/usecase-server/v1", + "path":"/iui/usecaseui", + "protocol": "REST", + "visualRange":"1", + "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}", + "enable_ssl": false + } + ]{{ end }} ingress: enabled: false service: - - baseaddr: uuiserver + - baseaddr: "uui-server-api" name: "uui-server" port: 8082 - config: - ssl: "redirect" # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
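Review bot: In the -96,18 hunk the MSB annotation moves into values.yaml with "url": "/api/usecase-server/v1", whereas the annotation removed from service.yaml registered "/api/usecaseui-server/v1"; if the rename is not intended, existing MSB consumers lose the route. The same hunk sets "enable_ssl": false and drops the ingress ssl: "redirect" setting, and the -63,14 hunk points msbaddr at port 80 instead of 443, so traffic to and from uui-server is now cleartext. State that in the commit message or in a values comment so deployers know transport protection has to come from elsewhere.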
@@ -122,16 +144,29 @@ ingress: resources: small: limits: - cpu: 1.5 - memory: 350Mi + cpu: "1.5" + memory: "2Gi" requests: - cpu: 1 - memory: 245Mi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 500Mi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 500Mi + cpu: "1" + memory: "2Gi" unlimited: {} + +serviceAccount: + nameOverride: uui-server + roles: + - read + +securityContext: + user_id: 100 + group_id: 655533 + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' diff --git a/kubernetes/uui/resources/config/server.xml b/kubernetes/uui/resources/config/server.xml index 2260bb8cf5..f464074769 100644 --- a/kubernetes/uui/resources/config/server.xml +++ b/kubernetes/uui/resources/config/server.xml @@ -24,7 +24,7 @@ --> - + 
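Review bot: securityContext.group_id is set to 655533 in the -122,16 hunk of uui-server/values.yaml; the six-digit value looks like a typo for 65533, so confirm which is intended before this lands in the pod security context. The same hunk raises the small and large memory limits from 350Mi and 500Mi to "2Gi" and "4Gi" alongside the quoting change, which deserves a line in the commit message.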
@@ -61,11 +61,7 @@ APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> - - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + org.apache.catalina.servlets.DefaultServlet + + debug + 0 + + + listings + false + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + jsp + org.apache.jasper.servlet.JspServlet + + fork + false + + + xpoweredBy + false + + 3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + / + + + + + jsp + *.jsp + *.jspx + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 30 + + + + + + + + + + + + + 123 + application/vnd.lotus-1-2-3 + + + 3dml + text/vnd.in3d.3dml + + + 3ds + image/x-3ds + + + 3g2 + video/3gpp2 + + + 3gp + video/3gpp + + + 7z + application/x-7z-compressed + + + aab + application/x-authorware-bin + + + aac + audio/x-aac + + + aam + application/x-authorware-map + + + aas + application/x-authorware-seg + + + abs + audio/x-mpeg + + + abw + application/x-abiword + + + ac + application/pkix-attr-cert + + + acc + application/vnd.americandynamics.acc + + + ace + application/x-ace-compressed + + + acu + application/vnd.acucobol + + + acutc + application/vnd.acucorp + + + adp + audio/adpcm + + + aep + application/vnd.audiograph + + + afm + 
application/x-font-type1 + + + afp + application/vnd.ibm.modcap + + + ahead + application/vnd.ahead.space + + + ai + application/postscript + + + aif + audio/x-aiff + + + aifc + audio/x-aiff + + + aiff + audio/x-aiff + + + aim + application/x-aim + + + air + application/vnd.adobe.air-application-installer-package+zip + + + ait + application/vnd.dvb.ait + + + ami + application/vnd.amiga.ami + + + anx + application/annodex + + + apk + application/vnd.android.package-archive + + + appcache + text/cache-manifest + + + application + application/x-ms-application + + + apr + application/vnd.lotus-approach + + + arc + application/x-freearc + + + art + image/x-jg + + + asc + application/pgp-signature + + + asf + video/x-ms-asf + + + asm + text/x-asm + + + aso + application/vnd.accpac.simply.aso + + + asx + video/x-ms-asf + + + atc + application/vnd.acucorp + + + atom + application/atom+xml + + + atomcat + application/atomcat+xml + + + atomsvc + application/atomsvc+xml + + + atx + application/vnd.antix.game-component + + + au + audio/basic + + + avi + video/x-msvideo + + + avx + video/x-rad-screenplay + + + aw + application/applixware + + + axa + audio/annodex + + + axv + video/annodex + + + azf + application/vnd.airzip.filesecure.azf + + + azs + application/vnd.airzip.filesecure.azs + + + azw + application/vnd.amazon.ebook + + + bat + application/x-msdownload + + + bcpio + application/x-bcpio + + + bdf + application/x-font-bdf + + + bdm + application/vnd.syncml.dm+wbxml + + + bed + application/vnd.realvnc.bed + + + bh2 + application/vnd.fujitsu.oasysprs + + + bin + application/octet-stream + + + blb + application/x-blorb + + + blorb + application/x-blorb + + + bmi + application/vnd.bmi + + + bmp + image/bmp + + + body + text/html + + + book + application/vnd.framemaker + + + box + application/vnd.previewsystems.box + + + boz + application/x-bzip2 + + + bpk + application/octet-stream + + + btif + image/prs.btif + + + bz + application/x-bzip + + + bz2 + application/x-bzip2 + 
+ + c + text/x-c + + + c11amc + application/vnd.cluetrust.cartomobile-config + + + c11amz + application/vnd.cluetrust.cartomobile-config-pkg + + + c4d + application/vnd.clonk.c4group + + + c4f + application/vnd.clonk.c4group + + + c4g + application/vnd.clonk.c4group + + + c4p + application/vnd.clonk.c4group + + + c4u + application/vnd.clonk.c4group + + + cab + application/vnd.ms-cab-compressed + + + caf + audio/x-caf + + + cap + application/vnd.tcpdump.pcap + + + car + application/vnd.curl.car + + + cat + application/vnd.ms-pki.seccat + + + cb7 + application/x-cbr + + + cba + application/x-cbr + + + cbr + application/x-cbr + + + cbt + application/x-cbr + + + cbz + application/x-cbr + + + cc + text/x-c + + + cct + application/x-director + + + ccxml + application/ccxml+xml + + + cdbcmsg + application/vnd.contact.cmsg + + + cdf + application/x-cdf + + + cdkey + application/vnd.mediastation.cdkey + + + cdmia + application/cdmi-capability + + + cdmic + application/cdmi-container + + + cdmid + application/cdmi-domain + + + cdmio + application/cdmi-object + + + cdmiq + application/cdmi-queue + + + cdx + chemical/x-cdx + + + cdxml + application/vnd.chemdraw+xml + + + cdy + application/vnd.cinderella + + + cer + application/pkix-cert + + + cfs + application/x-cfs-compressed + + + cgm + image/cgm + + + chat + application/x-chat + + + chm + application/vnd.ms-htmlhelp + + + chrt + application/vnd.kde.kchart + + + cif + chemical/x-cif + + + cii + application/vnd.anser-web-certificate-issue-initiation + + + cil + application/vnd.ms-artgalry + + + cla + application/vnd.claymore + + + class + application/java + + + clkk + application/vnd.crick.clicker.keyboard + + + clkp + application/vnd.crick.clicker.palette + + + clkt + application/vnd.crick.clicker.template + + + clkw + application/vnd.crick.clicker.wordbank + + + clkx + application/vnd.crick.clicker + + + clp + application/x-msclip + + + cmc + application/vnd.cosmocaller + + + cmdf + chemical/x-cmdf + + + cml + 
chemical/x-cml + + + cmp + application/vnd.yellowriver-custom-menu + + + cmx + image/x-cmx + + + cod + application/vnd.rim.cod + + + com + application/x-msdownload + + + conf + text/plain + + + cpio + application/x-cpio + + + cpp + text/x-c + + + cpt + application/mac-compactpro + + + crd + application/x-mscardfile + + + crl + application/pkix-crl + + + crt + application/x-x509-ca-cert + + + cryptonote + application/vnd.rig.cryptonote + + + csh + application/x-csh + + + csml + chemical/x-csml + + + csp + application/vnd.commonspace + + + css + text/css + + + cst + application/x-director + + + csv + text/csv + + + cu + application/cu-seeme + + + curl + text/vnd.curl + + + cww + application/prs.cww + + + cxt + application/x-director + + + cxx + text/x-c + + + dae + model/vnd.collada+xml + + + daf + application/vnd.mobius.daf + + + dart + application/vnd.dart + + + dataless + application/vnd.fdsn.seed + + + davmount + application/davmount+xml + + + dbk + application/docbook+xml + + + dcr + application/x-director + + + dcurl + text/vnd.curl.dcurl + + + dd2 + application/vnd.oma.dd2+xml + + + ddd + application/vnd.fujixerox.ddd + + + deb + application/x-debian-package + + + def + text/plain + + + deploy + application/octet-stream + + + der + application/x-x509-ca-cert + + + dfac + application/vnd.dreamfactory + + + dgc + application/x-dgc-compressed + + + dib + image/bmp + + + dic + text/x-c + + + dir + application/x-director + + + dis + application/vnd.mobius.dis + + + dist + application/octet-stream + + + distz + application/octet-stream + + + djv + image/vnd.djvu + + + djvu + image/vnd.djvu + + + dll + application/x-msdownload + + + dmg + application/x-apple-diskimage + + + dmp + application/vnd.tcpdump.pcap + + + dms + application/octet-stream + + + dna + application/vnd.dna + + + doc + application/msword + + + docm + application/vnd.ms-word.document.macroenabled.12 + + + docx + application/vnd.openxmlformats-officedocument.wordprocessingml.document + + + dot + 
application/msword + + + dotm + application/vnd.ms-word.template.macroenabled.12 + + + dotx + application/vnd.openxmlformats-officedocument.wordprocessingml.template + + + dp + application/vnd.osgi.dp + + + dpg + application/vnd.dpgraph + + + dra + audio/vnd.dra + + + dsc + text/prs.lines.tag + + + dssc + application/dssc+der + + + dtb + application/x-dtbook+xml + + + dtd + application/xml-dtd + + + dts + audio/vnd.dts + + + dtshd + audio/vnd.dts.hd + + + dump + application/octet-stream + + + dv + video/x-dv + + + dvb + video/vnd.dvb.file + + + dvi + application/x-dvi + + + dwf + model/vnd.dwf + + + dwg + image/vnd.dwg + + + dxf + image/vnd.dxf + + + dxp + application/vnd.spotfire.dxp + + + dxr + application/x-director + + + ecelp4800 + audio/vnd.nuera.ecelp4800 + + + ecelp7470 + audio/vnd.nuera.ecelp7470 + + + ecelp9600 + audio/vnd.nuera.ecelp9600 + + + ecma + application/ecmascript + + + edm + application/vnd.novadigm.edm + + + edx + application/vnd.novadigm.edx + + + efif + application/vnd.picsel + + + ei6 + application/vnd.pg.osasli + + + elc + application/octet-stream + + + emf + application/x-msmetafile + + + eml + message/rfc822 + + + emma + application/emma+xml + + + emz + application/x-msmetafile + + + eol + audio/vnd.digital-winds + + + eot + application/vnd.ms-fontobject + + + eps + application/postscript + + + epub + application/epub+zip + + + es3 + application/vnd.eszigno3+xml + + + esa + application/vnd.osgi.subsystem + + + esf + application/vnd.epson.esf + + + et3 + application/vnd.eszigno3+xml + + + etx + text/x-setext + + + eva + application/x-eva + + + evy + application/x-envoy + + + exe + application/octet-stream + + + exi + application/exi + + + ext + application/vnd.novadigm.ext + + + ez + application/andrew-inset + + + ez2 + application/vnd.ezpix-album + + + ez3 + application/vnd.ezpix-package + + + f + text/x-fortran + + + f4v + video/x-f4v + + + f77 + text/x-fortran + + + f90 + text/x-fortran + + + fbs + image/vnd.fastbidsheet + + + fcdt + 
application/vnd.adobe.formscentral.fcdt + + + fcs + application/vnd.isac.fcs + + + fdf + application/vnd.fdf + + + fe_launch + application/vnd.denovo.fcselayout-link + + + fg5 + application/vnd.fujitsu.oasysgp + + + fgd + application/x-director + + + fh + image/x-freehand + + + fh4 + image/x-freehand + + + fh5 + image/x-freehand + + + fh7 + image/x-freehand + + + fhc + image/x-freehand + + + fig + application/x-xfig + + + flac + audio/flac + + + fli + video/x-fli + + + flo + application/vnd.micrografx.flo + + + flv + video/x-flv + + + flw + application/vnd.kde.kivio + + + flx + text/vnd.fmi.flexstor + + + fly + text/vnd.fly + + + fm + application/vnd.framemaker + + + fnc + application/vnd.frogans.fnc + + + for + text/x-fortran + + + fpx + image/vnd.fpx + + + frame + application/vnd.framemaker + + + fsc + application/vnd.fsc.weblaunch + + + fst + image/vnd.fst + + + ftc + application/vnd.fluxtime.clip + + + fti + application/vnd.anser-web-funds-transfer-initiation + + + fvt + video/vnd.fvt + + + fxp + application/vnd.adobe.fxp + + + fxpl + application/vnd.adobe.fxp + + + fzs + application/vnd.fuzzysheet + + + g2w + application/vnd.geoplan + + + g3 + image/g3fax + + + g3w + application/vnd.geospace + + + gac + application/vnd.groove-account + + + gam + application/x-tads + + + gbr + application/rpki-ghostbusters + + + gca + application/x-gca-compressed + + + gdl + model/vnd.gdl + + + geo + application/vnd.dynageo + + + gex + application/vnd.geometry-explorer + + + ggb + application/vnd.geogebra.file + + + ggt + application/vnd.geogebra.tool + + + ghf + application/vnd.groove-help + + + gif + image/gif + + + gim + application/vnd.groove-identity-message + + + gml + application/gml+xml + + + gmx + application/vnd.gmx + + + gnumeric + application/x-gnumeric + + + gph + application/vnd.flographit + + + gpx + application/gpx+xml + + + gqf + application/vnd.grafeq + + + gqs + application/vnd.grafeq + + + gram + application/srgs + + + gramps + application/x-gramps-xml + + + 
gre + application/vnd.geometry-explorer + + + grv + application/vnd.groove-injector + + + grxml + application/srgs+xml + + + gsf + application/x-font-ghostscript + + + gtar + application/x-gtar + + + gtm + application/vnd.groove-tool-message + + + gtw + model/vnd.gtw + + + gv + text/vnd.graphviz + + + gxf + application/gxf + + + gxt + application/vnd.geonext + + + gz + application/x-gzip + + + h + text/x-c + + + h261 + video/h261 + + + h263 + video/h263 + + + h264 + video/h264 + + + hal + application/vnd.hal+xml + + + hbci + application/vnd.hbci + + + hdf + application/x-hdf + + + hh + text/x-c + + + hlp + application/winhlp + + + hpgl + application/vnd.hp-hpgl + + + hpid + application/vnd.hp-hpid + + + hps + application/vnd.hp-hps + + + hqx + application/mac-binhex40 + + + htc + text/x-component + + + htke + application/vnd.kenameaapp + + + htm + text/html + + + html + text/html + + + hvd + application/vnd.yamaha.hv-dic + + + hvp + application/vnd.yamaha.hv-voice + + + hvs + application/vnd.yamaha.hv-script + + + i2g + application/vnd.intergeo + + + icc + application/vnd.iccprofile + + + ice + x-conference/x-cooltalk + + + icm + application/vnd.iccprofile + + + ico + image/x-icon + + + ics + text/calendar + + + ief + image/ief + + + ifb + text/calendar + + + ifm + application/vnd.shana.informed.formdata + + + iges + model/iges + + + igl + application/vnd.igloader + + + igm + application/vnd.insors.igm + + + igs + model/iges + + + igx + application/vnd.micrografx.igx + + + iif + application/vnd.shana.informed.interchange + + + imp + application/vnd.accpac.simply.imp + + + ims + application/vnd.ms-ims + + + in + text/plain + + + ink + application/inkml+xml + + + inkml + application/inkml+xml + + + install + application/x-install-instructions + + + iota + application/vnd.astraea-software.iota + + + ipfix + application/ipfix + + + ipk + application/vnd.shana.informed.package + + + irm + application/vnd.ibm.rights-management + + + irp + 
application/vnd.irepository.package+xml + + + iso + application/x-iso9660-image + + + itp + application/vnd.shana.informed.formtemplate + + + ivp + application/vnd.immervision-ivp + + + ivu + application/vnd.immervision-ivu + + + jad + text/vnd.sun.j2me.app-descriptor + + + jam + application/vnd.jam + + + jar + application/java-archive + + + java + text/x-java-source + + + jisp + application/vnd.jisp + + + jlt + application/vnd.hp-jlyt + + + jnlp + application/x-java-jnlp-file + + + joda + application/vnd.joost.joda-archive + + + jpe + image/jpeg + + + jpeg + image/jpeg + + + jpg + image/jpeg + + + jpgm + video/jpm + + + jpgv + video/jpeg + + + jpm + video/jpm + + + js + application/javascript + + + jsf + text/plain + + + json + application/json + + + jsonml + application/jsonml+json + + + jspf + text/plain + + + kar + audio/midi + + + karbon + application/vnd.kde.karbon + + + kfo + application/vnd.kde.kformula + + + kia + application/vnd.kidspiration + + + kml + application/vnd.google-earth.kml+xml + + + kmz + application/vnd.google-earth.kmz + + + kne + application/vnd.kinar + + + knp + application/vnd.kinar + + + kon + application/vnd.kde.kontour + + + kpr + application/vnd.kde.kpresenter + + + kpt + application/vnd.kde.kpresenter + + + kpxx + application/vnd.ds-keypoint + + + ksp + application/vnd.kde.kspread + + + ktr + application/vnd.kahootz + + + ktx + image/ktx + + + ktz + application/vnd.kahootz + + + kwd + application/vnd.kde.kword + + + kwt + application/vnd.kde.kword + + + lasxml + application/vnd.las.las+xml + + + latex + application/x-latex + + + lbd + application/vnd.llamagraphics.life-balance.desktop + + + lbe + application/vnd.llamagraphics.life-balance.exchange+xml + + + les + application/vnd.hhe.lesson-player + + + lha + application/x-lzh-compressed + + + link66 + application/vnd.route66.link66+xml + + + list + text/plain + + + list3820 + application/vnd.ibm.modcap + + + listafp + application/vnd.ibm.modcap + + + lnk + application/x-ms-shortcut 
+ + + log + text/plain + + + lostxml + application/lost+xml + + + lrf + application/octet-stream + + + lrm + application/vnd.ms-lrm + + + ltf + application/vnd.frogans.ltf + + + lvp + audio/vnd.lucent.voice + + + lwp + application/vnd.lotus-wordpro + + + lzh + application/x-lzh-compressed + + + m13 + application/x-msmediaview + + + m14 + application/x-msmediaview + + + m1v + video/mpeg + + + m21 + application/mp21 + + + m2a + audio/mpeg + + + m2v + video/mpeg + + + m3a + audio/mpeg + + + m3u + audio/x-mpegurl + + + m3u8 + application/vnd.apple.mpegurl + + + m4a + audio/mp4 + + + m4b + audio/mp4 + + + m4r + audio/mp4 + + + m4u + video/vnd.mpegurl + + + m4v + video/mp4 + + + ma + application/mathematica + + + mac + image/x-macpaint + + + mads + application/mads+xml + + + mag + application/vnd.ecowin.chart + + + maker + application/vnd.framemaker + + + man + text/troff + + + mar + application/octet-stream + + + mathml + application/mathml+xml + + + mb + application/mathematica + + + mbk + application/vnd.mobius.mbk + + + mbox + application/mbox + + + mc1 + application/vnd.medcalcdata + + + mcd + application/vnd.mcd + + + mcurl + text/vnd.curl.mcurl + + + mdb + application/x-msaccess + + + mdi + image/vnd.ms-modi + + + me + text/troff + + + mesh + model/mesh + + + meta4 + application/metalink4+xml + + + metalink + application/metalink+xml + + + mets + application/mets+xml + + + mfm + application/vnd.mfmp + + + mft + application/rpki-manifest + + + mgp + application/vnd.osgeo.mapguide.package + + + mgz + application/vnd.proteus.magazine + + + mid + audio/midi + + + midi + audio/midi + + + mie + application/x-mie + + + mif + application/x-mif + + + mime + message/rfc822 + + + mj2 + video/mj2 + + + mjp2 + video/mj2 + + + mk3d + video/x-matroska + + + mka + audio/x-matroska + + + mks + video/x-matroska + + + mkv + video/x-matroska + + + mlp + application/vnd.dolby.mlp + + + mmd + application/vnd.chipnuts.karaoke-mmd + + + mmf + application/vnd.smaf + + + mmr + 
image/vnd.fujixerox.edmics-mmr + + + mng + video/x-mng + + + mny + application/x-msmoney + + + mobi + application/x-mobipocket-ebook + + + mods + application/mods+xml + + + mov + video/quicktime + + + movie + video/x-sgi-movie + + + mp1 + audio/mpeg + + + mp2 + audio/mpeg + + + mp21 + application/mp21 + + + mp2a + audio/mpeg + + + mp3 + audio/mpeg + + + mp4 + video/mp4 + + + mp4a + audio/mp4 + + + mp4s + application/mp4 + + + mp4v + video/mp4 + + + mpa + audio/mpeg + + + mpc + application/vnd.mophun.certificate + + + mpe + video/mpeg + + + mpeg + video/mpeg + + + mpega + audio/x-mpeg + + + mpg + video/mpeg + + + mpg4 + video/mp4 + + + mpga + audio/mpeg + + + mpkg + application/vnd.apple.installer+xml + + + mpm + application/vnd.blueice.multipass + + + mpn + application/vnd.mophun.application + + + mpp + application/vnd.ms-project + + + mpt + application/vnd.ms-project + + + mpv2 + video/mpeg2 + + + mpy + application/vnd.ibm.minipay + + + mqy + application/vnd.mobius.mqy + + + mrc + application/marc + + + mrcx + application/marcxml+xml + + + ms + text/troff + + + mscml + application/mediaservercontrol+xml + + + mseed + application/vnd.fdsn.mseed + + + mseq + application/vnd.mseq + + + msf + application/vnd.epson.msf + + + msh + model/mesh + + + msi + application/x-msdownload + + + msl + application/vnd.mobius.msl + + + msty + application/vnd.muvee.style + + + mts + model/vnd.mts + + + mus + application/vnd.musician + + + musicxml + application/vnd.recordare.musicxml+xml + + + mvb + application/x-msmediaview + + + mwf + application/vnd.mfer + + + mxf + application/mxf + + + mxl + application/vnd.recordare.musicxml + + + mxml + application/xv+xml + + + mxs + application/vnd.triscape.mxs + + + mxu + video/vnd.mpegurl + + + n-gage + application/vnd.nokia.n-gage.symbian.install + + + n3 + text/n3 + + + nb + application/mathematica + + + nbp + application/vnd.wolfram.player + + + nc + application/x-netcdf + + + ncx + application/x-dtbncx+xml + + + nfo + text/x-nfo + + + 
ngdat + application/vnd.nokia.n-gage.data + + + nitf + application/vnd.nitf + + + nlu + application/vnd.neurolanguage.nlu + + + nml + application/vnd.enliven + + + nnd + application/vnd.noblenet-directory + + + nns + application/vnd.noblenet-sealer + + + nnw + application/vnd.noblenet-web + + + npx + image/vnd.net-fpx + + + nsc + application/x-conference + + + nsf + application/vnd.lotus-notes + + + ntf + application/vnd.nitf + + + nzb + application/x-nzb + + + oa2 + application/vnd.fujitsu.oasys2 + + + oa3 + application/vnd.fujitsu.oasys3 + + + oas + application/vnd.fujitsu.oasys + + + obd + application/x-msbinder + + + obj + application/x-tgif + + + oda + application/oda + + + + odb + application/vnd.oasis.opendocument.database + + + + odc + application/vnd.oasis.opendocument.chart + + + + odf + application/vnd.oasis.opendocument.formula + + + odft + application/vnd.oasis.opendocument.formula-template + + + + odg + application/vnd.oasis.opendocument.graphics + + + + odi + application/vnd.oasis.opendocument.image + + + + odm + application/vnd.oasis.opendocument.text-master + + + + odp + application/vnd.oasis.opendocument.presentation + + + + ods + application/vnd.oasis.opendocument.spreadsheet + + + + odt + application/vnd.oasis.opendocument.text + + + oga + audio/ogg + + + ogg + audio/ogg + + + ogv + video/ogg + + + + ogx + application/ogg + + + omdoc + application/omdoc+xml + + + onepkg + application/onenote + + + onetmp + application/onenote + + + onetoc + application/onenote + + + onetoc2 + application/onenote + + + opf + application/oebps-package+xml + + + opml + text/x-opml + + + oprc + application/vnd.palm + + + org + application/vnd.lotus-organizer + + + osf + application/vnd.yamaha.openscoreformat + + + osfpvg + application/vnd.yamaha.openscoreformat.osfpvg+xml + + + otc + application/vnd.oasis.opendocument.chart-template + + + otf + font/otf + + + + otg + application/vnd.oasis.opendocument.graphics-template + + + + oth + 
application/vnd.oasis.opendocument.text-web + + + oti + application/vnd.oasis.opendocument.image-template + + + + otp + application/vnd.oasis.opendocument.presentation-template + + + + ots + application/vnd.oasis.opendocument.spreadsheet-template + + + + ott + application/vnd.oasis.opendocument.text-template + + + oxps + application/oxps + + + oxt + application/vnd.openofficeorg.extension + + + p + text/x-pascal + + + p10 + application/pkcs10 + + + p12 + application/x-pkcs12 + + + p7b + application/x-pkcs7-certificates + + + p7c + application/pkcs7-mime + + + p7m + application/pkcs7-mime + + + p7r + application/x-pkcs7-certreqresp + + + p7s + application/pkcs7-signature + + + p8 + application/pkcs8 + + + pas + text/x-pascal + + + paw + application/vnd.pawaafile + + + pbd + application/vnd.powerbuilder6 + + + pbm + image/x-portable-bitmap + + + pcap + application/vnd.tcpdump.pcap + + + pcf + application/x-font-pcf + + + pcl + application/vnd.hp-pcl + + + pclxl + application/vnd.hp-pclxl + + + pct + image/pict + + + pcurl + application/vnd.curl.pcurl + + + pcx + image/x-pcx + + + pdb + application/vnd.palm + + + pdf + application/pdf + + + pfa + application/x-font-type1 + + + pfb + application/x-font-type1 + + + pfm + application/x-font-type1 + + + pfr + application/font-tdpfr + + + pfx + application/x-pkcs12 + + + pgm + image/x-portable-graymap + + + pgn + application/x-chess-pgn + + + pgp + application/pgp-encrypted + + + pic + image/pict + + + pict + image/pict + + + pkg + application/octet-stream + + + pki + application/pkixcmp + + + pkipath + application/pkix-pkipath + + + plb + application/vnd.3gpp.pic-bw-large + + + plc + application/vnd.mobius.plc + + + plf + application/vnd.pocketlearn + + + + pls + audio/x-scpls + + + pml + application/vnd.ctc-posml + + + png + image/png + + + pnm + image/x-portable-anymap + + + pnt + image/x-macpaint + + + portpkg + application/vnd.macports.portpkg + + + pot + application/vnd.ms-powerpoint + + + potm + 
application/vnd.ms-powerpoint.template.macroenabled.12 + + + potx + application/vnd.openxmlformats-officedocument.presentationml.template + + + ppam + application/vnd.ms-powerpoint.addin.macroenabled.12 + + + ppd + application/vnd.cups-ppd + + + ppm + image/x-portable-pixmap + + + pps + application/vnd.ms-powerpoint + + + ppsm + application/vnd.ms-powerpoint.slideshow.macroenabled.12 + + + ppsx + application/vnd.openxmlformats-officedocument.presentationml.slideshow + + + ppt + application/vnd.ms-powerpoint + + + pptm + application/vnd.ms-powerpoint.presentation.macroenabled.12 + + + pptx + application/vnd.openxmlformats-officedocument.presentationml.presentation + + + pqa + application/vnd.palm + + + prc + application/x-mobipocket-ebook + + + pre + application/vnd.lotus-freelance + + + prf + application/pics-rules + + + ps + application/postscript + + + psb + application/vnd.3gpp.pic-bw-small + + + psd + image/vnd.adobe.photoshop + + + psf + application/x-font-linux-psf + + + pskcxml + application/pskc+xml + + + ptid + application/vnd.pvi.ptid1 + + + pub + application/x-mspublisher + + + pvb + application/vnd.3gpp.pic-bw-var + + + pwn + application/vnd.3m.post-it-notes + + + pya + audio/vnd.ms-playready.media.pya + + + pyv + video/vnd.ms-playready.media.pyv + + + qam + application/vnd.epson.quickanime + + + qbo + application/vnd.intu.qbo + + + qfx + application/vnd.intu.qfx + + + qps + application/vnd.publishare-delta-tree + + + qt + video/quicktime + + + qti + image/x-quicktime + + + qtif + image/x-quicktime + + + qwd + application/vnd.quark.quarkxpress + + + qwt + application/vnd.quark.quarkxpress + + + qxb + application/vnd.quark.quarkxpress + + + qxd + application/vnd.quark.quarkxpress + + + qxl + application/vnd.quark.quarkxpress + + + qxt + application/vnd.quark.quarkxpress + + + ra + audio/x-pn-realaudio + + + ram + audio/x-pn-realaudio + + + rar + application/x-rar-compressed + + + ras + image/x-cmu-raster + + + rcprofile + 
application/vnd.ipunplugged.rcprofile + + + rdf + application/rdf+xml + + + rdz + application/vnd.data-vision.rdz + + + rep + application/vnd.businessobjects + + + res + application/x-dtbresource+xml + + + rgb + image/x-rgb + + + rif + application/reginfo+xml + + + rip + audio/vnd.rip + + + ris + application/x-research-info-systems + + + rl + application/resource-lists+xml + + + rlc + image/vnd.fujixerox.edmics-rlc + + + rld + application/resource-lists-diff+xml + + + rm + application/vnd.rn-realmedia + + + rmi + audio/midi + + + rmp + audio/x-pn-realaudio-plugin + + + rms + application/vnd.jcp.javame.midlet-rms + + + rmvb + application/vnd.rn-realmedia-vbr + + + rnc + application/relax-ng-compact-syntax + + + roa + application/rpki-roa + + + roff + text/troff + + + rp9 + application/vnd.cloanto.rp9 + + + rpss + application/vnd.nokia.radio-presets + + + rpst + application/vnd.nokia.radio-preset + + + rq + application/sparql-query + + + rs + application/rls-services+xml + + + rsd + application/rsd+xml + + + rss + application/rss+xml + + + rtf + application/rtf + + + rtx + text/richtext + + + s + text/x-asm + + + s3m + audio/s3m + + + saf + application/vnd.yamaha.smaf-audio + + + sbml + application/sbml+xml + + + sc + application/vnd.ibm.secure-container + + + scd + application/x-msschedule + + + scm + application/vnd.lotus-screencam + + + scq + application/scvp-cv-request + + + scs + application/scvp-cv-response + + + scurl + text/vnd.curl.scurl + + + sda + application/vnd.stardivision.draw + + + sdc + application/vnd.stardivision.calc + + + sdd + application/vnd.stardivision.impress + + + sdkd + application/vnd.solent.sdkm+xml + + + sdkm + application/vnd.solent.sdkm+xml + + + sdp + application/sdp + + + sdw + application/vnd.stardivision.writer + + + see + application/vnd.seemail + + + seed + application/vnd.fdsn.seed + + + sema + application/vnd.sema + + + semd + application/vnd.semd + + + semf + application/vnd.semf + + + ser + application/java-serialized-object 
+ + + setpay + application/set-payment-initiation + + + setreg + application/set-registration-initiation + + + sfd-hdstx + application/vnd.hydrostatix.sof-data + + + sfs + application/vnd.spotfire.sfs + + + sfv + text/x-sfv + + + sgi + image/sgi + + + sgl + application/vnd.stardivision.writer-global + + + sgm + text/sgml + + + sgml + text/sgml + + + sh + application/x-sh + + + shar + application/x-shar + + + shf + application/shf+xml + + + + sid + image/x-mrsid-image + + + sig + application/pgp-signature + + + sil + audio/silk + + + silo + model/mesh + + + sis + application/vnd.symbian.install + + + sisx + application/vnd.symbian.install + + + sit + application/x-stuffit + + + sitx + application/x-stuffitx + + + skd + application/vnd.koan + + + skm + application/vnd.koan + + + skp + application/vnd.koan + + + skt + application/vnd.koan + + + sldm + application/vnd.ms-powerpoint.slide.macroenabled.12 + + + sldx + application/vnd.openxmlformats-officedocument.presentationml.slide + + + slt + application/vnd.epson.salt + + + sm + application/vnd.stepmania.stepchart + + + smf + application/vnd.stardivision.math + + + smi + application/smil+xml + + + smil + application/smil+xml + + + smv + video/x-smv + + + smzip + application/vnd.stepmania.package + + + snd + audio/basic + + + snf + application/x-font-snf + + + so + application/octet-stream + + + spc + application/x-pkcs7-certificates + + + spf + application/vnd.yamaha.smaf-phrase + + + spl + application/x-futuresplash + + + spot + text/vnd.in3d.spot + + + spp + application/scvp-vp-response + + + spq + application/scvp-vp-request + + + spx + audio/ogg + + + sql + application/x-sql + + + src + application/x-wais-source + + + srt + application/x-subrip + + + sru + application/sru+xml + + + srx + application/sparql-results+xml + + + ssdl + application/ssdl+xml + + + sse + application/vnd.kodak-descriptor + + + ssf + application/vnd.epson.ssf + + + ssml + application/ssml+xml + + + st + application/vnd.sailingtracker.track 
+ + + stc + application/vnd.sun.xml.calc.template + + + std + application/vnd.sun.xml.draw.template + + + stf + application/vnd.wt.stf + + + sti + application/vnd.sun.xml.impress.template + + + stk + application/hyperstudio + + + stl + application/vnd.ms-pki.stl + + + str + application/vnd.pg.format + + + stw + application/vnd.sun.xml.writer.template + + + sub + text/vnd.dvb.subtitle + + + sus + application/vnd.sus-calendar + + + susp + application/vnd.sus-calendar + + + sv4cpio + application/x-sv4cpio + + + sv4crc + application/x-sv4crc + + + svc + application/vnd.dvb.service + + + svd + application/vnd.svd + + + svg + image/svg+xml + + + svgz + image/svg+xml + + + swa + application/x-director + + + swf + application/x-shockwave-flash + + + swi + application/vnd.aristanetworks.swi + + + sxc + application/vnd.sun.xml.calc + + + sxd + application/vnd.sun.xml.draw + + + sxg + application/vnd.sun.xml.writer.global + + + sxi + application/vnd.sun.xml.impress + + + sxm + application/vnd.sun.xml.math + + + sxw + application/vnd.sun.xml.writer + + + t + text/troff + + + t3 + application/x-t3vm-image + + + taglet + application/vnd.mynfc + + + tao + application/vnd.tao.intent-module-archive + + + tar + application/x-tar + + + tcap + application/vnd.3gpp2.tcap + + + tcl + application/x-tcl + + + teacher + application/vnd.smart.teacher + + + tei + application/tei+xml + + + teicorpus + application/tei+xml + + + tex + application/x-tex + + + texi + application/x-texinfo + + + texinfo + application/x-texinfo + + + text + text/plain + + + tfi + application/thraud+xml + + + tfm + application/x-tex-tfm + + + tga + image/x-tga + + + thmx + application/vnd.ms-officetheme + + + tif + image/tiff + + + tiff + image/tiff + + + tmo + application/vnd.tmobile-livetv + + + torrent + application/x-bittorrent + + + tpl + application/vnd.groove-tool-template + + + tpt + application/vnd.trid.tpt + + + tr + text/troff + + + tra + application/vnd.trueapp + + + trm + application/x-msterminal + + + 
tsd + application/timestamped-data + + + tsv + text/tab-separated-values + + + ttc + font/collection + + + ttf + font/ttf + + + ttl + text/turtle + + + twd + application/vnd.simtech-mindmapper + + + twds + application/vnd.simtech-mindmapper + + + txd + application/vnd.genomatix.tuxedo + + + txf + application/vnd.mobius.txf + + + txt + text/plain + + + u32 + application/x-authorware-bin + + + udeb + application/x-debian-package + + + ufd + application/vnd.ufdl + + + ufdl + application/vnd.ufdl + + + ulw + audio/basic + + + ulx + application/x-glulx + + + umj + application/vnd.umajin + + + unityweb + application/vnd.unity + + + uoml + application/vnd.uoml+xml + + + uri + text/uri-list + + + uris + text/uri-list + + + urls + text/uri-list + + + ustar + application/x-ustar + + + utz + application/vnd.uiq.theme + + + uu + text/x-uuencode + + + uva + audio/vnd.dece.audio + + + uvd + application/vnd.dece.data + + + uvf + application/vnd.dece.data + + + uvg + image/vnd.dece.graphic + + + uvh + video/vnd.dece.hd + + + uvi + image/vnd.dece.graphic + + + uvm + video/vnd.dece.mobile + + + uvp + video/vnd.dece.pd + + + uvs + video/vnd.dece.sd + + + uvt + application/vnd.dece.ttml+xml + + + uvu + video/vnd.uvvu.mp4 + + + uvv + video/vnd.dece.video + + + uvva + audio/vnd.dece.audio + + + uvvd + application/vnd.dece.data + + + uvvf + application/vnd.dece.data + + + uvvg + image/vnd.dece.graphic + + + uvvh + video/vnd.dece.hd + + + uvvi + image/vnd.dece.graphic + + + uvvm + video/vnd.dece.mobile + + + uvvp + video/vnd.dece.pd + + + uvvs + video/vnd.dece.sd + + + uvvt + application/vnd.dece.ttml+xml + + + uvvu + video/vnd.uvvu.mp4 + + + uvvv + video/vnd.dece.video + + + uvvx + application/vnd.dece.unspecified + + + uvvz + application/vnd.dece.zip + + + uvx + application/vnd.dece.unspecified + + + uvz + application/vnd.dece.zip + + + vcard + text/vcard + + + vcd + application/x-cdlink + + + vcf + text/x-vcard + + + vcg + application/vnd.groove-vcard + + + vcs + text/x-vcalendar + + + 
vcx + application/vnd.vcx + + + vis + application/vnd.visionary + + + viv + video/vnd.vivo + + + vob + video/x-ms-vob + + + vor + application/vnd.stardivision.writer + + + vox + + application/x-authorware-bin + + + vrml + model/vrml + + + vsd + application/vnd.visio + + + vsf + application/vnd.vsf + + + vss + application/vnd.visio + + + vst + application/vnd.visio + + + vsw + application/vnd.visio + + + vtu + model/vnd.vtu + + + vxml + application/voicexml+xml + + + w3d + application/x-director + + + wad + application/x-doom + + + wav + audio/x-wav + + + wax + audio/x-ms-wax + + + + wbmp + image/vnd.wap.wbmp + + + wbs + application/vnd.criticaltools.wbs+xml + + + wbxml + application/vnd.wap.wbxml + + + wcm + application/vnd.ms-works + + + wdb + application/vnd.ms-works + + + wdp + image/vnd.ms-photo + + + weba + audio/webm + + + webm + video/webm + + + webp + image/webp + + + wg + application/vnd.pmi.widget + + + wgt + application/widget + + + wks + application/vnd.ms-works + + + wm + video/x-ms-wm + + + wma + audio/x-ms-wma + + + wmd + application/x-ms-wmd + + + wmf + application/x-msmetafile + + + + wml + text/vnd.wap.wml + + + + wmlc + application/vnd.wap.wmlc + + + + wmls + text/vnd.wap.wmlscript + + + + wmlsc + application/vnd.wap.wmlscriptc + + + wmv + video/x-ms-wmv + + + wmx + video/x-ms-wmx + + + wmz + application/x-msmetafile + + + woff + font/woff + + + woff2 + font/woff2 + + + wpd + application/vnd.wordperfect + + + wpl + application/vnd.ms-wpl + + + wps + application/vnd.ms-works + + + wqd + application/vnd.wqd + + + wri + application/x-mswrite + + + wrl + model/vrml + + + wsdl + application/wsdl+xml + + + wspolicy + application/wspolicy+xml + + + wtb + application/vnd.webturbo + + + wvx + video/x-ms-wvx + + + x32 + application/x-authorware-bin + + + x3d + model/x3d+xml + + + x3db + model/x3d+binary + + + x3dbz + model/x3d+binary + + + x3dv + model/x3d+vrml + + + x3dvz + model/x3d+vrml + + + x3dz + model/x3d+xml + + + xaml + application/xaml+xml + + + 
xap + application/x-silverlight-app + + + xar + application/vnd.xara + + + xbap + application/x-ms-xbap + + + xbd + application/vnd.fujixerox.docuworks.binder + + + xbm + image/x-xbitmap + + + xdf + application/xcap-diff+xml + + + + xdm + application/vnd.syncml.dm+xml + + + xdp + application/vnd.adobe.xdp+xml + + + xdssc + application/dssc+xml + + + xdw + application/vnd.fujixerox.docuworks + + + xenc + application/xenc+xml + + + xer + application/patch-ops-error+xml + + + xfdf + application/vnd.adobe.xfdf + + + xfdl + application/vnd.xfdl + + + xht + application/xhtml+xml + + + xhtml + application/xhtml+xml + + + xhvml + application/xv+xml + + + xif + image/vnd.xiff + + + xla + application/vnd.ms-excel + + + xlam + application/vnd.ms-excel.addin.macroenabled.12 + + + xlc + application/vnd.ms-excel + + + xlf + application/x-xliff+xml + + + xlm + application/vnd.ms-excel + + + xls + application/vnd.ms-excel + + + xlsb + application/vnd.ms-excel.sheet.binary.macroenabled.12 + + + xlsm + application/vnd.ms-excel.sheet.macroenabled.12 + + + xlsx + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + + + xlt + application/vnd.ms-excel + + + xltm + application/vnd.ms-excel.template.macroenabled.12 + + + xltx + application/vnd.openxmlformats-officedocument.spreadsheetml.template + + + xlw + application/vnd.ms-excel + + + xm + audio/xm + + + xml + application/xml + + + xo + application/vnd.olpc-sugar + + + xop + application/xop+xml + + + xpi + application/x-xpinstall + + + xpl + application/xproc+xml + + + xpm + image/x-xpixmap + + + xpr + application/vnd.is-xpr + + + xps + application/vnd.ms-xpsdocument + + + xpw + application/vnd.intercon.formnet + + + xpx + application/vnd.intercon.formnet + + + xsl + application/xml + + + xslt + application/xslt+xml + + + xsm + application/vnd.syncml+xml + + + xspf + application/xspf+xml + + + xul + application/vnd.mozilla.xul+xml + + + xvm + application/xv+xml + + + xvml + application/xv+xml + + + xwd + 
image/x-xwindowdump + + + xyz + chemical/x-xyz + + + xz + application/x-xz + + + yang + application/yang + + + yin + application/yin+xml + + + z + application/x-compress + + + Z + application/x-compress + + + z1 + application/x-zmachine + + + z2 + application/x-zmachine + + + z3 + application/x-zmachine + + + z4 + application/x-zmachine + + + z5 + application/x-zmachine + + + z6 + application/x-zmachine + + + z7 + application/x-zmachine + + + z8 + application/x-zmachine + + + zaz + application/vnd.zzazz.deck+xml + + + zip + application/zip + + + zir + application/vnd.zul + + + zirz + application/vnd.zul + + + zmm + application/vnd.handheld-entertainment+xml + + + + + + + + + + + + + + + + + + index.html + index.htm + index.jsp + + + + + diff --git a/kubernetes/uui/templates/deployment.yaml b/kubernetes/uui/templates/deployment.yaml index 5d8c7b32b5..c9feacc1ba 100644 --- a/kubernetes/uui/templates/deployment.yaml +++ b/kubernetes/uui/templates/deployment.yaml 
@@ -16,39 +16,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: - -c - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) cd /config-input && for PFILE in `ls -1` do envsubst <${PFILE} >/config/${PFILE} done cat /config/server.xml - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - mountPath: /config-input name: config-input - mountPath: /config @@ -56,7 +42,6 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -69,13 +54,8 @@ spec: ls -lh /opt/ echo "*** /opt/app" ls -lh /opt/app/ - echo "*** /opt/app/osaaf/" - ls -lh /opt/app/osaaf/ - echo "*** /opt/app/osaaf/local" - ls -lh /opt/app/osaaf/local/ /home/uui/uuiStartup.sh - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} @@ -90,12 +70,13 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - {{- if .Values.global.aafEnabled }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - mountPath: /home/uui/server.xml name: config subPath: server.xml - {{- end }} + - mountPath: /home/uui/web.xml + name: config + subPath: web.xml env: - name: MSB_ADDR value: {{ tpl .Values.msbaddr . }} @@ -106,14 +87,11 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - {{- if .Values.global.aafEnabled }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: config-input configMap: name: {{ include "common.fullname" . }} - name: config emptyDir: medium: Memory - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/templates/ingress.yaml b/kubernetes/uui/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/uui/templates/ingress.yaml +++ b/kubernetes/uui/templates/ingress.yaml 
@@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/uui/templates/service.yaml b/kubernetes/uui/templates/service.yaml index 222100d8c8..143f1c39d5 100644 --- a/kubernetes/uui/templates/service.yaml +++ b/kubernetes/uui/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T, ZTE # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,41 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "usecaseui-ui", - "version": "v1", - "url": "/usecase-ui", - "path":"/iui/usecaseui", - "protocol": "UI", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"1", - "enable_ssl": true - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.uuiPortPrefix | default .Values.uuiPortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index f133ad5a27..b7893bc0fa 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright (c) 2022 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,40 +17,7 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. global: - uuiPortPrefix: 303 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: uui-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: uui - fqi: uui@uui.onap.org - fqi_namespace: org.onap.uui - public_fqdn: uui.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} + nodePortPrefix: 302 subChartsOnly: enabled: true @@ -57,7 +25,7 @@ subChartsOnly: flavor: small # application image -image: onap/usecase-ui:4.0.7 +image: onap/usecase-ui:5.2.2 pullPolicy: Always # application configuration 
@@ -90,16 +58,33 @@ readiness: service: type: NodePort name: uui - portName: uui - internalPort: 8443 - nodePort: 98 + internalPort: 8080 + nodePortPrefixOverride: 303 + ports: + - name: http + port: 8080 + nodePort: '98' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "usecaseui-ui", + "version": "v1", + "url": "/usecase-ui", + "path":"/iui/usecaseui", + "protocol": "UI", + "visualRange":"1", + "port": "{{ include "common.getPort" (dict "global" . "name" "http" "getPlain" true) }}", + "enable_ssl": false + } + ]{{ end }} ingress: enabled: false service: - - baseaddr: "uui.api" + - baseaddr: "uui-ui" name: "uui" - port: 8443 + port: 8080 config: ssl: "redirect" @@ -116,16 +101,16 @@ ingress: resources: small: limits: - cpu: 250m - memory: 1Gi + cpu: "250m" + memory: "1Gi" requests: - cpu: 250m - memory: 1Gi + cpu: "250m" + memory: "1Gi" large: limits: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/vfc/Chart.yaml b/kubernetes/vfc/Chart.yaml index 26c9747d35..0965d00905 100644 --- a/kubernetes/vfc/Chart.yaml +++ b/kubernetes/vfc/Chart.yaml 
@@ -17,48 +17,48 @@ apiVersion: v2 description: ONAP Virtual Function Controller (VF-C) name: vfc -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~11.x-0 + version: ~13.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: vfc-generic-vnfm-driver - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-generic-vnfm-driver' condition: vfc-generic-vnfm-driver.enabled - name: vfc-huawei-vnfm-driver - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-huawei-vnfm-driver' condition: vfc-huawei-vnfm-driver.enabled - name: vfc-nslcm - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-nslcm' condition: vfc-nslcm.enabled - name: vfc-redis - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-redis' condition: vfc-redis.enabled - name: vfc-vnflcm - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-vnflcm' condition: vfc-vnflcm.enabled - name: vfc-vnfmgr - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-vnfmgr' condition: vfc-vnfmgr.enabled - name: vfc-vnfres - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-vnfres' condition: vfc-vnfres.enabled - name: vfc-zte-vnfm-driver - version: ~11.x-0 + version: ~13.x-0 repository: 'file://components/vfc-zte-vnfm-driver' condition: vfc-zte-vnfm-driver.enabled diff --git a/kubernetes/vfc/Makefile b/kubernetes/vfc/Makefile index 51d7de122c..08ed7cb9da 100644 --- a/kubernetes/vfc/Makefile +++ b/kubernetes/vfc/Makefile 
@@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := dist resources templates charts docker HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) @@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/vfc/components/Makefile b/kubernetes/vfc/components/Makefile index f4c9784bc4..9544d70f33 100644 --- a/kubernetes/vfc/components/Makefile +++ b/kubernetes/vfc/components/Makefile @@ -19,6 +19,12 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets EXCLUDES := HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) .PHONY: $(EXCLUDES) $(HELM_CHARTS) 
@@ -36,12 +42,13 @@ dep-%: make-% @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) lint $*; fi + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi package-%: lint-% @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @$(HELM_BIN) repo index $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) clean: @rm -f */Chart.lock diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml index 74f472eeb5..a8f441dce4 100644 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml +++ b/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - Generic VNFM Driver name: vfc-generic-vnfm-driver -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml index b5ab1fb93c..4cd1100988 100644 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml 
@@ -70,16 +70,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: "{{ .Values.log.path }}" - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfmdriver/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -92,14 +88,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml index 6a4a802028..c96712be4f 100644 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml +++ b/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml @@ -72,18 +72,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration 
diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml index 3fa0c45f0c..37158d942d 100644 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml +++ b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - Huawei VNFM Driver name: vfc-huawei-vnfm-driver -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml index f96d4d664b..ff22976b17 100644 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml @@ -73,16 +73,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/hwvnfmdriver/config/log4j.properties subPath: log4j.properties - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -95,14 +91,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml index 32221692e3..040ad08694 100644 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml +++ b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml @@ -74,18 +74,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 2000Mi + cpu: "200m" + memory: "2Gi" requests: - cpu: 100m - memory: 1000Mi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 400m - memory: 4000Mi + cpu: "400m" + memory: "4Gi" requests: - cpu: 200m - memory: 2000Mi + cpu: "200m" + memory: "2Gi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-nslcm/Chart.yaml b/kubernetes/vfc/components/vfc-nslcm/Chart.yaml index f415fec224..3bef3a8743 100644 --- a/kubernetes/vfc/components/vfc-nslcm/Chart.yaml +++ b/kubernetes/vfc/components/vfc-nslcm/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - NS Life Cycle Management name: vfc-nslcm -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml b/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml index f9faa7e845..88c322fef7 100644 --- a/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: @@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: @@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/nslcm/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -122,14 +125,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-nslcm/values.yaml b/kubernetes/vfc/components/vfc-nslcm/values.yaml index 0cd3ce178a..48cce40822 100644 --- a/kubernetes/vfc/components/vfc-nslcm/values.yaml +++ b/kubernetes/vfc/components/vfc-nslcm/values.yaml @@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 @@ -91,18 +93,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-redis/Chart.yaml b/kubernetes/vfc/components/vfc-redis/Chart.yaml index 9fe692baeb..84736f364b 100644 --- a/kubernetes/vfc/components/vfc-redis/Chart.yaml +++ b/kubernetes/vfc/components/vfc-redis/Chart.yaml 
@@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - REDIS name: vfc-redis -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml b/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml index 787c62c3c5..02fc994599 100644 --- a/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml @@ -55,8 +55,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -65,5 +64,4 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-redis/values.yaml b/kubernetes/vfc/components/vfc-redis/values.yaml index 1c6c4b4cce..60c95b9b7c 100644 --- a/kubernetes/vfc/components/vfc-redis/values.yaml +++ b/kubernetes/vfc/components/vfc-redis/values.yaml @@ -66,16 +66,16 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} \ No newline at end of file 
diff --git a/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml b/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml index 288e447339..fe0ce9b4f9 100644 --- a/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml +++ b/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - VNF Life Cycle Management name: vfc-vnflcm -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml index 8c414ffc59..e915587a4f 100644 --- a/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: @@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: 
@@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfm-vnflcm/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -122,14 +125,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnflcm/values.yaml b/kubernetes/vfc/components/vfc-vnflcm/values.yaml index fcad261817..bc22a32206 100644 --- a/kubernetes/vfc/components/vfc-vnflcm/values.yaml +++ b/kubernetes/vfc/components/vfc-vnflcm/values.yaml @@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 
@@ -91,18 +93,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml b/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml index 93fb2edafc..d5ec0cfc80 100644 --- a/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml +++ b/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - VNF Manager name: vfc-vnfmgr -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml index 9fcf9b923d..8dd9f57921 100644 --- a/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: @@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: 
@@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfm-vnfmgr/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -122,9 +125,6 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig @@ -132,5 +132,4 @@ spec: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnfmgr/values.yaml b/kubernetes/vfc/components/vfc-vnfmgr/values.yaml index 528bbe0c01..31b5a66fd0 100644 --- a/kubernetes/vfc/components/vfc-vnfmgr/values.yaml +++ b/kubernetes/vfc/components/vfc-vnfmgr/values.yaml @@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 
@@ -90,18 +92,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-vnfres/Chart.yaml b/kubernetes/vfc/components/vfc-vnfres/Chart.yaml index b02dfefb62..be05a88d7a 100644 --- a/kubernetes/vfc/components/vfc-vnfres/Chart.yaml +++ b/kubernetes/vfc/components/vfc-vnfres/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - VNF Resource Manager name: vfc-vnfres -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml index 5723b0f322..f4138d256f 100644 --- a/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml @@ -41,8 +41,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' + - --service-name + - {{ include "common.mariadbService" . }} env: - name: NAMESPACE valueFrom: @@ -52,6 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: 
@@ -100,16 +107,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/gvnfm-vnfres/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -118,18 +121,13 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnfres/values.yaml b/kubernetes/vfc/components/vfc-vnfres/values.yaml index c2954d5517..2c54249de4 100644 --- a/kubernetes/vfc/components/vfc-vnfres/values.yaml +++ b/kubernetes/vfc/components/vfc-vnfres/values.yaml @@ -20,6 +20,8 @@ global: config: ssl_enabled: false mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true localCluster: false service: mariadb-galera internalPort: 3306 
@@ -91,18 +93,18 @@ ingress: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 100m - memory: 250Mi + cpu: "100m" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "400m" + memory: "1Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml index 5f8a392870..2511b5e587 100644 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml +++ b/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP VFC - ZTE VNFM Driver name: vfc-zte-vnfm-driver -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml index 855532ddf3..c58957c2a2 100644 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml +++ b/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml @@ -70,16 +70,12 @@ spec: - name: REG_TO_MSB_WHEN_START value: "{{ .Values.global.config.reg_to_msb_when_start }}" volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} - name: {{ include "common.fullname" . }}-logconfig mountPath: /opt/vfc/ztevnfmdriver/config/log.yml subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
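Review bot: in the `volumeMounts` list of kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml, removing the `-localtime` mount of `/etc/localtime` means the container now sees the image's own timezone rather than the node's, so timestamps in the files under `{{ .Values.log.path }}` may shift. Dropping the mount, together with the hostPath volume removed in the next hunk, is a good change, but the behaviour change deserves a line in the commit message or release notes. Style: `resources:` now uses the inline `nindent 12` form while the unchanged `nodeSelector:` just below still uses the two-line `toYaml ... | indent 10` form; converting it in the same pass would keep the template consistent.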
@@ -92,14 +88,10 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs emptyDir: {} - name: {{ include "common.fullname" . }}-logconfig configMap: name : {{ include "common.fullname" . }}-logging-configmap {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml index 258407b6ba..3588ba548e 100644 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml +++ b/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml @@ -72,18 +72,18 @@ ingress: resources: small: limits: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 50m - memory: 250Mi + cpu: "50m" + memory: "200Mi" large: limits: - cpu: 200m - memory: 1000Mi + cpu: "200m" + memory: "1Gi" requests: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" unlimited: {} # Log configuration diff --git a/kubernetes/vfc/values.yaml b/kubernetes/vfc/values.yaml index a0b69e0c94..05b7eb1fa3 100644 --- a/kubernetes/vfc/values.yaml +++ b/kubernetes/vfc/values.yaml @@ -30,6 +30,8 @@ global: persistence: mountPath: /dockerdata-nfs mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows VFC to instantiate its own mariadb-galera cluster localCluster: false service: mariadb-galera 
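Review bot: the new `useOperator: true` default under `global.mariadbGalera` in kubernetes/vfc/values.yaml is documented only as "flag to enable the DB creation via mariadb-operator", which does not say how it interacts with `localCluster: false` directly below it, or with the `mariadbOperator.galera.enabled: false` that a later hunk in this file adds under `mariadb-galera`. Please extend the comment to state which combinations are supported and what to set when the operator is not available, since the value is shared through the `&mariadbGalera` anchor.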
@@ -59,6 +61,10 @@ mariadb-galera: &localMariadb # password: externalSecret: *dbRootPassSecret nameOverride: &dbServer vfc-mariadb + service: + name: *dbServer + portName: *dbServer + internalPort: 3306 nfsprovisionerPrefix: vfc persistence: mountSubPath: vfc/data @@ -67,6 +73,9 @@ mariadb-galera: &localMariadb serviceAccount: nameOverride: *dbServer replicaCount: 1 + mariadbOperator: + galera: + enabled: false vfc-generic-vnfm-driver: enabled: true diff --git a/kubernetes/vid/.helmignore b/kubernetes/vid/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vid/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vid/Chart.yaml b/kubernetes/vid/Chart.yaml deleted file mode 100644 index fe6164a46e..0000000000 --- a/kubernetes/vid/Chart.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Virtual Infrastructure Deployment -name: vid -version: 11.0.0 - -dependencies: - - name: common - version: ~11.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~11.x-0 - repository: '@local' - - name: mariadb-galera - version: ~11.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~11.x-0 - repository: '@local' - condition: not global.mariadbGalera.localCluster - - name: repositoryGenerator - version: ~11.x-0 - repository: '@local' diff --git a/kubernetes/vid/resources/config/db_cmd.sh b/kubernetes/vid/resources/config/db_cmd.sh deleted file mode 100755 index daa1f8b6ea..0000000000 --- a/kubernetes/vid/resources/config/db_cmd.sh +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/sh -{{/* -# Copyright © 2018 AT&T -# Copyright © 2020 Aarna Networks -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -DB={{index .Values "mariadb-galera" "db" "name" | upper }} -eval "MYSQL_USER=\$MYSQL_USER_${DB}" -eval "MYSQL_PASSWORD=\$MYSQL_PASSWORD_${DB}" - -#echo "Going to run mysql ${DB} -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h${DB_HOST} -P${DB_PORT} ..." -mysql -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h${DB_HOST} -P${DB_PORT} <<'EOD' -CREATE TABLE IF NOT EXISTS `{{index .Values "mariadb-galera" "db" "name" }}`.`schema_info` ( -`SCHEMA_ID` VARCHAR(25) NOT NULL, -`SCHEMA_DESC` VARCHAR(75) NOT NULL, -`DATASOURCE_TYPE` VARCHAR(100) NULL DEFAULT NULL, -`CONNECTION_URL` VARCHAR(200) NOT NULL, -`USER_NAME` VARCHAR(45) NOT NULL, -`PASSWORD` VARCHAR(45) NULL DEFAULT NULL, -`DRIVER_CLASS` VARCHAR(100) NOT NULL, -`MIN_POOL_SIZE` INT(11) NOT NULL, -`MAX_POOL_SIZE` INT(11) NOT NULL, -`IDLE_CONNECTION_TEST_PERIOD` INT(11) NOT NULL) -ENGINE = InnoDB -DEFAULT CHARACTER SET = utf8; -EOD - -if [ $? -ne 0 ];then - echo "ERROR: Failed to run cmd vid-pre-init.sql" - exit 1 -else - echo "INFO: Database initialized successfully" -fi diff --git a/kubernetes/vid/resources/config/log/filebeat/filebeat.yml b/kubernetes/vid/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 9a721a885e..0000000000 --- a/kubernetes/vid/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. 
- loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/vid/resources/config/log/vid/logback.xml b/kubernetes/vid/resources/config/log/vid/logback.xml deleted file mode 100644 index 17af1c990f..0000000000 --- a/kubernetes/vid/resources/config/log/vid/logback.xml +++ /dev/null 
@@ -1,386 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${debugLoggerPattern} - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${applicationLoggerPattern} - - - - - - ${queueSize} - true - - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${auditLoggerPattern} - - - - ${queueSize} - - true - - - - - - INVOKE - INVOKE-RETURN - - DENY - ACCEPT - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${metricsLoggerPattern} - - - - ${queueSize} - - true - - - - - ERROR - ACCEPT - NEUTRAL - - - WARN - ACCEPT - DENY - - ${logDirectory}/${errorLogName}.log - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${errorLoggerPattern} - - - - - ${queueSize} - - true - - - - ${logDirectory}/${debugLogName}.log - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${debugLoggerPattern} - - - - ${queueSize} - - true - - - - ${logDirectory}/${outgoingRequestsLogName}.log - - ${logDirectory}/${outgoingRequestsLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${debugLoggerPattern} - - - - ${queueSize} - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/vid/templates/NOTES.txt b/kubernetes/vid/templates/NOTES.txt deleted file mode 100644 index a209ea8f29..0000000000 --- a/kubernetes/vid/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} 
diff --git a/kubernetes/vid/templates/configmap.yaml b/kubernetes/vid/templates/configmap.yaml deleted file mode 100644 index 5c423e61cc..0000000000 --- a/kubernetes/vid/templates/configmap.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/vid/*").AsConfig . | indent 2 }} ---- -{{ include "common.log.configMap" . }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-db-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/db_cmd.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml deleted file mode 100644 index 116a7cdfed..0000000000 --- a/kubernetes/vid/templates/deployment.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-mariadb-init-config-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export VID_TRUSTSTORE_PLAIN_PASSWORD=${VID_TRUSTSTORE_PASSWORD} - export VID_TRUSTSTORE_PASSWORD=`java -cp /usr/local/tomcat/webapps/vid/WEB-INF/lib/jetty-util-9.4.20.v20190813.jar org.eclipse.jetty.util.security.Password ${VID_TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - /tmp/vid/localize.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: ASDC_CLIENT_REST_HOST - value: sdc-be.{{ include "common.namespace" . }} - - name: ASDC_CLIENT_REST_AUTH - value: "{{ .Values.config.asdcclientrestauth }}" - - name: ASDC_CLIENT_REST_PORT - value: "{{ .Values.config.asdcclientrestport }}" - - name: ASDC_CLIENT_REST_PROTOCOL - value: "https" - - name: VID_AAI_URL - value: https://aai.{{ include "common.namespace" . }}:{{ .Values.config.vidaaiport }} - - name: VID_ECOMP_SHARED_CONTEXT_REST_URL - value: http://portal-app.{{ include "common.namespace" . }}:{{ .Values.config.onapport }}/ONAPPORTAL/context - - name: VID_MSO_SERVER_URL - value: http://so.{{ include "common.namespace" . 
}}:{{ .Values.config.msoport }}/onap/so/infra - - name: VID_MSO_PASS - value: "{{ .Values.config.vidmsopass }}" - - name: MSO_DME2_SERVER_URL - value: "{{ .Values.config.msodme2serverurl }}" - - name: MSO_DME2_ENABLED - value: {{ .Values.global.debugEnabled | default .Values.debugEnabled | quote }} - - name: VID_ECOMP_REDIRECT_URL - value: https://{{ .Values.config.portalhost }}:{{ .Values.config.onapport }}/ONAPPORTAL/login.htm - - name: VID_ECOMP_REST_URL - value: https://portal-app:{{ .Values.config.onapportrest }}/ONAPPORTAL/auxapi - - name: VID_ROLE_ACCESS_CENTRALIZED - value: "{{ .Values.config.roleaccesscentralized }}" - - name: VID_CONTACT_US_LINK - value: "{{ .Values.config.vidcontactuslink }}" - - name: VID_UEB_URL_LIST - value: message-router.{{ include "common.namespace" . }} - - name: VID_MYSQL_HOST - value: {{ include "common.mariadbService" . }} - - name: VID_MYSQL_PORT - value: "{{ include "common.mariadbPort" . }}" - - name: VID_MYSQL_DBNAME - value: {{ index .Values "mariadb-galera" "db" "name" }} - - name: VID_MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 14 }} - - name: VID_MYSQL_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }} - - name: VID_MYSQL_MAXCONNECTIONS - value: "{{ .Values.config.vidmysqlmaxconnections }}" - {{- if .Values.global.aafEnabled }} - - name: VID_KEYSTORE_FILENAME - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks" - - name: VID_TRUSTSTORE_FILENAME - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks" - {{- end }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: "{{ .Values.log.path }}" - name: vid-logs - - mountPath: /tmp/logback.xml - name: vid-logback - subPath: logback.xml - - mountPath: /opt/app/vid - name: vid-cache - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - {{ include "common.log.volumes" . | nindent 8 }} - - name: vid-cache - emptyDir: {} - - name: vid-logs - emptyDir: {} - - name: vid-logback - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vid/templates/ingress.yaml b/kubernetes/vid/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/vid/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml deleted file mode 100644 index 670838c6cf..0000000000 --- a/kubernetes/vid/templates/secrets.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/vid/templates/service.yaml b/kubernetes/vid/templates/service.yaml deleted file mode 100644 index e62f64d366..0000000000 --- a/kubernetes/vid/templates/service.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-http - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: ClusterIP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . 
}} - ports: - - name: {{ .Values.service.portName }}-http - port: {{ .Values.service.externalHttpPort }} - targetPort: {{ .Values.service.internalHttpPort }} - protocol: TCP diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml deleted file mode 100644 index aba010eb26..0000000000 --- a/kubernetes/vid/values.yaml +++ /dev/null 
@@ -1,201 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for vid. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - nodePortPrefix: 302 - mariadbGalera: &mariadbGalera - #This flag allows VID to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - centralizedLoggingEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: vid-db-user-secret - name: &dbUserSecretName '{{ include "common.release" . }}-vid-db-user-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: vid-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: vid - fqi: vid@vid.onap.org - public_fqdn: vid.onap.org - fqi_namespace: "org.onap.vid" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** retrieving password for keystore and trustore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - keytool -storepasswd -new "${TRUSTORE_PASSWD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} - echo "*** save the generated passwords" - echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop - echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . 
- fi - -subChartsOnly: - enabled: true - -# application image -image: onap/vid:8.0.2 -pullPolicy: Always - -# application configuration -config: - db: - userName: vidadmin -# userCredentialsExternalSecret: some secret -# userPassword: password - asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=" - asdcclientrestport: "8443" - vidaaiport: "8443" - onapport: "30225" - onapportrest: "8443" - portalhost: "portal.api.simpledemo.onap.org" - msoport: "8080" - vidmsopass: OBF:1ih71i271vny1yf41ymf1ylz1yf21vn41hzj1icz - msodme2serverurl: http://localhost:8081 - vidcontactuslink: https://todo_contact_us_link.com - vidmysqlmaxconnections: "5" - logstashServiceName: log-ls - logstashPort: 5044 - roleaccesscentralized: remote - -mariadb-galera: - db: - # password: - externalSecret: *dbUserSecretName - name: &mysqlDbName vid_openecomp_epsdk - nameOverride: &vid-galera vid-galera - replicaCount: 3 - persistence: - enabled: true - mountSubPath: vid/maria/data - externalConfig: |- - [mysqld] - lower_case_table_names = 1 - serviceAccount: - nameOverride: *vid-galera - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: vid-mariadb-init - # A configMap of same name is created. It points to file that will be run after - # The DB has been created. - dbScriptConfigMap: '{{ include "common.release" . 
}}-vid-db-init' - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: vid - portName: vid - externalPort: 8443 - internalPort: 8443 - nodePort: "00" - externalHttpPort: 8080 - internalHttpPort: 8080 - -ingress: - enabled: false - service: - - baseaddr: "vid.api" - name: "vid-http" - port: 8443 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 200m - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - large: - limits: - cpu: 400m - memory: 4Gi - requests: - cpu: 200m - memory: 2Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/vnfsdk/Chart.yaml b/kubernetes/vnfsdk/Chart.yaml index 7ef08bd32d..bf0dbe6640 100644 --- a/kubernetes/vnfsdk/Chart.yaml +++ b/kubernetes/vnfsdk/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP VNF SDK name: vnfsdk -version: 11.0.0 +version: 13.0.0 dependencies: - name: common - version: ~11.x-0 - repository: '@local' - - name: certInitializer - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~11.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~11.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/vnfsdk/resources/nginx/nginx.conf b/kubernetes/vnfsdk/resources/nginx/nginx.conf index d26cc5d813..9d7aa78b36 100644 --- a/kubernetes/vnfsdk/resources/nginx/nginx.conf +++ b/kubernetes/vnfsdk/resources/nginx/nginx.conf 
@@ -38,16 +38,8 @@ http { error_log /var/log/nginx/error.log; server { - listen *:8703 ssl; - server_name - ssl on; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.pem; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_session_cache builtin:1000 shared:SSL:80m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; - ssl_prefer_server_ciphers on; - ssl_session_timeout 10m; + listen {{ .Values.service.internalPort }}; + server_name {{ .Values.service.name }}; keepalive_timeout 70; location / { diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml index 89eba2f360..bf9ad3e031 100644 --- a/kubernetes/vnfsdk/templates/deployment.yaml +++ b/kubernetes/vnfsdk/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,26 +17,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: 
@@ -54,28 +43,14 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - - - command: - - /app/ready.py - args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} - resources: -{{ include "common.resources" . | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + ports: {{ include "common.containerPorts" . | nindent 8 }} + resources: {{ include "common.resources" . | nindent 10 }} + volumeMounts: - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml name: init-data subPath: configuration.xml @@ -87,9 +62,8 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + volumes: - name: init-data-input configMap: name: {{ include "common.fullname" . }} diff --git a/kubernetes/vnfsdk/templates/ingress.yaml b/kubernetes/vnfsdk/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/vnfsdk/templates/ingress.yaml 
+++ b/kubernetes/vnfsdk/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/vnfsdk/templates/job.yaml b/kubernetes/vnfsdk/templates/job.yaml index 7c320fc86f..a6966a7708 100644 --- a/kubernetes/vnfsdk/templates/job.yaml +++ b/kubernetes/vnfsdk/templates/job.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,8 +38,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -48,6 +49,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy}} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.image.postgres" . }} 
@@ -66,8 +74,8 @@ spec: - name: init-data mountPath: /aaa/init/marketplace_tables_postgres.sql subPath: marketplace_tables_postgres.sql - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} volumes: - name: init-data configMap: diff --git a/kubernetes/vnfsdk/templates/service.yaml b/kubernetes/vnfsdk/templates/service.yaml index 25786bd7ad..6127b2b373 100644 --- a/kubernetes/vnfsdk/templates/service.yaml +++ b/kubernetes/vnfsdk/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modification © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,27 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - name: {{ .Values.service.portName | default "http" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml index 0fbee4c07f..723dfc3b4f 100644 --- a/kubernetes/vnfsdk/values.yaml +++ b/kubernetes/vnfsdk/values.yaml 
@@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -33,37 +34,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: refrepo-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: refrepo - fqi: refrepo@refrepo.onap.org - fqi_namespace: org.onap.refrepo - public_fqdn: refrepo.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - echo "keystore password: $$cadi_keystore_password_p12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership of certificates to targeted user" - chown -R 999 {{ .Values.credsPath }}/certs - - ################################################################# # Application configuration defaults. ################################################################# 
@@ -104,18 +74,18 @@ flavor: small resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "2000m" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "4000m" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1000m" + memory: "2Gi" unlimited: {} # probe configuration parameters @@ -133,15 +103,26 @@ readiness: service: type: NodePort name: refrepo - portName: https - nodePort: 97 internalPort: 8703 + ports: + - name: http + port: 8703 + nodePort: '97' ingress: enabled: false service: - - baseaddr: "refrepo" + - baseaddr: "vnfsdk-refrepo-api" name: "refrepo" port: 8703 config: ssl: "redirect" + +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' diff --git a/requirements.txt b/requirements.txt index 554df8559d..b5cdcc0c10 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,3 @@ -lfdocs-conf sphinx>=4.2.0 # BSD sphinx-rtd-theme>=1.0.0 # MIT doc8 @@ -9,4 +8,10 @@ sphinxcontrib-spelling PyEnchant pylint autopep8 -gitlint +gitlint-core +sh==1.14.3 +sphinxcontrib-blockdiag +sphinxcontrib-seqdiag +sphinxcontrib-swaggerdoc +sphinxcontrib-plantuml +sphinx-toolbox diff --git a/tox.ini b/tox.ini index 6388e88cea..253cb6b423 100644 --- a/tox.ini +++ b/tox.ini 
@@ -12,52 +12,63 @@ skipsdist=true ignore-path-errors=docs/helm-search.txt;D001 [testenv:doc8] +basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = - doc8 docs/ [testenv:docs] +basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt +allowlist_externals = sudo commands = - sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html + sudo apt install graphviz + sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html [testenv:docs-linkcheck] +basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt -commands = sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck +allowlist_externals = sudo +commands = + sudo apt install graphviz + sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck [testenv:spelling] -#basepython = python3 -whitelist_externals = wget +basepython = python3.8 +allowlist_externals = + wget + sudo deps = -r{toxinidir}/requirements.txt - -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt changedir={toxinidir}/docs commands = + sudo apt install graphviz wget -nv https://git.onap.org/doc/plain/docs/spelling_wordlist.txt -O spelling_wordlist.txt sphinx-build -b spelling -d {envtmpdir}/doctrees . 
_build/spelling [testenv:gitlint] -basepython = python3 +basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = gitlint [testenv:checkbashisms] deps = -whitelist_externals = +allowlist_externals = {toxinidir}/.ci/check-bashisms.sh commands = {toxinidir}/.ci/check-bashisms.sh @@ -65,24 +76,26 @@ commands = [testenv:shellcheck] basepython = python3 deps = shellcheck-py -whitelist_externals = find +allowlist_externals = find commands = find . -not -path '*/\.*' -name *.sh -exec shellcheck \{\} + [testenv:autopep8] +basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = autopep8 --max-line-length 120 --in-place --recursive kubernetes/ TOSCA/ docs/ [testenv:pylint] +basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt -whitelist_externals = find +allowlist_externals = find commands = find kubernetes/ TOSCA/ docs/ -name *.py -exec pylint --max-line-length=120 --disable=missing-docstring --method-rgx="(([a-z_][a-zA-Z0-9_]{2,})|(_[a-z0-9_]*)|(__[a-zA-Z][a-zA-Z0-9_]+__))$" --variable-rgx="[a-zA-Z_][a-zA-Z0-9_]{1,30}$" --reports=y --score=y --output-format=colorized \{\} +
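Review bot: the deleted kubernetes/vid/values.yaml carried default credentials in clear text (`aafDeployPass: demo123456!`, the `asdcclientrestauth` Basic header, the `vidmsopass` OBF value), and removing the file does not retire them because they remain in the repository history. The base64 and Jetty OBF encodings are reversible, so these values should be treated as public. Please state in the commit message whether any remaining chart or environment still accepts them, and rotate or disable them where it does.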
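Review bot: in kubernetes/vnfsdk/resources/nginx/nginx.conf the server block now has `listen {{ .Values.service.internalPort }};` with no `ssl` parameter and no certificate, so refrepo traffic on that port is cleartext at the pod. The patch should say what terminates TLS in front of it (ingress or a mesh sidecar); if nothing does, keep a TLS listener limited to TLSv1.2 or later instead of dropping it. The removed `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and `DH+3DES` settings were weak, so removing them is fine once a replacement is named.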
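Review bot: in kubernetes/vnfsdk/templates/job.yaml the init container still spells out `/app/ready.py` with `--service-name` and now hard-codes its `resources` block, while deployment.yaml in this same patch moves to `common.readinessCheck.waitFor`. Using the shared helper here as well would keep the two in step and take the limits from values rather than from the template. The argument also depends on `.Values.postgres.service.name2`, which none of the vnfsdk values.yaml hunks shown here set; please confirm the postgres subchart defines it, otherwise the flag renders with an empty value.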
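Review bot: kubernetes/vnfsdk/templates/service.yaml now ends at `{{ include "common.service" . }}` without a trailing newline (the diff marks "No newline at end of file"), and its header reads `Modification © 2023` where the other files touched in this patch use `Modifications ©`. Please add the newline and align the header wording.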
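Review bot: in the last kubernetes/vnfsdk/values.yaml hunk the service keeps `type: NodePort` with `nodePort: '97'` while the port is renamed from `https` to `http`, so the now-plaintext 8703 listener is published on every node address. Consider `ClusterIP` with access through the ingress only, or document why the NodePort is still needed. The ingress entry also still carries `ssl: "redirect"` although the backend no longer speaks TLS; please confirm that setting refers to the ingress front end and not to the upstream connection.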
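Review bot: in the second requirements.txt hunk only `sh==1.14.3` is pinned; `gitlint-core` and the five new sphinx extensions are added without versions, so reproducibility depends on the `-c` constraint files in tox.ini listing them. Please pin them here or confirm the constraints cover them, and add a comment on why `sh` needs an exact pin so it is not bumped blindly later.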
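Review bot: in the first tox.ini hunk the docs, docs-linkcheck and spelling environments now run `sudo apt install graphviz` as a test command. This needs root on the machine running tox, stops at the confirmation prompt because there is no `-y`, and fails on hosts that are not Debian-based. Treat graphviz as a documented prerequisite or install it in the CI image, and drop `sudo` from `allowlist_externals`. The new `-chttps://releases.openstack.org/constraints/upper/yoga` line is also fetched from a third-party host at install time, so a note on why the yoga series was chosen would help the next update.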