From 7124a4ba6b5d880674ebe98b72073b453bb4780e Mon Sep 17 00:00:00 2001 From: "saul.gill" Date: Thu, 9 Sep 2021 12:02:49 +0100 Subject: [PATCH] [POLICY] Add helm chart for cl-runtime component Added controlloop-runtime chart Issue-ID: POLICY-3593 Change-Id: I4b948f7c12637b0c339eb966e2f93a3b864bcf44 Signed-off-by: saul.gill --- .../components/policy-clamp-cl-runtime/Chart.yaml | 22 +++ .../policy-clamp-cl-runtime/requirements.yaml | 31 +++++ .../resources/config/clRuntimeParameters.yaml | 79 +++++++++++ .../resources/config/logback.xml | 103 ++++++++++++++ .../templates/configmap.yaml | 38 +++++ .../templates/deployment.yaml | 131 ++++++++++++++++++ .../policy-clamp-cl-runtime/templates/secrets.yaml | 21 +++ .../policy-clamp-cl-runtime/templates/service.yaml | 21 +++ .../components/policy-clamp-cl-runtime/values.yaml | 154 +++++++++++++++++++++ kubernetes/policy/requirements.yaml | 4 + kubernetes/policy/resources/config/db.sh | 3 +- kubernetes/policy/values.yaml | 18 +++ 12 files changed, 624 insertions(+), 1 deletion(-) create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/Chart.yaml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/requirements.yaml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/clRuntimeParameters.yaml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/logback.xml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/templates/configmap.yaml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/templates/deployment.yaml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/templates/secrets.yaml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/templates/service.yaml create mode 100644 kubernetes/policy/components/policy-clamp-cl-runtime/values.yaml diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/Chart.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/Chart.yaml new file mode 100644 index 0000000000..b7c44d7c3b --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/Chart.yaml @@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v1 +description: ONAP Policy Clamp Controlloop Runtime +name: policy-clamp-cl-runtime +version: 8.0.0 diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/requirements.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/requirements.yaml new file mode 100644 index 0000000000..7878f91d48 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/requirements.yaml @@ -0,0 +1,31 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +dependencies: + - name: common + version: ~8.x-0 + repository: '@local' + - name: certInitializer + version: ~8.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/clRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/clRuntimeParameters.yaml new file mode 100644 index 0000000000..250e91213c --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/clRuntimeParameters.yaml @@ -0,0 +1,79 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + security: + user: + name: ${RUNTIME_USER} + password: ${RUNTIME_PASSWORD} + http: + converters: + preferred-json-mapper: gson + +security: + enable-csrf: false + +server: + port: 6969 + servlet: + context-path: /onap/controlloop + error: + path: /error + + +runtime: + supervisionScannerIntervalSec: 1000 + participantClUpdateIntervalSec: 1000 + participantClStateChangeIntervalSec: 1000 + participantParameters: + heartBeatMs: 120000 + maxMessageAgeMs: 600000 + maxStatusWaitMs: 100000 + updateParameters: + maxRetryCount: 3 + maxWaitMs: 100000 + databaseProviderParameters: + name: PolicyProviderParameterGroup + implementation: org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl + databaseDriver: org.mariadb.jdbc.Driver + databaseUrl: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/controlloop + databaseUser: ${SQL_USER} + databasePassword: ${SQL_PASSWORD} + persistenceUnit: CommissioningMariaDb + topicParameterGroup: + topicSources: + - + topic: POLICY-CLRUNTIME-PARTICIPANT + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + useHttps: true + fetchTimeout: 15000 + topicSinks: + - + topic: POLICY-CLRUNTIME-PARTICIPANT + servers: + - ${topicServer:message-router} + topicCommInfrastructure: dmaap + useHttps: true + +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/logback.xml new file mode 100644 index 0000000000..43cea65306 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/resources/config/logback.xml @@ -0,0 +1,103 @@ + + + + + + /var/log/onap/policy/pap/error.log + + /var/log/onap/policy/policy-clamp-cl-runtime/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + WARN + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/pap/debug.log + + /var/log/onap/policy/policy-clamp-cl-runtime/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/policy-clamp-cl-runtime/network.log + + /var/log/onap/policy/policy-clamp-cl-runtime/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/configmap.yaml new file mode 100644 index 0000000000..66c096d439 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/configmap.yaml @@ -0,0 +1,38 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +{{- with .Files.Glob "resources/config/*store" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{ tpl (.Files.Glob "resources/config/*.{json,xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/deployment.yaml new file mode 100644 index 0000000000..92e5c9e6c8 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/deployment.yaml @@ -0,0 +1,131 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - /app/ready.py + args: + - --job-name + - {{ include "common.release" . }}-policy-galera-config + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: RUNTIME_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} + - name: RUNTIME_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: cl-runtime-config + - mountPath: /config + name: cl-runtime-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config +{{ include "common.certInitializer.initContainer" . | indent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} +{{- if .Values.global.aafEnabled }} + command: ["sh","-c"] + args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ + /opt/app/policy/clamp/bin/controlloop-runtime.sh /opt/app/policy/clamp/etc/mounted/clRuntimeParameters.yaml"] +{{- else }} + command: ["/opt/app/policy/clamp/bin/controlloop-runtime.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/clRuntimeParameters.yaml"] + env: + - name: KEYSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} +{{- end }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: +{{ include "common.certInitializer.volumeMount" . | indent 10 }} + - mountPath: /etc/localtime + name: localtime + readOnly: true + - mountPath: /opt/app/policy/clamp/etc/mounted + name: cl-runtime-config-processed + resources: +{{ include "common.resources" . }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: +{{ include "common.certInitializer.volumes" . | indent 8 }} + - name: localtime + hostPath: + path: /etc/localtime + - name: cl-runtime-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: cl-runtime-config-processed + emptyDir: + medium: Memory + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/secrets.yaml new file mode 100644 index 0000000000..abbfa3fdba --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/templates/service.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/service.yaml new file mode 100644 index 0000000000..be2449f890 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/templates/service.yaml @@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-cl-runtime/values.yaml b/kubernetes/policy/components/policy-clamp-cl-runtime/values.yaml new file mode 100644 index 0000000000..4cf9e67c99 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-cl-runtime/values.yaml @@ -0,0 +1,154 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefixExt: 304 + persistence: {} + aafEnabled: true + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' + login: '{{ .Values.db.user }}' + password: '{{ .Values.db.password }}' + passwordPolicy: required + - uid: keystore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required + - uid: truststore-password + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required + - uid: runtime-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' + login: '{{ .Values.config.policyAppUserName }}' + password: '{{ .Values.config.policyAppUserPassword }}' + passwordPolicy: required + +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap + +certInitializer: + nameOverride: policy-clamp-cl-runtime-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + fqdn: policy + fqi: policy@policy.onap.org + public_fqdn: policy.onap.org + cadi_latitude: "0.0" + cadi_longitude: "0.0" + credsPath: /opt/app/osaaf/local + app_ns: org.osaaf.aaf + uid: 100 + gid: 101 + aaf_add_config: > + echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; + echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; + chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); + + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/policy-clamp-cl-runtime:6.1.2 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: + policyAppUserName: runtimeUser + policyAppUserPassword: none + +db: + user: policy_user + password: policy_user + service: + name: policy-mariadb + internalPort: 3306 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: http-api + +readiness: + initialDelaySeconds: 20 + periodSeconds: 10 + port: http-api + +service: + type: ClusterIP + name: policy-clamp-cl-runtime + useNodePortExt: true + ports: + - name: http-api + port: 6969 + nodePort: 42 + +ingress: + enabled: false + +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 100m + memory: 1Gi + large: + limits: + cpu: 2 + memory: 8Gi + requests: + cpu: 200m + memory: 2Gi + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: policy-clamp-cl-runtime + roles: + - read diff --git a/kubernetes/policy/requirements.yaml b/kubernetes/policy/requirements.yaml index b391d27bb1..0ba1535346 100755 --- a/kubernetes/policy/requirements.yaml +++ b/kubernetes/policy/requirements.yaml @@ -61,6 +61,10 @@ dependencies: version: ~8.x-0 repository: 'file://components/policy-clamp-cl-k8s-ppnt' condition: policy-clamp-cl-k8s-ppnt.enabled + - name: policy-clamp-cl-runtime + version: ~8.x-0 + repository: 'file://components/policy-clamp-cl-runtime' + condition: policy-clamp-cl-runtime.enabled - name: policy-gui version: ~8.x-0 repository: 'file://components/policy-gui' diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh index 7b9437217d..787ec0adbe 100755 --- a/kubernetes/policy/resources/config/db.sh +++ b/kubernetes/policy/resources/config/db.sh @@ -2,6 +2,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2018, 2020 AT&T Intellectual Property +# Modifications Copyright (C) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; }; -for db in migration pooling policyadmin policyclamp operationshistory +for db in migration pooling policyadmin policyclamp operationshistory controlloop do mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 054c7be2c8..29603690b8 100755 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -45,6 +45,13 @@ secrets: login: '{{ index .Values "mariadb-galera" "db" "user" }}' password: '{{ index .Values "mariadb-galera" "db" "password" }}' passwordPolicy: generate + - uid: policy-app-user-creds + name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.policyAppUserExternalSecret) . }}' + login: '{{ .Values.config.policyAppUserName }}' + password: '{{ .Values.config.policyAppUserPassword }}' + passwordPolicy: generate db: &dbSecretsHook credsExternalSecret: *dbSecretName @@ -70,12 +77,19 @@ policy-distribution: policy-clamp-be: enabled: true db: *dbSecretsHook + config: + appUserExternalSecret: *policyAppCredsSecret policy-clamp-fe: enabled: true policy-clamp-cl-k8s-ppnt: enabled: true policy-nexus: enabled: false +policy-clamp-cl-runtime: + enabled: true + db: *dbSecretsHook + config: + appUserExternalSecret: *policyAppCredsSecret policy-gui: enabled: true @@ -119,6 +133,10 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 + +config: + policyAppUserName: runtimeUser + mariadb-galera: # mariadb-galera.config and global.mariadb.config must be equals db: -- 2.16.6