From b137f7e426b7556a05d1222716d1870ce9dad72c Mon Sep 17 00:00:00 2001
From: MichaelMorris
Date: Sun, 15 Mar 2020 17:44:48 +0000
Subject: [PATCH] Run SDC pods as non-root

Change-Id: Id8626c02f4c8bf3e1da406920169c0ed6bee457f
Issue-ID: SDC-2798
Signed-off-by: MichaelMorris
---
 kubernetes/sdc/charts/sdc-be/templates/deployment.yaml | 4 ++--
 kubernetes/sdc/charts/sdc-be/templates/job.yaml | 6 +++++-
 kubernetes/sdc/charts/sdc-be/values.yaml | 4 ++--
 kubernetes/sdc/charts/sdc-cs/templates/job.yaml | 4 ++--
 kubernetes/sdc/charts/sdc-cs/values.yaml | 4 ++--
 kubernetes/sdc/charts/sdc-dcae-be/templates/deployment.yaml | 2 +-
 kubernetes/sdc/charts/sdc-dcae-be/templates/job.yaml | 2 +-
 kubernetes/sdc/charts/sdc-dcae-be/values.yaml | 4 ++--
 kubernetes/sdc/charts/sdc-dcae-dt/templates/deployment.yaml | 2 +-
 kubernetes/sdc/charts/sdc-dcae-dt/values.yaml | 2 +-
 kubernetes/sdc/charts/sdc-dcae-fe/templates/deployment.yaml | 2 +-
 kubernetes/sdc/charts/sdc-dcae-fe/values.yaml | 2 +-
 .../sdc/charts/sdc-dcae-tosca-lab/templates/deployment.yaml | 2 +-
 kubernetes/sdc/charts/sdc-dcae-tosca-lab/values.yaml | 2 +-
 kubernetes/sdc/charts/sdc-fe/templates/deployment.yaml | 2 +-
 kubernetes/sdc/charts/sdc-fe/values.yaml | 2 +-
 .../sdc/charts/sdc-onboarding-be/templates/deployment.yaml | 6 +++---
 kubernetes/sdc/charts/sdc-onboarding-be/templates/job.yaml | 2 +-
 kubernetes/sdc/charts/sdc-onboarding-be/values.yaml | 4 ++--
 kubernetes/sdc/charts/sdc-wfd-be/values.yaml | 10 +++++-----
 kubernetes/sdc/charts/sdc-wfd-fe/values.yaml | 2 +-
 21 files changed, 37 insertions(+), 33 deletions(-)

diff --git a/kubernetes/sdc/charts/sdc-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-be/templates/deployment.yaml
index 1aa0010289..87fed417e6 100644
--- a/kubernetes/sdc/charts/sdc-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-be/templates/deployment.yaml
@@ -80,7 +80,7 @@ spec:
 readinessProbe:
 exec:
 command:
- - "/var/lib/ready-probe.sh"
+ - "/var/lib/jetty/ready-probe.sh"
 initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
 periodSeconds: {{ .Values.readiness.periodSeconds }}
 timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
@@ -99,7 +99,7 @@ spec:
 fieldPath: status.podIP
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /var/lib/jetty/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-localtime
 mountPath: /etc/localtime
 readOnly: true
diff --git a/kubernetes/sdc/charts/sdc-be/templates/job.yaml b/kubernetes/sdc/charts/sdc-be/templates/job.yaml
index 994c407955..4b5ec51976 100644
--- a/kubernetes/sdc/charts/sdc-be/templates/job.yaml
+++ b/kubernetes/sdc/charts/sdc-be/templates/job.yaml
@@ -53,7 +53,9 @@ spec:
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /home/sdc/chef-solo/environments/
+ - name: sdc-logs
+ mountPath: /var/lib/jetty/logs
 env:
 - name: ENVNAME
 value: {{ .Values.global.env.name }}
@@ -66,6 +68,8 @@ spec:
 configMap:
 name: {{ include "common.release" . }}-sdc-environments-configmap
 defaultMode: 0755
+ - name: sdc-logs
+ emptyDir: {}
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
 restartPolicy: Never
diff --git a/kubernetes/sdc/charts/sdc-be/values.yaml b/kubernetes/sdc/charts/sdc-be/values.yaml
index a58e950b3e..b6bc635071 100644
--- a/kubernetes/sdc/charts/sdc-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-be/values.yaml
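Review bot: Neither hunk in kubernetes/sdc/charts/sdc-be/templates/deployment.yaml makes Kubernetes enforce the non-root claim in the subject; the `volumeMounts` hunk (-99,7) only moves the mount from /root to /var/lib/jetty, so the effective UID appears to come solely from the USER set in the 1.6.3 image. The pod and container spec start and end outside these hunks, so an existing `securityContext` cannot be ruled out, but if there is none, add `runAsNonRoot: true` (plus an explicit `runAsUser`) at pod level and `allowPrivilegeEscalation: false` on the container. With that in place the kubelet refuses to start a container whose image reverts to UID 0, instead of it silently running as root. The same gap applies to the other deployment.yaml and job.yaml hunks in this patch (sdc-cs, sdc-dcae-be, sdc-dcae-dt, sdc-dcae-fe, sdc-dcae-tosca-lab, sdc-fe, sdc-onboarding-be).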
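Review bot: The `sdc-logs` volume added in the -66,6 hunk of kubernetes/sdc/charts/sdc-be/templates/job.yaml is an unbounded `emptyDir: {}`, so whatever the init container writes under /var/lib/jetty/logs is charged to the node's ephemeral storage with no cap, and it is discarded with the pod, which also loses the job's log files for later diagnosis. Consider bounding it with `emptyDir:` and a nested `sizeLimit: <size appropriate for the init job>` (placeholder; the patch gives no figure). This container now mounts its environments under /home/sdc but its logs under /var/lib/jetty; that is presumably dictated by the image layout, which is not visible here, and a one-line comment such as `# init image runs as sdc but still logs to the jetty path` would save the next reader the lookup. The job spec continues outside both hunks.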
@@ -28,8 +28,8 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/sdc-backend:1.6.2
-backendInitImage: onap/sdc-backend-init:1.6.2
+image: onap/sdc-backend:1.6.3
+backendInitImage: onap/sdc-backend-init:1.6.3
 pullPolicy: Always
 # flag to enable debugging - application support required
diff --git a/kubernetes/sdc/charts/sdc-cs/templates/job.yaml b/kubernetes/sdc/charts/sdc-cs/templates/job.yaml
index 472975ff37..4e4aad46fc 100644
--- a/kubernetes/sdc/charts/sdc-cs/templates/job.yaml
+++ b/kubernetes/sdc/charts/sdc-cs/templates/job.yaml
@@ -57,9 +57,9 @@ spec:
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /home/sdc/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-chef-cache
- mountPath: /root/chef-solo/cache
+ mountPath: /home/sdc/chef-solo/cache
 env:
 - name: ENVNAME
 value: {{ .Values.global.env.name }}
diff --git a/kubernetes/sdc/charts/sdc-cs/values.yaml b/kubernetes/sdc/charts/sdc-cs/values.yaml
index c7c8da96b0..ddc194654d 100644
--- a/kubernetes/sdc/charts/sdc-cs/values.yaml
+++ b/kubernetes/sdc/charts/sdc-cs/values.yaml
@@ -28,8 +28,8 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/sdc-cassandra:1.6.2
-cassandraInitImage: onap/sdc-cassandra-init:1.6.2
+image: onap/sdc-cassandra:1.6.3
+cassandraInitImage: onap/sdc-cassandra-init:1.6.3
 pullPolicy: Always
diff --git a/kubernetes/sdc/charts/sdc-dcae-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-dcae-be/templates/deployment.yaml
index f8fb2f61e2..6072148d07 100644
--- a/kubernetes/sdc/charts/sdc-dcae-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-be/templates/deployment.yaml
@@ -92,7 +92,7 @@ spec:
 fieldPath: status.podIP
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /var/lib/jetty/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-localtime
 mountPath: /etc/localtime
 readOnly: true
diff --git a/kubernetes/sdc/charts/sdc-dcae-be/templates/job.yaml b/kubernetes/sdc/charts/sdc-dcae-be/templates/job.yaml
index 57a25516af..9df959abd4 100644
--- a/kubernetes/sdc/charts/sdc-dcae-be/templates/job.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-be/templates/job.yaml
@@ -52,7 +52,7 @@ spec:
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments
+ mountPath: /var/lib/jetty/chef-solo/environments
 env:
 - name: ENVNAME
 value: {{ .Values.global.env.name }}
diff --git a/kubernetes/sdc/charts/sdc-dcae-be/values.yaml b/kubernetes/sdc/charts/sdc-dcae-be/values.yaml
index 77544a75f3..051c076ea1 100644
--- a/kubernetes/sdc/charts/sdc-dcae-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-be/values.yaml
@@ -27,9 +27,9 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/dcae-be:1.3.2
+image: onap/dcae-be:1.3.3
 pullPolicy: Always
-backendInitImage: onap/dcae-tools:1.3.2
+backendInitImage: onap/dcae-tools:v1.3.3
 # flag to enable debugging - application support required
 debugEnabled: false
diff --git a/kubernetes/sdc/charts/sdc-dcae-dt/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-dcae-dt/templates/deployment.yaml
index 586baeb609..20a6194e99 100644
--- a/kubernetes/sdc/charts/sdc-dcae-dt/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-dt/templates/deployment.yaml
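Review bot: `backendInitImage: onap/dcae-tools:v1.3.3` in kubernetes/sdc/charts/sdc-dcae-be/values.yaml is the only image tag in this patch with a `v` prefix; the line it replaces was `onap/dcae-tools:1.3.2` and the sibling `image` becomes `onap/dcae-be:1.3.3`. If the registry has no `v1.3.3` tag the init job fails at image pull, and if it does, it is worth confirming that tag is the intended build and not a separately published artifact. Either use `backendInitImage: onap/dcae-tools:1.3.3` or add a comment above the key explaining why this image follows a different tag scheme.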
@@ -91,7 +91,7 @@ spec:
 fieldPath: status.podIP
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /var/lib/jetty/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-localtime
 mountPath: /etc/localtime
 readOnly: true
diff --git a/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml b/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml
index df0606fdbe..26e1cacdd0 100644
--- a/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-dt/values.yaml
@@ -27,7 +27,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/dcae-dt:1.3.2
+image: onap/dcae-dt:1.3.3
 pullPolicy: IfNotPresent
 config:
 javaOptions: -XX:MaxPermSize=256m -Xmx1024m -Dconfig.home=config -Dlog.home=/var/lib/jetty/logs/ -Dlogging.config=config/dcae-dt/logback-spring.xml
diff --git a/kubernetes/sdc/charts/sdc-dcae-fe/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-dcae-fe/templates/deployment.yaml
index 1bc0d880e7..e99d65b43b 100644
--- a/kubernetes/sdc/charts/sdc-dcae-fe/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-fe/templates/deployment.yaml
@@ -91,7 +91,7 @@ spec:
 fieldPath: status.podIP
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /var/lib/jetty/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-localtime
 mountPath: /etc/localtime
 readOnly: true
diff --git a/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml b/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml
index a5794b28c3..46024d57ca 100644
--- a/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-fe/values.yaml
@@ -27,7 +27,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/dcae-fe:1.3.2
+image: onap/dcae-fe:1.3.3
 pullPolicy: Always
 config:
 javaOptions: -XX:MaxPermSize=256m -Xmx1024m -Dconfig.home=config -Dlog.home=/var/lib/jetty/logs/ -Dlogging.config=config/dcae-fe/logback-spring.xml
diff --git a/kubernetes/sdc/charts/sdc-dcae-tosca-lab/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-dcae-tosca-lab/templates/deployment.yaml
index 5634aec492..5ae706dee8 100644
--- a/kubernetes/sdc/charts/sdc-dcae-tosca-lab/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-tosca-lab/templates/deployment.yaml
@@ -77,7 +77,7 @@ spec:
 fieldPath: status.podIP
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /var/lib/jetty/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-localtime
 mountPath: /etc/localtime
 readOnly: true
diff --git a/kubernetes/sdc/charts/sdc-dcae-tosca-lab/values.yaml b/kubernetes/sdc/charts/sdc-dcae-tosca-lab/values.yaml
index 06169df566..61beab34c4 100644
--- a/kubernetes/sdc/charts/sdc-dcae-tosca-lab/values.yaml
+++ b/kubernetes/sdc/charts/sdc-dcae-tosca-lab/values.yaml
@@ -27,7 +27,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/dcae-tosca-app:1.3.1
+image: onap/dcae-tosca-app:1.3.3
 pullPolicy: Always
 # flag to enable debugging - application support required
diff --git a/kubernetes/sdc/charts/sdc-fe/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-fe/templates/deployment.yaml
index 6f35f6bd06..8e19489f9a 100644
--- a/kubernetes/sdc/charts/sdc-fe/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-fe/templates/deployment.yaml
@@ -80,7 +80,7 @@ spec:
 value: {{ .Values.config.javaOptions }}
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /var/lib/jetty/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-localtime
 mountPath: /etc/localtime
 readOnly: true
diff --git a/kubernetes/sdc/charts/sdc-fe/values.yaml b/kubernetes/sdc/charts/sdc-fe/values.yaml
index ce77dfda4a..64ccaa81b1 100644
--- a/kubernetes/sdc/charts/sdc-fe/values.yaml
+++ b/kubernetes/sdc/charts/sdc-fe/values.yaml
@@ -28,7 +28,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/sdc-frontend:1.6.2
+image: onap/sdc-frontend:1.6.3
 pullPolicy: Always
 config:
diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
index 78b111658a..75779a319c 100644
--- a/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml
@@ -57,7 +57,7 @@ spec:
 livenessProbe:
 exec:
 command:
- - "/var/lib/ready-probe.sh"
+ - "/var/lib/jetty/ready-probe.sh"
 initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
 periodSeconds: {{ .Values.liveness.periodSeconds }}
 timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
@@ -65,7 +65,7 @@ spec:
 readinessProbe:
 exec:
 command:
- - "/var/lib/ready-probe.sh"
+ - "/var/lib/jetty/ready-probe.sh"
 initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
 periodSeconds: {{ .Values.readiness.periodSeconds }}
 timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
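Review bot: In the readinessProbe hunk (-65,7) of kubernetes/sdc/charts/sdc-onboarding-be/templates/deployment.yaml the last context line still reads `timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}`, so the readiness timeout is taken from the liveness settings, whereas the sdc-be template in this same patch uses `.Values.readiness.timeoutSeconds` for that field. This predates the commit, but the hunk already edits the probe command a few lines above, so it is a cheap place to correct it: `timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}`. That assumes `readiness.timeoutSeconds` is defined in this chart's values.yaml, which is not visible in the patch.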
@@ -94,7 +94,7 @@ spec:
 value: {{ .Values.cert.certDir }}
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /var/lib/jetty/chef-solo/environments/
 - name: {{ include "common.fullname" . }}-localtime
 mountPath: /etc/localtime
 readOnly: true
diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/templates/job.yaml
index 11676147e7..0e5e63b772 100644
--- a/kubernetes/sdc/charts/sdc-onboarding-be/templates/job.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/templates/job.yaml
@@ -53,7 +53,7 @@ spec:
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
 volumeMounts:
 - name: {{ include "common.fullname" . }}-environments
- mountPath: /root/chef-solo/environments/
+ mountPath: /home/sdc/chef-solo/environments/
 env:
 - name: ENVNAME
 value: {{ .Values.global.env.name }}
diff --git a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
index 727d0a389b..b15f784dee 100644
--- a/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-onboarding-be/values.yaml
@@ -28,8 +28,8 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/sdc-onboard-backend:1.6.2
-onboardingInitImage: onap/sdc-onboard-cassandra-init:1.6.2
+image: onap/sdc-onboard-backend:1.6.3
+onboardingInitImage: onap/sdc-onboard-cassandra-init:1.6.3
 pullPolicy: Always
 # flag to enable debugging - application support required
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
index 3e5a83aee7..78fdb32dcc 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
@@ -28,8 +28,8 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/workflow-backend:1.6.1
-configInitImage: onap/workflow-init:1.6.1
+image: onap/workflow-backend:1.6.2
+configInitImage: onap/workflow-init:1.6.2
 pullPolicy: Always
 initJob:
@@ -47,13 +47,13 @@ config:
 serverSSLEnabled: true
 serverSSLKeyStoreType: jks
- serverSSLKeyStorePath: /etc/keystore
+ serverSSLKeyStorePath: /home/sdc/etc/keystore
 serverSSLTrustStoreType: jks
- serverSSLTrustStorePath: /etc/truststore
+ serverSSLTrustStorePath: /home/sdc/etc/truststore
 cassandraSSLEnabled: false
- cassandraTrustStorePath: /etc/truststore
+ cassandraTrustStorePath: /home/sdc/etc/truststore
 # default number of instances
 replicaCount: 1
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
index 66eb22e50c..6b0669b5b6 100644
--- a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
@@ -28,7 +28,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/workflow-frontend:1.6.1
+image: onap/workflow-frontend:1.6.2
 pullPolicy: Always
 # flag to enable debugging - application support required
--
2.16.6
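Review bot: The three store paths in the -47,13 hunk of kubernetes/sdc/charts/sdc-wfd-be/values.yaml move under /home/sdc/etc/, but the diffstat lists no sdc-wfd-be template, so nothing in this patch shows where the keystore and truststore files are actually mounted. If the chart's deployment template mounts them at a fixed path instead of deriving it from these values, TLS start-up will fail with `serverSSLEnabled: true`; that needs confirming against the template. Because the stores now sit in the runtime user's home directory, the mount that supplies them should also be `readOnly: true` so the application account cannot rewrite its own trust anchors. A comment above the keys would record the coupling, for example `# must match the keystore/truststore mountPath in this chart's deployment template`.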