From f86f62974f0937fe5cd7fea12f180a546956c04b Mon Sep 17 00:00:00 2001 From: Jack Lucas Date: Wed, 8 Jun 2022 09:12:29 -0400 Subject: [PATCH] [DCAEGEN2-SVCS] Support config update via configMap Change chart to mount application configuration configMap directly on the application container and rely on the DCAE SDK to do environment variable substitution on the configMap content. This allows changing configuration by editing the configMap without restarting the application. Remove message router authenticated topic provisioning from DCAE. Issue-ID: DCAEGEN2-2935 Signed-off-by: Jack Lucas Change-Id: I85139e64f8cb7e1b88f8fca8d5d84cc71f946290 --- .../common/common/templates/_dmaapProvisioning.tpl | 27 ++------ .../templates/_configmap.tpl | 36 +++++------ .../templates/_deployment.tpl | 72 ++++++++++------------ .../components/dcae-pm-mapper/values.yaml | 1 - .../components/dcae-prh/values.yaml | 7 +-- .../components/dcae-restconf-collector/values.yaml | 5 +- 6 files changed, 57 insertions(+), 91 deletions(-) diff --git a/kubernetes/common/common/templates/_dmaapProvisioning.tpl b/kubernetes/common/common/templates/_dmaapProvisioning.tpl index eefd00d7bf..11d7501256 100644 --- a/kubernetes/common/common/templates/_dmaapProvisioning.tpl +++ b/kubernetes/common/common/templates/_dmaapProvisioning.tpl @@ -1,6 +1,7 @@ {{/* ################################################################################ # Copyright (C) 2021 Nordix Foundation. # +# Copyright (c) 2022 J. F. Lucas. All rights reserved. # # # # Licensed under the Apache License, Version 2.0 (the "License"); # # you may not use this file except in compliance with the License. # @@ -18,14 +19,14 @@ {{/* This template generates a Kubernetes init containers common template to enable applications to provision - DMaaP topics (on Message Router) and feeds (on Data Router), with associated authorization (on AAF). + DMaaP feeds (on Data Router), with associated authorization. DMaap Bus Controller endpoints are used to provision: - - Authorized topic on MR, and to create and grant permission for publishers and subscribers. + - Feed on DR, with associated user authentication. common.dmaap.provisioning.initContainer: This template make use of Dmaap Bus Controller docker image to create resources on Dmaap Data Router - microservice, with the help of dbc-client.sh script it makes use of Bus Controller API to create Feed, Topics. + microservice, with the help of dbc-client.sh script it makes use of Bus Controller API to create Feeds. If the resource creation is successful via script response is logged back at particular location with appropriate naming convention. @@ -57,20 +58,7 @@ privilegedSubscriber: True deliveryURL: https://dcae-pm-mapper:8443/delivery - # MessageRouter Topic, Publisher Configuration - mrTopicsConfig: - - topicName: PERFORMANCE_MEASUREMENTS - topicDescription: Description about Topic - owner: dcaecm - tnxEnabled: false - clients: - - dcaeLocationName: san-francisco - clientRole: org.onap.dcae.pmPublisher - action: - - pub - - view - - # ConfigMap Configuration for DR Feed, Dr_Publisher, Dr_Subscriber, MR Topics + # ConfigMap Configuration for DR Feed, Dr_Publisher, Dr_Subscriber volumes: - name: feeds-config path: /opt/app/config/feeds @@ -78,8 +66,6 @@ path: /opt/app/config/dr_pubs - name: drsub-config path: /opt/app/config/dr_subs - - name: topics-config - path: /opt/app/config/topics In deployments/jobs/stateful include: initContainers: @@ -113,8 +99,7 @@ {{- define "common.dmaap.provisioning.initContainer" -}} {{- $dot := default . .dot -}} {{- $drFeedConfig := default $dot.Values.drFeedConfig .drFeedConfig -}} -{{- $mrTopicsConfig := default $dot.Values.mrTopicsConfig .mrTopicsConfig -}} -{{- if or $drFeedConfig $mrTopicsConfig -}} +{{- if $drFeedConfig -}} - name: {{ include "common.name" $dot }}-init-dmaap-provisioning image: {{ include "repositoryGenerator.image.dbcClient" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl index f76be4c190..afd3c38f31 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl @@ -1,7 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2019 AT&T -# Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. # Copyright (c) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -30,14 +30,21 @@ use of templates from the ONAP "common" collection) references data in .Release. The template always produces a configMap containing the microservice's -initial configuration data. This configMap is used by an initContainer -that loads the configuration into Consul. (See the documentation for +initial configuration data. (See the documentation for dcaegen2-services-common.microserviceDeployment for more details.) -If the microservice is using a logging sidecar (again, see the documentation -for dcaegen2-services-common.microserviceDeployment for more details), the -template generates an additiona configMap that supplies configuration -information for the logging sidecar. +If the microservice is using one or more Data Router (DR) feeds, the +template produces a configMap containing the information needed to +provision the feed(s). An init container performs the provisioning. + +If the microservice acts as a DR publisher for one or more feeds, the +template produces a configMap containing the information needed to +provision the publisher(s). An init container performs the provisioning. + +If the microservice acts as a DR subscriber for one or more feeds, the +template produces a configMap containing the information needed to +provision the subscribeer(s). An init container performs the provisioning. + */}} {{- define "dcaegen2-services-common.configMap" -}} @@ -96,19 +103,4 @@ data: {{ $drsub | toJson | indent 2 }} {{- end }} {{- end }} - -{{- if .Values.mrTopicsConfig }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-topics-config - namespace: {{ include "common.namespace" . }} - labels: {{ include "common.labels" . | nindent 6 }} -data: - {{- range $i, $topics := .Values.mrTopicsConfig }} - topicsConfig-{{$i}}.json: |- - {{ $topics | toJson | indent 2 }} - {{- end }} -{{- end }} {{- end }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 9781e33f1f..6c742c07de 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -33,7 +33,7 @@ provided to all microservices. The template expects a single argument, pointing to the caller's global context. Microservice-specific environment variables can be specified in two ways: - 1. As literal string values. + 1. As literal string values. (The values can also be Helm template fragments.) 2. As values that are sourced from a secret, identified by the secret's uid and the key within the secret that provides the value. @@ -180,21 +180,6 @@ The sidecar is included if .Values.log.path is set. The logging sidecar and the DCAE microservice container share a volume where the microservice logs are written. -The Deployment includes an initContainer that checks for the -readiness of other components that the microservice relies on. -This container is generated by the "common.readinessCheck.waitfor" -template. - -If the microservice acts as a TLS client or server, the Deployment will -include an initContainer that retrieves certificate information from -the AAF certificate manager. The information is mounted at the -mount point specified in .Values.certDirectory. If the microservice is -a TLS server (indicated by setting .Values.tlsServer to true), the -certificate information will include a server cert and key, in various -formats. It will also include the AAF CA cert. If the microservice is -a TLS client only (indicated by setting .Values.tlsServer to false), the -certificate information includes only the AAF CA cert. - Deployed POD may also include a Policy-sync sidecar container. The sidecar is included if .Values.policies is set. The Policy-sync sidecar polls PolicyEngine (PDP) periodically based @@ -212,6 +197,35 @@ policies: policyRelease: "onap" policyID: | '["onap.vfirewall.tca","onap.vdns.tca"]' + +The Deployment includes an initContainer that checks for the +readiness of other components that the microservice relies on. +This container is generated by the "common.readinessCheck.waitfor" +template. See the documentation for this template +(oom/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl). + +If the microservice uses a DMaaP Data Router (DR) feed, the Deployment +includes an initContainer that makes provisioning requests to the DMaaP +bus controller (dmaap-bc) to create the feed and to set up a publisher +and/or subscriber to the feed. The Deployment also includes a second +initContainer that merges the information returned by the provisioning +process into the microservice's configuration. See the documentation for +the common DMaaP provisioning template +(oom/kubernetes/common/common/templates/_dmaapProvisioning.tpl). + +If the microservice acts as a TLS client or server, the Deployment will +include an initContainer that retrieves certificate information from +the AAF certificate manager. The information is mounted at the +mount point specified in .Values.certDirectory. If the microservice is +a TLS server (indicated by setting .Values.tlsServer to true), the +certificate information will include a server cert and key, in various +formats. It will also include the AAF CA cert. If the microservice is +a TLS client only (indicated by setting .Values.tlsServer to false), the +certificate information includes only the AAF CA cert. + +If the microservice uses certificates from an external CMPv2 provider, +the Deployment will include an initContainer that performs certificate +post-processing. */}} {{- define "dcaegen2-services-common.microserviceDeployment" -}} @@ -236,30 +250,6 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{- if not $drFeedConfig }} - - command: - - sh - args: - - -c - - | - {{- range $var := .Values.customEnvVars }} - export {{ $var.name }}="{{ $var.value }}"; - {{- end }} - cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done - env: - {{- range $cred := .Values.credentials }} - - name: {{ $cred.name }} - {{- include "common.secret.envFromSecretFast" (dict "global" $ "uid" $cred.uid "key" $cred.key) | indent 10 }} - {{- end }} - volumeMounts: - - mountPath: /config-input - name: app-config-input - - mountPath: /config - name: app-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} {{- if $certDir }} @@ -331,7 +321,7 @@ spec: resources: {{ include "common.resources" . | nindent 2 }} volumeMounts: - mountPath: /app-config - name: app-config + name: {{ ternary "app-config-input" "app-config" (not $drFeedConfig) }} - mountPath: /app-config-input name: app-config-input {{- if $logDir }} diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml index 37a1045c82..eaa961c53a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml @@ -178,7 +178,6 @@ drSubConfig: privilegedSubscriber: true deliveryURL: http://dcae-pm-mapper:8081/delivery - # ConfigMap Configuration for Dr Feed, Subscriber, MR Topics volumes: - name: feeds-config diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index cac362a3a8..ddb0b08833 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -99,10 +99,6 @@ credentials: uid: *aaiCredsUID key: password -customEnvVars: -- name: AUTH_HDR - value: "Basic `echo -n ${AAI_USER}:${AAI_PASSWORD} | base64`" - # initial application configuration applicationConfig: dmaap.dmaapConsumerConfiguration.dmaapContentType: "application/json" @@ -127,7 +123,7 @@ applicationConfig: X-TransactionId: "9999" Accept: "application/json" Real-Time: "true" - Authorization: $AUTH_HDR + Authorization: ${AUTH_HDR} security.trustStorePath: "/opt/app/prh/etc/cert/trust.jks" security.trustStorePasswordPath: "/opt/app/prh/etc/cert/trust.pass" security.keyStorePath: "/opt/app/prh/etc/cert/cert.jks" @@ -151,6 +147,7 @@ applicationConfig: applicationEnv: CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + AUTH_HDR: '{{ printf "Basic %s" (print .Values.aaiCreds.user ":" .Values.aaiCreds.password | b64enc) }}' # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml index 41b671d66d..ecbfb72661 100644 --- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml @@ -139,7 +139,10 @@ applicationConfig: topic_url: http://message-router:3904/events/unauthenticated.DCAE_RCC_OUTPUT type: message_router #rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"${CONTROLLER_IP}:{CONTROLLER_PORT}","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' - rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' + # Workaround while DCAEGEN2-3234 is being resolved--hardcording the ${CONTROLLER_USERNAME} and ${CONTROLLER_PASSWORD} until the restconf-collector uses the latest CBS client SDK that can handle multiple substitutions in a string. + # The line immediately below this one should be used once DCAEGEN-3234 is resolved. + #rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' + rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"access","controller_restapiPassword":"Huawei@123","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' #applicationEnv: # CONTROLLER_IP: "172.30.0.55" -- 2.16.6