move to OpenDistro
move dashboard to Opendistro and certificate update
Issue-ID: CLAMP-483
Change-Id: Ibaba1d517c13adeab611ab23749fb16295081372
Signed-off-by: osgn422w <gervais-martial.ngueko@intl.att.com>
diff --git a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml
index 26affe6..e4deab0 100644
--- a/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml
+++ b/kubernetes/clamp/charts/clamp-dash-es/resources/config/elasticsearch.yml
@@ -1,4 +1,5 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
+---
+# Copyright © 2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -30,30 +31,24 @@
# The default name is elasticsearch, but you should change it to an appropriate name which describes the
# purpose of the cluster.
#
+## Default Elasticsearch configuration from elasticsearch-docker.
+## from https://opendistro.github.io/for-elasticsearch-docs/docs/elasticsearch/configuration/
+#
+
cluster.name: "clamp-dashboard"
+node.name: "cldash-es-node1"
+# ---------------------------------- Network -----------------------------------
#
-# The port that other nodes in the cluster should use when communicating with this node.
-# Required for Elasticsearch's nodes running on different cluster nodes.
-# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html
-#transport.publish_port:$transport.publish_port
+# Set the bind address to a specific IP (IPv4 or IPv6):
+# In order to communicate and to form a cluster with nodes on other servers, your node will need to bind to a
+# non-loopback address.
+network.host: 0.0.0.0
#
-# The host address to publish for nodes in the cluster to connect to.
-# Required for Elasticsearch's nodes running on different cluster nodes.
-# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html
-#transport.publish_host:$transport.publish_host
+# Set a custom port for HTTP: If required, default is 9200-9300
#
-# ------------------------------------ Node ------------------------------------
+#http.port: $http.port
#
-# It is better to provide different meaningfull names fot different elastic nodes.
-# By default, Elasticsearch will take the 7 first character of the randomly generated uuid used as the node id.
-# Note that the node id is persisted and does not change when a node restarts
-#
-#node.name: $node.name
-#
-# Add custom attributes to the node:
-#
-#node.attr.rack: r1
-#
+# For more information, consult the network module documentation.
# ----------------------------------- Paths ------------------------------------
#
# The location of the data files of each index / shard allocated on the node. Can hold multiple locations separated by coma.
@@ -78,19 +73,6 @@
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
-# ---------------------------------- Network -----------------------------------
-#
-# Set the bind address to a specific IP (IPv4 or IPv6):
-# In order to communicate and to form a cluster with nodes on other servers, your node will need to bind to a
-# non-loopback address.
-network.host: 0.0.0.0
-#
-# Set a custom port for HTTP: If required, default is 9200-9300
-#
-#http.port: $http.port
-#
-# For more information, consult the network module documentation.
-#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started
@@ -98,24 +80,16 @@
# that are likely to be live and contactable.
# By default, Elasticsearch will bind to the available loopback addresses and will scan ports 9300 to 9305 to try
# to connect to other nodes running on the same server.
-#
-#$discovery.zen.ping.unicast.hosts
-#
-# This setting tells Elasticsearch to not elect a master unless there are enough master-eligible nodes
-# available. Only then will an election take place.
-# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
+# # minimum_master_nodes need to be explicitly set when bound on a public IP
+# # set to 1 to allow single node clusters
+# # Details: https://github.com/elastic/elasticsearch/pull/17288
discovery.zen.minimum_master_nodes: 1
-#
-# For more information, consult the zen discovery module documentation.
-#
-# ---------------------------------- Gateway -----------------------------------
-#
-# Block initial recovery after a full cluster restart until N nodes are started:
-#
-#gateway.recover_after_nodes: 3
-#
-# For more information, consult the gateway module documentation.
-#
+discovery.seed_hosts: []
+# # Breaking change in 7.0
+# # https://www.elastic.co/guide/en/elasticsearch/reference/7.0/breaking-changes-7.0.html#breaking_70_discovery_changes
+cluster.initial_master_nodes:
+ - cldash-es-node1
+# - docker-test-node-1
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
@@ -129,26 +103,26 @@
# Defaults to 9300-9400.
# More info:
transport.tcp.port: {{.Values.service.externalPort2}}
-#xpack.graph.enabled: false
-#Set to false to disable X-Pack graph features.
-#xpack.ml.enabled: false
-#Set to false to disable X-Pack machine learning features.
-#xpack.monitoring.enabled: false
-#Set to false to disable X-Pack monitoring features.
+######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
+# WARNING: revise all the lines below before you go into production
+opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
+opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}}
+opendistro_security.ssl.http.pemcert_filepath: esnode.pem
+opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_unsafe_democertificates: true
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.authcz.admin_dn:
+ - CN=kirk,OU=client,O=client,L=test, C=de
-#xpack.watcher.enabled: false
-#Set to false to disable Watcher.
-
-#xpack.license.self_generated.type: basic
-#xpack.security.enabled: false
-
-## Search Guard
-#
-searchguard.enterprise_modules_enabled: false
-searchguard.ssl.transport.keystore_filepath: sg/node-0-keystore.jks
-searchguard.ssl.transport.truststore_filepath: sg/truststore.jks
-searchguard.ssl.transport.enforce_hostname_verification: false
-
-searchguard.authcz.admin_dn:
- - "CN=kirk,OU=client,O=client,l=tEst,C=De"
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+node.max_local_storage_nodes: 3
+######## End OpenDistro for Elasticsearch Security Demo Configuration ########
\ No newline at end of file
diff --git a/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml
index 8060a35..58ff107 100644
--- a/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml
+++ b/kubernetes/clamp/charts/clamp-dash-es/templates/deployment.yaml
@@ -73,12 +73,14 @@
port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
+ timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
{{ end -}}
readinessProbe:
tcpSocket:
port: {{ .Values.service.internalPort2 }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
+ timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
env:
volumeMounts:
- mountPath: /etc/localtime
diff --git a/kubernetes/clamp/charts/clamp-dash-es/values.yaml b/kubernetes/clamp/charts/clamp-dash-es/values.yaml
index 2d67048..ae7abd5 100644
--- a/kubernetes/clamp/charts/clamp-dash-es/values.yaml
+++ b/kubernetes/clamp/charts/clamp-dash-es/values.yaml
@@ -1,4 +1,4 @@
-# Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2020 Amdocs, Bell Canada
# Modifications Copyright © 2018 AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -32,7 +32,7 @@
# application image
repository: nexus3.onap.org:10001
-image: onap/clamp-dashboard-elasticsearch:4.1.1
+image: onap/clamp-dashboard-elasticsearch:5.0.2
pullPolicy: Always
# flag to enable debugging - application support required
@@ -51,15 +51,17 @@
# probe configuration parameters
liveness:
- initialDelaySeconds: 10
- periodSeconds: 10
+ initialDelaySeconds: 180
+ periodSeconds: 30
+ timeoutSeconds: 5
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
readiness:
- initialDelaySeconds: 10
- periodSeconds: 10
+ initialDelaySeconds: 180
+ periodSeconds: 30
+ timeoutSeconds: 5
## Persist data to a persitent volume
persistence:
@@ -83,6 +85,10 @@
mountSubPath: clamp/dashboard-elasticsearch/data
mountSubPathLogs: clamp
+security:
+ ssl:
+ enabled: true
+
service:
type: ClusterIP
name: cdash-es
diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem
deleted file mode 100644
index ce630d4..0000000
--- a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem
+++ /dev/null
@@ -1,30 +0,0 @@
-Bag Attributes
- friendlyName: clamp@clamp.onap.org
- localKeyID: 54 69 6D 65 20 31 35 35 33 37 38 37 35 31 38 33 30 33
-subject=/CN=clamp/emailAddress=/OU=clamp@clamp.onap.org/OU=OSAAF/O=ONAP/C=US
-issuer=/C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_9
------BEGIN CERTIFICATE-----
-MIIEKDCCAxCgAwIBAgIIWY+5kgf/UG4wDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
-BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp
-bnRlcm1lZGlhdGVDQV85MB4XDTE5MDMyMTE2MTY1OFoXDTIwMDMyMTE2MTY1OFow
-bDEOMAwGA1UEAwwFY2xhbXAxDzANBgkqhkiG9w0BCQEWADEdMBsGA1UECwwUY2xh
-bXBAY2xhbXAub25hcC5vcmcxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ
-MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALic
-uDccBjOAlOsL1Z1nKnDPRTNxBwIVfARRQDxK3C0zDHQ5qEmIQlF0Vjp+bJ2rgzMW
-BnodC38zt1jSXymEsekZNV2sUyBbzJl6vxvA1xJKI9VHLyPSzyUEd1H4qh8b7IDX
-3GDqUJgNfvzJ94DaNnnYWFVZq/IYdLjCFaXDxPUQZtlmpdkIWBzvMeNRe4bWajau
-immkmSi5/2BYQfZXHXpiKiyBnN+1FbU3consmjNwS1L+PjD+k3JLsc5ANZYZMOTp
-Szhu3xmDiB3UV4gPQWacQQZEo/5exywY3Ax3TowGwIA660eSkW1L5RPdyvzEgp7A
-vu4+rbhfeR5bXjy2iAUCAwEAAaOB8jCB7zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQE
-AwIF4DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0w
-S4AUgfeZWxC5yIze81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0w
-CwYDVQQKDARPTkFQMQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQU+GZ6wmWDPrmq
-Wd1/NtMYiCQ8Dg4wOwYDVR0RBDQwMoIFY2xhbXCCHWNsYW1wLmFwaS5zaW1wbGVk
-ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQCFZdhB
-U6xm6l0vj4q89onLx4opTPvwGNRc0n402lifkPYXseFtphZSHIf2Sg0mFTH4KHb4
-FdMyBzq1+f5WLU+xRC1nT4eGJ0FvRR6204/fGVrzJTS67phnRnxr2WZzLPW0wPJe
-K8SzN6tkUgE7/a/s0T/htE/blDxWh75+tA2jQlgj1Ri0y9A1J8wx++REKjGlHjFN
-53aiipsB+wC/oEMzYL4qEPiYPI0Lr3Lsay1F7f6cvDT4+EYzBLMFuwCvpcnHgSMS
-4fFj2ROmUG2+CC23B88Q0WNxjLPq/CrmHZZBsqwruPJ0cSuCQxfshTQ6uZhcjtu8
-6TRYkIcL0x9r/AHP
------END CERTIFICATE-----
diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem
deleted file mode 100644
index fcf68bf..0000000
--- a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem
+++ /dev/null
@@ -1,32 +0,0 @@
-Bag Attributes
- friendlyName: clamp@clamp.onap.org
- localKeyID: 54 69 6D 65 20 31 35 35 33 37 38 37 35 31 38 33 30 33
-Key Attributes: <No Attributes>
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4nLg3HAYzgJTr
-C9WdZypwz0UzcQcCFXwEUUA8StwtMwx0OahJiEJRdFY6fmydq4MzFgZ6HQt/M7dY
-0l8phLHpGTVdrFMgW8yZer8bwNcSSiPVRy8j0s8lBHdR+KofG+yA19xg6lCYDX78
-yfeA2jZ52FhVWavyGHS4whWlw8T1EGbZZqXZCFgc7zHjUXuG1mo2ropppJkouf9g
-WEH2Vx16YiosgZzftRW1N3KJ7JozcEtS/j4w/pNyS7HOQDWWGTDk6Us4bt8Zg4gd
-1FeID0FmnEEGRKP+XscsGNwMd06MBsCAOutHkpFtS+UT3cr8xIKewL7uPq24X3ke
-W148togFAgMBAAECggEATncV+R5pKFS7dteV2IvzxvTh1cZxkxoslu0t3zJ2OKPc
-5D1pYK+QeGx5Be2cHru6TOlMoXRc4ZjKke8AUXY74/Y573GB91vtL0KznYkuIHDw
-oALcb153eqVWTbniHMzSjcSxv2N4E9iQo8L39oVI6CrjCIvPgFuSqMCdUNJPkVTI
-4nsarTfLK4fzi7IbWzi9JdE1QRNIxcCMcYJRnLZMdneMLBleR0UL82Xc2KOy5SEt
-zyKYCQ8zS247FKolnOrDkhKxXI5fzdDpRK5AQSsAykUPWlYq7pzKjY/dU9rMRohx
-YSltFjPZ3sQ3UKqqIqhZS+GoVuZoc925WyhViPsqtQKBgQDsL4LFfPWN8nnsusQp
-VR3T7HvvwXuEVAydlaJMwZU0cRYN+L7RHHjDoXZZrNJDIDzNoWnBLKRGx3mtLmgJ
-9Pa6SxN6Oc8oo6jzv2D59g1PVjNOMOYTCTb/2Xum4LMLaeeF57HkWxzeA3Ws47++
-gXwzQpbE90tp1Ys4uXD3JoivvwKBgQDIGZTwLGhLSegdAjG83WEgmdtzT1kjvx0Q
-A8IR2jkgkTJHdKiuslJ8Z3/XufHEwWMWwfs1XLwxYluoo1y9eNvNeHZXjLqjL62c
-I3034F9IvvTUqFcxam2WdoklXbAiSvLUo/9exPgOuVxok6Zv1imRgGb/vYV9vyG7
-86MRuQu5OwKBgQC9E3fcA6JMpY3H3uhEsngzfMDm+fyYvfRvfyezzNFWbyWZv8V6
-gBGJg0vMlFarGDa044BW/hbw9qXI5zqwpeOS1aFdGsRlo0cRAuduk/Spy7c85FZ7
-bMgT4BZmTMHo5DpNb2NxDSO59AkThCuvJde47ZjnS5WavzI6EfKGWNnZ3wKBgQCF
-QiwjCp/mS/DtqLFxAsmVSYGROG231aXILYiIFRloa+ndFn7j4NP4D4FfLHErRFL2
-K/ddIUYfaU57b1fqwts26ht90LXWyYDH9AaHOMCcFLe+C+INgcA7rPNG1C7hl6JC
-JHmEJo7AV4eICZSU9D44rRdrB08oYCpaHjYiLmb1UwKBgQCWCDJ4p2DrNL9hzj3K
-kzvM5saXrfI4aVBXVt9rw9s1d/WG8JOpnmHcnLPb6Tj59rDktrLCLv0sVstMwNVJ
-sOO+qsgn1VoZalcVhhjdONm5YvhJQgz0F7Y2xkr6g/AuMPz2YigGfm7fe/z7rc+L
-q9Ua2HmUS8DDBy7W89MNZJNkDQ==
------END PRIVATE KEY-----
diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml b/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml
index 55df82b..db81e3d 100644
--- a/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml
+++ b/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml
@@ -1,4 +1,4 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
+# Copyright © 2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -10,126 +10,26 @@
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
-# limitations under the License.
-#xpack.graph.enabled: false
-#Set to false to disable X-Pack graph features.
-#xpack.ml.enabled: false
-#Set to false to disable X-Pack machine learning features.
-#xpack.monitoring.enabled: false
-#Set to false to disable X-Pack monitoring features.
-#xpack.reporting.enabled: false
-#Set to false to disable X-Pack reporting features.
-#xpack.security.enabled: false
-#Set to false to disable X-Pack security features.
-#xpack.watcher.enabled: false
-#Set to false to disable Watcher.
+# limitations under the License.# Default Kibana configuration from kibana-docker.
+
+server.name: "Clamp CL Dashboard"
+server.host: "0"
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: {{.Values.service.externalPort}}
-# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
-# The default is 'localhost', which usually means remote machines will not be able to connect.
-# To allow connections from remote users, set this parameter to a non-loopback address.
-server.host: "0.0.0.0"
-
-# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
-# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
-# to Kibana. This setting cannot end in a slash.
-#server.basePath: ""
-
-# The maximum payload size in bytes for incoming server requests.
-#server.maxPayloadBytes: 1048576
-
-# The Kibana server's name. This is used for display purposes.
-server.name: "Clamp Dashboard"
-
-# The URL of the Elasticsearch instance to use for all your queries.
-elasticsearch.url: "http://{{.Values.config.elasticsearchServiceName}}.{{ include "common.namespace" . }}:{{.Values.config.elasticsearchPort}}"
-# When this setting's value is true Kibana uses the hostname specified in the server.host
-# setting. When the value of this setting is false, Kibana uses the hostname of the host
-# that connects to this Kibana instance.
-#elasticsearch.preserveHost: true
-
-# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
-# dashboards. Kibana creates a new index if the index doesn't already exist.
-#kibana.index: ".kibana"
-
-# The default application to load.
-#kibana.defaultAppId: "discover"
-
-# If your Elasticsearch is protected with basic authentication, these settings provide
-# the username and password that the Kibana server uses to perform maintenance on the Kibana
-# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
-# is proxied through the Kibana server.
-#elasticsearch.username: "elastic"
-#elasticsearch.password: "changeme"
-# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
-# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: {{.Values.config.sslEnabled}}
server.ssl.certificate: {{.Values.config.sslPemCertFilePath}}
server.ssl.key: {{.Values.config.sslPemkeyFilePath}}
-# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files validate that your Elasticsearch backend uses the same key files.
-#elasticsearch.ssl.certificate: $elasticsearch_ssl_certificate
-#elasticsearch.ssl.key: $elasticsearch_ssl_key
+# The URL of the Elasticsearch instance to use for all your queries.
+elasticsearch.hosts: ${elasticsearch_base_url}
-# Optional setting that enables you to specify a path to the PEM file for the certificate
-# authority for your Elasticsearch instance.
-#elasticsearch.ssl.certificateAuthorities: $elasticsearch_ssl_certificateAuthorities
-
-# To disregard the validity of SSL certificates, change this setting's value to 'none'.
-#elasticsearch.ssl.verificationMode: $elasticsearch_ssl_verificationMode
-
-# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
-# the elasticsearch.requestTimeout setting.
-#elasticsearch.pingTimeout: 1500
-
-# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
-# must be a positive integer.
-#elasticsearch.requestTimeout: 30000
-
-# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
-# headers, set this value to [] (an empty list).
-#elasticsearch.requestHeadersWhitelist: [ authorization ]
-
-# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
-# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
-#elasticsearch.customHeaders: {}
-
-# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
-#elasticsearch.shardTimeout: 0
-
-# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
-#elasticsearch.startupTimeout: 5000
-
-# Specifies the path where Kibana creates the process ID file.
-#pid.file: /var/run/kibana.pid
-
-# Enables you specify a file where Kibana stores log output.
-#logging.dest: stdout
-
-# Set the value of this setting to true to suppress all logging output.
-#logging.silent: false
-
-# Set the value of this setting to true to suppress all logging output other than error messages.
-#logging.quiet: false
-
-# Set the value of this setting to true to log all events, including system usage information
-# and all requests.
-#logging.verbose: false
-
-# Set the interval in milliseconds to sample system and process performance
-# metrics. Minimum is 100ms. Defaults to 5000.
-#ops.interval: 5000
-
-# The default locale. This locale can be used in certain circumstances to substitute any missing
-# translations.
-#i18n.defaultLocale: "en"
-
-## Search Guard
-#
-#xpack.security.enabled: false
+elasticsearch.ssl.verificationMode: none
elasticsearch.username: {{.Values.config.elasticUSR}}
elasticsearch.password: {{.Values.config.elasticPWD}}
-searchguard.cookie.password: 123567818187654rwrwfsfshdhdhtegdhfzftdhncn
+elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+
+opendistro_security.multitenancy.enabled: true
+opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
+opendistro_security.readonly_mode.roles: ["kibana_read_only"]
\ No newline at end of file
diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml
index 2b0adac..26547b2 100644
--- a/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml
+++ b/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml
@@ -68,6 +68,8 @@
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
env:
+ - name: elasticsearch_base_url
+ value: "{{ternary "https" "http" .Values.security.ssl.enabled}}://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.config.elasticsearchPort}}"
volumeMounts:
- mountPath: /etc/localtime
name: localtime
@@ -75,8 +77,6 @@
- mountPath: /usr/share/kibana/config/kibana.yml
name: {{ include "common.fullname" . }}
subPath: kibana.yml
- - name: {{ include "common.fullname" . }}-aaf-pem-certs
- mountPath: /usr/share/kibana/config/keystore/
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
@@ -97,8 +97,5 @@
items:
- key: kibana.yml
path: kibana.yml
- - name: {{ include "common.fullname" . }}-aaf-pem-certs
- secret:
- secretName: {{ include "common.fullname" . }}-aaf-pem-keys
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml
index 8858716..be0c40e 100644
--- a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml
+++ b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml
@@ -34,13 +34,14 @@
# application image
repository: nexus3.onap.org:10001
-image: onap/clamp-dashboard-kibana:4.1.3
+image: onap/clamp-dashboard-kibana:5.0.2
pullPolicy: Always
# flag to enable debugging - application support required
debugEnabled: false
# application configuration
+#the 'sslEnabled flag' here below is for the kibana UI connection (web browser connection to kibana)
config:
elasticsearchServiceName: cdash-es
elasticsearchPort: 9200
@@ -60,14 +61,19 @@
# probe configuration parameters
liveness:
initialDelaySeconds: 360
- periodSeconds: 10
+ periodSeconds: 30
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
readiness:
- initialDelaySeconds: 10
- periodSeconds: 10
+ initialDelaySeconds: 360
+ periodSeconds: 30
+
+#internal ssl security scheme for elasticsearch connection mainly
+security:
+ ssl:
+ enabled: true
service:
#Example service definition with external, internal and node ports.
diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/certs/aafca.pem b/kubernetes/clamp/charts/clamp-dash-logstash/resources/certs/aafca.pem
deleted file mode 100644
index cf12ec4..0000000
--- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/certs/aafca.pem
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEVDCCAjygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB
-RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwNjA1MDg1MTQxWhcN
-MjMwNjA1MDg1MTQxWjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG
-A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOXCdZIoWM0EnEEw3qPiVMhAgNolWCTaLt
-eI2TjlTQdGDIcXdBZukHdNeOKYzOXRsLt6bLRtd5yARpn53EbzS/dgAyHuaz1HjE
-5IPWSFRg9SulfHUmcS+GBt1+KiMJTlOsw6wSA73H/PjjXBbWs/uRJTnaNmV3so7W
-DhNW6fHOrbom4p+3FucbB/QAM9b/3l/1LKnRgdXx9tekDnaKN5u3HVBmyOlRhaRp
-tscLUCT3jijoGAPRcYZybgrpa0z3iCWquibTO/eLwuO/Dn7yHWau9ZZAHGPBSn9f
-TiLKRYV55mNjr3zvs8diTPECFPW8w8sRIH3za1aKHgUC1gd87Yr3AgMBAAGjZjBk
-MB0GA1UdDgQWBBQa1FdycErTZ6nr4dxiMbKH0P7vqjAfBgNVHSMEGDAWgBRTVTPy
-S+vQUbHBeJrBKDF77+rtSTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
-AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAlA/RTPy5i09fJ4ytSAmAdytMwEwRaU9F
-dshG7LU9q95ODsuM79yJvV9+ISIJZRsBqf5PDv93bUCKKHIYGvR6kNd+n3yx/fce
-txDkC/tMj1T9D8TuDKAclGEO9K5+1roOQQFxr4SE6XKb/wjn8OMrCoJ75S0F3htF
-LKL85T77JeGeNgSk8JEsZvQvj32m0gv9rxi5jM/Zi5E2vxrBR9T1v3kVvlt6+PSF
-BoHXROk5HQmdHxnH+VYQtDHSwj9Xe9aoJMyL0WjYKd//8NUO+VACDOtK4Nia6gy9
-m/n9kMASMw6f9iF4n6t4902RWrRKTYM1CVu5wyVklVbEdE9i6Db4CpL9E8HpBUAP
-t44JiNzuFkDmSE/z5XuQIimDt6nzOaSF8pX2KHY2ICDLwpMNUvxzqXD9ECbdspiy
-JC2RGq8uARGGl6kQQBKDNO8SrO7rSBPANd1+LgqrKbCrHYfvFgkZPgT5MlQi+E1G
-LNT+i6fzZha9ed/L6yjl5Em71flJGFwRZl2pfErZRxp8pLPcznYyIpSjcwnqNCRC
-orhlp8nheiODC3oO3AFHDiFgUqvm8hgpnT2cPk2lpU2VY1TcZ8sW5qUDCxINIPcW
-u1SAsa87IJK3vEzPZfTCs/S6XThoqRfXj0c0Rahj7YFRi/PqIPY0ejwdtmZ9m9pZ
-8Lb0GYmlo44=
------END CERTIFICATE-----
diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml
index 369b582..cecd5b1 100644
--- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml
+++ b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/logstash.yml
@@ -1,4 +1,4 @@
-# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
+# Copyright © 2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,8 +22,3 @@
## Setting true makes logstash check periodically for change in pipeline configurations
config.reload.automatic: true
-## xpack configurations
-#xpack.monitoring.elasticsearch.url: ["http://10.247.186.12:9200", "http://10.247.186.13:9200"]
-#xpack.monitoring.elasticsearch.username: elastic
-#xpack.monitoring.elasticsearch.password: changeme
-#xpack.monitoring.enabled: false
diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf
index 05d8085..4b05910 100644
--- a/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf
+++ b/kubernetes/clamp/charts/clamp-dash-logstash/resources/config/pipeline.conf
@@ -218,6 +218,8 @@
if "error" in [tags] {
elasticsearch {
codec => "json"
+ cacert => "/clamp-cert/ca-certs.pem"
+ ssl_certificate_verification => false
hosts => ["${elasticsearch_base_url}"]
user => ["${logstash_user}"]
password => ["${logstash_pwd}"]
@@ -229,6 +231,8 @@
elasticsearch {
codec => "json"
hosts => ["${elasticsearch_base_url}"]
+ cacert => "/clamp-cert/ca-certs.pem"
+ ssl_certificate_verification => false
user => ["${logstash_user}"]
password => ["${logstash_pwd}"]
document_id => "%{requestID}"
@@ -241,6 +245,8 @@
elasticsearch {
codec => "json"
hosts => ["${elasticsearch_base_url}"]
+ cacert => "/clamp-cert/ca-certs.pem"
+ ssl_certificate_verification => false
user => ["${logstash_user}"]
password => ["${logstash_pwd}"]
index => "events-%{+YYYY.MM.DD}" # creates daily indexes
diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml b/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml
index 01ee76b..4278a6e 100644
--- a/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml
+++ b/kubernetes/clamp/charts/clamp-dash-logstash/templates/configmap.yaml
@@ -25,13 +25,3 @@
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-aaf-keys
- namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml
index 697ebb6..7c5c047 100644
--- a/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml
+++ b/kubernetes/clamp/charts/clamp-dash-logstash/templates/deployment.yaml
@@ -62,13 +62,13 @@
- name: request_topic
value: "{{ .Values.config.requestTopic }}"
- name: dmaap_base_url
- value: {{ .Values.config.dmaapScheme }}://{{ .Values.config.dmaapHost }}.{{ include "common.namespace" . }}:{{ .Values.config.dmaapPort }}
+ value: {{ ternary "https" "http" .Values.security.ssl.enabled }}://{{ .Values.config.dmaapHost }}.{{ include "common.namespace" . }}:{{ .Values.config.dmaapPort }}
- name: logstash_user
value: "{{ .Values.config.logstash_user }}"
- name: logstash_pwd
value: "{{ .Values.config.logstash_pwd }}"
- name: elasticsearch_base_url
- value: "http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.config.elasticsearchPort}}"
+ value: "{{ ternary "https" "http" .Values.security.ssl.enabled }}://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.config.elasticsearchPort}}"
ports:
- containerPort: {{ .Values.service.internalPort }}
name: {{ include "common.servicename" . }}
@@ -77,6 +77,7 @@
port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
+ timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
@@ -85,6 +86,7 @@
port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
+ timeoutSeconds: {{ .Values.liveness.timeoutSeconds }}
{{ end -}}
volumeMounts:
- mountPath: /etc/localtime
@@ -96,8 +98,6 @@
- mountPath: /usr/share/logstash/pipeline/logstash.conf
name: {{ include "common.fullname" . }}
subPath: pipeline.conf
- - name: {{ include "common.fullname" . }}-aaf-certs
- mountPath: /certs.d/
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
@@ -120,9 +120,5 @@
path: logstash.yml
- key: pipeline.conf
path: pipeline.conf
- - name: {{ include "common.fullname" . }}-aaf-certs
- secret:
- secretName: {{ include "common.fullname" . }}-aaf-keys
-
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml b/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml
index 20bf974..9a0321a 100644
--- a/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml
+++ b/kubernetes/clamp/charts/clamp-dash-logstash/values.yaml
@@ -30,7 +30,7 @@
# application image
repository: nexus3.onap.org:10001
-image: onap/clamp-dashboard-logstash:4.1.3
+image: onap/clamp-dashboard-logstash:5.0.2
pullPolicy: Always
# flag to enable debugging - application support required
@@ -41,7 +41,8 @@
elasticsearchServiceName: cdash-es
elasticsearchPort: 9200
dmaapHost: message-router
- dmaapScheme: https
+ dmaapSchemeSSL: https
+ dmaapSchemeNoSSL: http
dmaapPort: 3905
dmaapConsumerGroup: "clampdashboard"
dmaapConsumerId: "clampdashboard"
@@ -60,15 +61,21 @@
# probe configuration parameters
liveness:
- initialDelaySeconds: 120
- periodSeconds: 10
+ initialDelaySeconds: 900
+ periodSeconds: 20
+ timeoutSeconds: 5
# necessary to disable liveness probe when setting breakpoints
# in debugger so K8s doesn't restart unresponsive container
enabled: true
readiness:
- initialDelaySeconds: 10
- periodSeconds: 10
+ initialDelaySeconds: 900
+ periodSeconds: 20
+ timeoutSeconds: 5
+
+security:
+ ssl:
+ enabled: true
service:
#Example service definition with external, internal and node ports.