Merge "[POLICY] Fix https connection in policy-ppnt"
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
index 23a0687..8a923b2 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
@@ -2,12 +2,13 @@
aaf@aaf.osaaf.org|aaf-hello|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf-hello', 'aaf-hello.api.simpledemo.onap.org', 'aaf-hello.onap', 'aaf.osaaf.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
aaf@aaf.osaaf.org|aaf|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf', 'aaf.api.simpledemo.onap.org', 'aaf.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'}
aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'file'}
-aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
-aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
-aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
-aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'}
-aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
+aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
+aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
+aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-babel.onap', 'aai-babel', 'aai-graphadmin', 'aai-graphadmin.onap', 'aai-modelloader.onap', 'aai-modelloader', 'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
aai-resources@aai-resources.onap.org|aai-resources|local|/opt/app/osaaf/local||mailto:|org.onap.aai-resources|root|30|{'aai-resources', 'aai-resources.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai-schema-service@aai-schema-service.onap.org|aai-schema-service|local|/opt/app/osaaf/local||mailto:|org.onap.aai-schema-service|root|30|{'aai-schema-service', 'aai-schema-service.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
aai-traversal@aai-traversal.onap.org|aai-traversal|local|/opt/app/osaaf/local||mailto:|org.onap.aai-traversal|root|30|{'aai-traversal', 'aai-traversal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'}
appc-cdt@appc-cdt.onap.org|appc-cdt|local|/opt/app/osaaf/local||mailto:|org.onap.appc-cdt|root|30|{'appc-cdt', 'appc-cdt.api.simpledemo.onap.org', 'appc-cdt.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'}
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat
index 7112b0b..1279c36 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat
@@ -6,6 +6,7 @@
clamp@clamp.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.clamp|53344||
aai@aai.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai|53344||
aai-resources@aai-resources.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-resources|53344||
+aai-schema-service@aai-schema-service.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-schema-service|53344||
aai-traversal@aai-traversal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-traversal|53344||
appc@appc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc|53344||
appc-cdt@appc-cdt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc-cdt|53344||
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat
index 6763069..7d20d55 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat
@@ -2,6 +2,7 @@
org.onap.aaf-sms||org.onap||3
org.onap.aai||org.onap||3
org.onap.aai-resources||org.onap||3
+org.onap.aai-schema-service||org.onap||3
org.onap.aai-traversal||org.onap||3
org.onap.appc||org.onap||3
org.onap.appc-cdt||org.onap||3
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
index 48ec26e..89c726f 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat
@@ -20,6 +20,9 @@
org.onap.aai-resources|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-resources|admin', 'org.onap.aai-resources|service'}"
org.onap.aai-resources|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-resources|owner'}"
org.onap.aai-resources|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}"
+org.onap.aai-schema-service|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-schema-service|admin', 'org.onap.aai-schema-service|service'}"
+org.onap.aai-schema-service|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-schema-service|owner'}"
+org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}"
org.onap.aai-traversal|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-traversal|admin', 'org.onap.aai-traversal|service'}"
org.onap.aai-traversal|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-traversal|owner'}"
org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}"
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat
index 397846c..111b94e 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat
@@ -15,10 +15,13 @@
org.onap.aai|traversal_basic|traversal_basic|"{'org.onap.aai|traversal|*|basic'}"
org.onap.aai-resources|admin|AAF Namespace Administrators|"{'org.onap.aai-resources|access|*|*'}"
org.onap.aai-resources|owner|AAF Namespace Owners|"{'org.onap.aai-resources|access|*|read'}"
-org.onap.aai-resources|service||"{'org.onapaai-resources|access|*|*'}"
+org.onap.aai-resources|service||"{'org.onap.aai-resources|access|*|*'}"
+org.onap.aai-schema-service|admin|AAF Namespace Administrators|"{'org.onap.aai-schema-service|access|*|*'}"
+org.onap.aai-schema-service|owner|AAF Namespace Owners|"{'org.onap.aai-schema-service|access|*|read'}"
+org.onap.aai-schema-service|service||"{'org.onap.aai-schema-service|access|*|*'}"
org.onap.aai-traversal|admin|AAF Namespace Administrators|"{'org.onap.aai-traversal|access|*|*'}"
org.onap.aai-traversal|owner|AAF Namespace Owners|"{'org.onap.aai-traversal|access|*|read'}"
-org.onap.aai-traversal|service||"{'org.onapaai-traversal|access|*|*'}"
+org.onap.aai-traversal|service||"{'org.onap.aai-traversal|access|*|*'}"
org.onap|admin|Onap Admins|"{'org.onap.access|*|*'}"
org.onap.appc|admin|AAF Namespace Administrators|"{'org.onap.appc|access|*|*'}"
org.onap.appc|apidoc||"{'org.onap.appc|apidoc|/apidoc/.*|ALL'}"
@@ -339,7 +342,7 @@
org.openecomp.dmaapBC|owner|AAF Owners|"{'org.openecomp.dmaapBC.access|*|read'}"
org.openecomp|owner|OpenEcomp Owners|"{'org.openecomp.access|*|read'}"
org.osaaf.aaf|admin|AAF Admins|"{'org.osaaf.aaf.access|*|*', 'org.osaaf.aaf|cache|all|clear', 'org.osaaf.aaf|cache|role|clear', 'org.osaaf.aaf|password|*|create,reset'}"
-org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.a1p|certman|local|request,ignoreIPs,showpass', 'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-resources|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.cli|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.onap.uui|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}"
+org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.a1p|certman|local|request,ignoreIPs,showpass', 'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-resources|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.cli|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.onap.uui|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}"
org.osaaf.aaf|owner|AAF Owners|"{'org.osaaf.aaf.access|*|read,approve'}"
org.osaaf.aaf|service||"{'org.osaaf.aaf|cache|*|clear'}"
org.osaaf|admin|OSAAF Admins|"{'org.osaaf.access|*|*'}"
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat
index 0dabc4d..bc9f0ec 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat
@@ -6,6 +6,8 @@
mmanager@people.osaaf.org|org.onap.aai.owner|2020-11-26 12:31:54.000+0000|org.onap.aai|owner
mmanager@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin
mmanager@people.osaaf.org|org.onap.aai-resources.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|owner
+mmanager@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin
+mmanager@people.osaaf.org|org.onap.aai-schema-service.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|owner
mmanager@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin
mmanager@people.osaaf.org|org.onap.aai-traversal.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|owner
mmanager@people.osaaf.org|org.onap.admin|2020-11-26 12:31:54.000+0000|org.onap|admin
@@ -202,6 +204,7 @@
aaf_admin@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin
aaf_admin@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin
aaf_admin@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin
+aaf_admin@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin
aaf_admin@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin
aaf_admin@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin
aaf_admin@people.osaaf.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc
@@ -272,6 +275,7 @@
aai@aai.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all
aai@aai.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced
aai-resources@aai-resources.onap.org|org.onap.aai-resources.service|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|service
+aai-schema-service@aai-schema-service.onap.org|org.onap.aai-schema-service.service|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|service
aai-traversal@aai-traversal.onap.org|org.onap.aai-traversal.service|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|service
appc@appc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all
appc@appc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced
diff --git a/kubernetes/aaf/resources/data/identities.dat b/kubernetes/aaf/resources/data/identities.dat
index 972b2ed..4813cc1 100644
--- a/kubernetes/aaf/resources/data/identities.dat
+++ b/kubernetes/aaf/resources/data/identities.dat
@@ -54,6 +54,7 @@
clamp|ONAP CLAMP Application|CLAMP|Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
aai|ONAP AAI Application|AAI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
aai-resources|ONAP AAI Resources Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
+aai-schema-service|ONAP AAI Schema Service Application|AAI Schema Service|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
aai-traversal|ONAP AAI Traversal Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
appc|ONAP APPC Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
appc-cdt|ONAP APPC CDT Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager
diff --git a/kubernetes/aai/components/aai-babel/requirements.yaml b/kubernetes/aai/components/aai-babel/requirements.yaml
index a725a4e..7a434fc 100644
--- a/kubernetes/aai/components/aai-babel/requirements.yaml
+++ b/kubernetes/aai/components/aai-babel/requirements.yaml
@@ -21,6 +21,9 @@
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties
index 21ed6cd..6a3a74c 100644
--- a/kubernetes/aai/components/aai-babel/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties
@@ -1,14 +1,33 @@
+{{/*
+# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
server.port=9516
{{ if ( include "common.needTLS" .) }}
-server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
server.ssl.client-auth=need
+server.ssl.key-store-type=PKCS12
{{ else }}
security.require-ssl=false
server.ssl.enabled=false
{{ end }}
+spring.main.allow-bean-definition-overriding=true
server.servlet.context-path=/services/babel-service
-
logging.config=${CONFIG_HOME}/logback.xml
-
tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json
diff --git a/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore b/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore
deleted file mode 100644
index e1d24d9..0000000
--- a/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/components/aai-babel/resources/config/logback.xml b/kubernetes/aai/components/aai-babel/resources/config/logback.xml
index c29da77..125731c 100644
--- a/kubernetes/aai/components/aai-babel/resources/config/logback.xml
+++ b/kubernetes/aai/components/aai-babel/resources/config/logback.xml
@@ -1,6 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,25 +28,20 @@
<property name="auditLogName" value="audit" />
<property name="debugLogName" value="debug" />
- <property name="errorLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%.-5level|%logger|%mdc{ClassName}|%msg%n" />
+ <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%.-5level|%logger|%mdc{ClassName}|%msg%n" />
- <property name="auditLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
+ <property name="auditLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
- <property name="metricsLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
+ <property name="metricsLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
<!-- ============================================================================ -->
<!-- EELF Appenders -->
<!-- ============================================================================ -->
- <appender name="EELF"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${generalLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -65,12 +61,10 @@
are specializations of the EELF application root logger and appender. This can be used to segregate Policy engine events
from other components, or it can be eliminated to record these events as part of the application root log. -->
- <appender name="EELFAudit"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${auditLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -82,12 +76,10 @@
<appender-ref ref="EELFAudit" />
</appender>
- <appender name="EELFMetrics"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${metricsLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -100,14 +92,10 @@
<appender-ref ref="EELFMetrics" />
</appender>
- <appender name="EELFDebug"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
- <file>
- ${logDirectory}/${debugLogName}.log
- </file>
+ <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${logDirectory}/${debugLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
- <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip
- </fileNamePattern>
+ <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
<maxHistory>60</maxHistory>
</rollingPolicy>
<encoder>
@@ -119,9 +107,7 @@
<!-- allow only events with a level below INFO, that is TRACE and DEBUG -->
<filter class="ch.qos.logback.core.filter.EvaluatorFilter">
<evaluator class="ch.qos.logback.classic.boolex.GEventEvaluator">
- <expression>
- e.level.toInt() < INFO.toInt()
- </expression>
+ <expression>e.level.toInt() < INFO.toInt()</expression>
</evaluator>
<OnMismatch>DENY</OnMismatch>
<OnMatch>NEUTRAL</OnMatch>
@@ -131,6 +117,15 @@
<includeCallerData>false</includeCallerData>
</appender>
+ <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+ <encoder>
+ <pattern>${errorLogPattern}</pattern>
+ </encoder>
+ </appender>
+ <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="STDOUT" />
+ </appender>
+
<!-- ============================================================================ -->
<!-- Default / root appenders -->
<!-- This determines the logging level for 3rd party code -->
@@ -138,29 +133,34 @@
<root level="INFO">
<appender-ref ref="asyncEELF" />
- <appender-ref ref="asyncEELFDebug" />
-</root>
+ <appender-ref ref="asyncEELFDebug" />
+ <appender-ref ref="AsyncSysOut" />
+ </root>
<!-- ============================================================================ -->
<!-- EELF loggers -->
<!-- ============================================================================ -->
<logger name="com.att.eelf" level="INFO" additivity="false">
- <appender-ref ref="asyncEELF" />
-</logger>
+ <appender-ref ref="asyncEELF" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<!-- The level of this logger determines the contents of the debug log -->
<logger name="com.att.eelf.debug" level="INFO" additivity="false">
- <appender-ref ref="asyncEELFDebug" />
-</logger>
+ <appender-ref ref="asyncEELFDebug" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<logger name="com.att.eelf.audit" level="INFO" additivity="false">
- <appender-ref ref="asyncEELFAudit" />
-</logger>
+ <appender-ref ref="asyncEELFAudit" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<logger name="com.att.eelf.metrics" level="INFO" additivity="false">
- <appender-ref ref="asyncEELFMetrics" />
-</logger>
+ <appender-ref ref="asyncEELFMetrics" />
+ <appender-ref ref="AsyncSysOut" />
+ </logger>
<!-- ============================================================================ -->
<!-- Non-EELF loggers -->
diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
index e12a234..bd6b8c7 100644
--- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
@@ -37,10 +37,22 @@
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{- if .Values.global.aafEnabled }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+ echo "*** actual launch of AAI Babel"
+ /bin/bash /opt/app/babel/bin/start.sh
+ {{- end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
@@ -60,35 +72,28 @@
env:
- name: CONFIG_HOME
value: /opt/app/babel/config
- - name: KEY_STORE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-pass
- key: KEY_STORE_PASSWORD
- - name: KEY_MANAGER_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ template "common.fullname" . }}-pass
- key: KEY_MANAGER_PASSWORD
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
+ - mountPath: /opt/app/babel/config/application.properties
+ name: config
+ subPath: application.properties
- mountPath: /opt/app/babel/config/artifact-generator.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: artifact-generator.properties
- mountPath: /opt/app/babel/config/tosca-mappings.json
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: tosca-mappings.json
- mountPath: /opt/app/babel/config/babel-auth.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: babel-auth.properties
- mountPath: /opt/app/babel/config/auth
- name: {{ include "common.fullname" . }}-secrets
+ name: secrets
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/babel/config/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
resources:
{{ include "common.resources" . }}
@@ -104,23 +109,14 @@
# side car containers
{{ include "common.log.sidecar" . | nindent 8 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
name: {{ include "common.fullname" . }}-configmap
- items:
- - key: artifact-generator.properties
- path: artifact-generator.properties
- - key: tosca-mappings.json
- path: tosca-mappings.json
- - key: babel-auth.properties
- path: babel-auth.properties
- - key: logback.xml
- path: logback.xml
- - name: {{ include "common.fullname" . }}-secrets
+ - name: secrets
secret:
secretName: {{ include "common.fullname" . }}-babel-secrets
- name: logs
diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
index b81ffa0..9d7d2c5 100644
--- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
@@ -29,18 +29,3 @@
type: Opaque
data:
{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-pass
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-type: Opaque
-data:
- KEY_STORE_PASSWORD: {{ .Values.config.keyStorePassword | b64enc | quote }}
- KEY_MANAGER_PASSWORD: {{ .Values.config.keyManagerPassword | b64enc | quote }}
diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml
index 0c34dea..3b68f4d 100644
--- a/kubernetes/aai/components/aai-babel/values.yaml
+++ b/kubernetes/aai/components/aai-babel/values.yaml
@@ -20,6 +20,41 @@
global: {}
#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-babel-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai
+ fqi: aai@aai.onap.org
+ public_fqdn: aai.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ fqi_namespace: org.onap.aai
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 1000 {{ .Values.credsPath }}
+
+#################################################################
# Application configuration defaults.
#################################################################
@@ -29,11 +64,6 @@
flavor: small
flavorOverride: small
-# application configuration
-config:
- keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
- keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-
# default number of instances
replicaCount: 1
diff --git a/kubernetes/aai/components/aai-graphadmin/requirements.yaml b/kubernetes/aai/components/aai-graphadmin/requirements.yaml
index d80dc5a..5a41aef 100644
--- a/kubernetes/aai/components/aai-graphadmin/requirements.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/requirements.yaml
@@ -21,6 +21,9 @@
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
index 512e906..f768338 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -41,10 +42,10 @@
{{ end }}
{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.global.config.truststore.filename }}
-aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
-aai.keystore.filename={{ .Values.global.config.keystore.filename }}
-aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
+aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
{{ end }}
aai.notification.current.version={{ .Values.global.config.schema.version.api.default }}
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
index 367e903..2760602 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright � 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -44,16 +45,16 @@
# If you get an application startup failure that the port is already taken
# If thats not it, please check if the key-store file path makes sense
-server.local.startpath=aai-graphadmin/src/main/resources/
+server.local.startpath=/opt/app/aai-graphadmin/resources/
server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
server.port=8449
{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
server.ssl.client-auth=want
server.ssl.key-store-type=JKS
{{ else }}
@@ -103,10 +104,10 @@
schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }}
{{ if ( include "common.needTLS" .) }}
-schema.service.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-schema.service.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-schema.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-schema.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
{{ end }}
aperture.rdbmsname=aai_relational
@@ -115,9 +116,9 @@
aperture.service.base.url=http://localhost:8457/aai/aperture
{{ if ( include "common.needTLS" .) }}
-aperture.service.ssl.key-store=${server.local.startpath}etc/auth/{{ .Values.global.config.keystore.filename }}
-aperture.service.ssl.trust-store=${server.local.startpath}etc/auth/{{ .Values.global.config.truststore.filename }}
-aperture.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-aperture.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks
+aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD})
+aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD})
{{ end }}
aperture.service.timeout-in-milliseconds=300000
diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml b/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml
index 95b8140..243acd2 100644
--- a/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml
@@ -839,32 +839,41 @@
<!-- logback jms appenders & loggers definition ends here -->
<logger name="org.onap.aai.aaf" level="DEBUG" additivity="false">
<appender-ref ref="asyncAUTH"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.filter.RestClientLoggingInterceptor" level="INFO">
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.logging.filter.base.AbstractMetricLogFilter" level="INFO">
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.logs.AaiScheduledTaskAuditLog" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.logs.AaiDBMetricLog" level="INFO">
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.logging.ErrorLogHelper" level="WARN">
<appender-ref ref="asyncERROR"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.interceptors.post" level="DEBUG" additivity="false">
<appender-ref ref="asynctranslog"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.dmaap" level="DEBUG" additivity="false">
<appender-ref ref="dmaapAAIEventConsumer"/>
<appender-ref ref="dmaapAAIEventConsumerDebug"/>
<appender-ref ref="dmaapAAIEventConsumerMetric"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.datasnapshot" level="DEBUG" additivity="false">
<appender-ref ref="dataSnapshot"/>
@@ -938,6 +947,7 @@
<appender-ref ref="asyncDEBUG"/>
<appender-ref ref="asyncERROR"/>
<appender-ref ref="asyncMETRIC"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<root level="DEBUG">
<appender-ref ref="external"/>
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
index 91cd748..8eb4a4a 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,7 +23,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-configmap
+ name: {{ include "common.fullname" . }}
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -40,16 +41,33 @@
{{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-properties
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.global.jobs.migration.enabled }}
+ annotations:
+ "helm.sh/hook": pre-upgrade,pre-install
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": before-hook-creation
+ {{- end }}
+data:
{{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }}
-
{{- if .Values.global.jobs.migration.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-migration-configmap
+ name: {{ include "common.fullname" . }}-migration
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
index 6de34e9..6b58eaa 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -53,7 +53,49 @@
hostname: aai-graphadmin
terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }}
{{ if .Values.global.initContainers.enabled }}
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
{{ if .Values.global.jobs.migration.enabled }}
- /app/ready.py
@@ -93,46 +135,40 @@
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
+ value: {{ .Values.securityContext.group_id | quote }}
- name: INTERNAL_PORT_1
value: {{ .Values.service.internalPort | quote }}
- name: INTERNAL_PORT_2
value: {{ .Values.service.internalPort2 | quote }}
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-RES
name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/etc/auth/realm.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: realm.properties
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: {{ .Values.service.internalPort2 }}
@@ -176,24 +212,22 @@
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
+ configMap:
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- name: {{ include "common.namespace" . }}-docker-registry-key
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
index 0cdce11..d1e7284 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,8 +58,50 @@
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- initContainers:
- command:
- /bin/bash
- -c
@@ -79,65 +121,69 @@
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
- bash docker-entrypoint.sh dataSnapshot.sh ;
+ bash docker-entrypoint.sh dataSnapshot.sh
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-real.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-RES/
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- resources:
-{{ include "common.resources" . | indent 10 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
- volumes:
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-migration
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
configMap:
- name: {{ include "common.fullname" . }}-migration-configmap
- - name: {{ include "common.fullname" . }}-snapshots
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
+ - name: migration
+ configMap:
+ name: {{ include "common.fullname" . }}-migration
+ - name: snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
restartPolicy: Never
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
index 1705cf5..4a7de64 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -53,7 +53,49 @@
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
- /app/ready.py
args:
@@ -79,74 +121,64 @@
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
- bash docker-entrypoint.sh createDBSchema.sh ;
+ bash docker-entrypoint.sh createDBSchema.sh
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
- resources:
-{{ include "common.resources" . }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
- volumes:
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
+ configMap:
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: Never
imagePullSecrets:
- name: {{ include "common.namespace" . }}-docker-registry-key
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
index 5752e54..1256e71 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml
@@ -5,7 +5,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,7 +58,49 @@
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
- command:
- /app/ready.py
args:
@@ -80,46 +122,42 @@
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-readiness
- command:
- - /bin/bash
+ - sh
+ args:
- -c
- - bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
+ - |
+ bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'`
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-restore-backup
@@ -128,57 +166,49 @@
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-perform-migration
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ;
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-realtime.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: janusgraph-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-GA
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/{{ . }}
- name: {{ include "common.fullname" $global }}-auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
- resources:
-{{ include "common.resources" . }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
- volumes:
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
@@ -191,14 +221,12 @@
- name: {{ include "common.fullname" . }}-snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
- - name: {{ include "common.fullname" . }}-auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ - name: properties-input
+ configMap:
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
restartPolicy: Never
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
@@ -226,8 +254,50 @@
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{- if .Values.global.aafEnabled }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export KEYSTORE_JKS_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: properties-input
+ - mountPath: /config
+ name: properties
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
+ {{- end }}
{{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }}
- initContainers:
- command:
- /bin/bash
- -c
@@ -247,65 +317,69 @@
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
command:
- - /bin/bash
+ - sh
+ args:
- -c
- |
- bash docker-entrypoint.sh dataSnapshot.sh ;
+ bash docker-entrypoint.sh dataSnapshot.sh
{{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots
- name: {{ include "common.fullname" . }}-snapshots
+ name: snapshots
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-real.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties
- name: {{ include "common.fullname" . }}-migration
+ name: migration
subPath: janusgraph-migration-cached.properties
- mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: aaiconfig.properties
- mountPath: /opt/aai/logroot/AAI-RES/
- name: {{ include "common.fullname" . }}-logs
+ name: logs
- mountPath: /opt/app/aai-graphadmin/resources/logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml
- name: {{ include "common.fullname" . }}-config
+ name: config
subPath: localhost-access-logback.xml
- mountPath: /opt/app/aai-graphadmin/resources/application.properties
- name: {{ include "common.fullname" . }}-config
+ name: properties
subPath: application.properties
- resources:
-{{ include "common.resources" . | indent 10 }}
+ resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
- {{- end -}}
- {{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
- volumes:
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ volumes: {{ include "common.resources" . | nindent 10 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-logs
+ - name: logs
emptyDir: {}
- - name: {{ include "common.fullname" . }}-config
+ - name: config
configMap:
- name: {{ include "common.fullname" . }}-configmap
- - name: {{ include "common.fullname" . }}-migration
+ name: {{ include "common.fullname" . }}
+ - name: properties-input
configMap:
- name: {{ include "common.fullname" . }}-migration-configmap
- - name: {{ include "common.fullname" . }}-snapshots
+ name: {{ include "common.fullname" . }}-properties
+ - name: properties
+ emptyDir:
+ medium: Memory
+ - name: migration
+ configMap:
+ name: {{ include "common.fullname" . }}-migration
+ - name: snapshots
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-migration
restartPolicy: Never
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
index 85165e2..cf46553 100644
--- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml
@@ -4,6 +4,7 @@
# org.onap.aai
# ================================================================================
# Copyright © 2018 AT&T Intellectual Property. All rights reserved.
+# Modifications Copyright © 2021 Orange
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml
index 031a082..2774609 100644
--- a/kubernetes/aai/components/aai-graphadmin/values.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/values.yaml
@@ -4,7 +4,7 @@
# ================================================================================
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Nokia Intellectual Property. All rights reserved.
-# Copyright (c) 2020 Orange Intellectual Property. All rights reserved.
+# Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -37,8 +37,6 @@
migration:
enabled: false
config:
- # User information for the admin user in container
- userId: 1000
# Specifies that the cluster connected to a dynamic
# cluster being spinned up by kubernetes deployment
@@ -96,27 +94,54 @@
edge:
label: v12
- # Keystore configuration password and filename
- keystore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
- # Truststore configuration password and filename
- truststore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
-
-
- # Specifies a list of files to be included in auth volume
- auth:
- files:
- - aai_keystore
-
# Specifies which clients should always default to realtime graph connection
realtime:
clients: SDNC,MSO,SO,robot-ete
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-graphadmin-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai
+ fqi: aai@aai.onap.org
+ public_fqdn: aai.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ fqi_namespace: org.onap.aai
+ user_id: &user_id 1000
+ group_id: &group_id 1000
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_jks}" \
+ -keystore {{ .Values.fqi_namespace }}.jks
+ echo "*** set key password as same password as keystore password"
+ keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \
+ -keystore {{ .Values.fqi_namespace }}.jks \
+ -keypass "${cadi_keystore_password_jks}" \
+ -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }}
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
# application image
image: onap/aai-graphadmin:1.9.1
@@ -259,6 +284,11 @@
memory: 2Gi
unlimited: {}
+# Not fully used for now
+securityContext:
+ user_id: *user_id
+ group_id: *group_id
+
#Pods Service Account
serviceAccount:
nameOverride: aai-graphadmin
diff --git a/kubernetes/aai/components/aai-modelloader/requirements.yaml b/kubernetes/aai/components/aai-modelloader/requirements.yaml
index d80dc5a..5a41aef 100644
--- a/kubernetes/aai/components/aai-modelloader/requirements.yaml
+++ b/kubernetes/aai/components/aai-modelloader/requirements.yaml
@@ -21,6 +21,9 @@
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12
deleted file mode 100644
index e64895e..0000000
--- a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore b/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore
deleted file mode 100644
index e1d24d9..0000000
--- a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
index cd36e79..129af8f 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
@@ -1,6 +1,7 @@
{{/*
<!--
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -26,8 +27,7 @@
<property name="auditLogName" value="audit" />
<property name="debugLogName" value="debug" />
- <property name="errorLogPattern"
- value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" />
+ <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" />
<property name="auditMetricPattern" value="%m%n" />
<property name="logDirectory" value="${logDir}/${componentName}" />
@@ -35,9 +35,12 @@
<!-- Example evaluator filter applied against console appender -->
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
- <pattern>${defaultPattern}</pattern>
+ <pattern>${errorLogPattern}</pattern>
</encoder>
</appender>
+ <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender">
+ <appender-ref ref="STDOUT" />
+ </appender>
<!-- ============================================================================ -->
<!-- EELF Appenders -->
@@ -46,8 +49,7 @@
<!-- The EELFAppender is used to record events to the general application
log -->
- <appender name="EELF"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${generalLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -66,8 +68,7 @@
<appender-ref ref="EELF" />
</appender>
- <appender name="EELFAudit"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${auditLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -82,8 +83,7 @@
<appender-ref ref="EELFAudit" />
</appender>
- <appender name="EELFMetrics"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${metricsLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -98,8 +98,7 @@
<appender-ref ref="EELFMetrics" />
</appender>
- <appender name="EELFDebug"
- class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender">
<file>${logDirectory}/${debugLogName}.log</file>
<rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
<fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -121,12 +120,15 @@
<logger name="com.att.eelf" level="info" additivity="false">
<appender-ref ref="asyncEELF" />
<appender-ref ref="asyncEELFDebug" />
+ <appender-ref ref="AsyncSysOut" />
</logger>
<logger name="com.att.eelf.audit" level="info" additivity="false">
<appender-ref ref="asyncEELFAudit" />
+ <appender-ref ref="AsyncSysOut" />
</logger>
<logger name="com.att.eelf.metrics" level="info" additivity="false">
<appender-ref ref="asyncEELFMetrics" />
+ <appender-ref ref="AsyncSysOut" />
</logger>
<!-- Spring related loggers -->
@@ -162,8 +164,9 @@
<logger name="ch.qos.logback.core" level="WARN" />
<root>
- <appender-ref ref="asyncEELF" />
- <!-- <appender-ref ref="asyncEELFDebug" /> -->
-</root>
+ <appender-ref ref="asyncEELF" />
+ <appender-ref ref="AsyncSysOut" />
+ <!-- <appender-ref ref="asyncEELFDebug" /> -->
+ </root>
</configuration>
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
index 41b8554..09eb397 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,7 +21,7 @@
ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443
ml.distribution.ASDC_USE_HTTPS=true
ml.distribution.KEYSTORE_PASSWORD=
-ml.distribution.KEYSTORE_FILE=asdc-client.jks
+ml.distribution.KEYSTORE_FILE=
ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
{{ else }}
ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080
@@ -54,8 +55,8 @@
ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516
ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts
{{ if ( include "common.needTLS" .) }}
-ml.babel.KEYSTORE_FILE=babel-client-cert.p12
-ml.babel.KEYSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-ml.babel.TRUSTSTORE_FILE=tomcat_keystore
-ml.babel.TRUSTSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12
+ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
+ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}
{{ end }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
index 7e05d3b..0213d631 100644
--- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
@@ -1,7 +1,7 @@
{{/*
# Copyright © 2018 Amdocs, AT&T
# Modifications Copyright © 2018 Bell Canada
-# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2020-2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -39,12 +39,53 @@
name: {{ include "common.name" . }}
spec:
{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end -}}
{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.aafEnabled }}
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
+ export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ cd /config-input
+ for PFILE in `ls -1`
+ do
+ envsubst <${PFILE} >/config/${PFILE}
+ done
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ - mountPath: /config-input
+ name: prop-config-input
+ - mountPath: /config
+ name: prop-config
+ image: {{ include "repositoryGenerator.image.envsubst" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-update-config
{{- end }}
containers:
- name: {{ include "common.name" . }}
@@ -53,43 +94,41 @@
env:
- name: CONFIG_HOME
value: /opt/app/model-loader/config/
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
- mountPath: /opt/app/model-loader/config/model-loader.properties
subPath: model-loader.properties
- name: {{ include "common.fullname" . }}-prop-config
+ name: prop-config
- mountPath: /opt/app/model-loader/config/auth/
- name: {{ include "common.fullname" . }}-auth-config
+ name: auth-config
- mountPath: {{ .Values.log.path }}
name: logs
- mountPath: /opt/app/model-loader/logback.xml
- name: {{ include "common.fullname" . }}-log-conf
+ name: log-config
subPath: logback.xml
- ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
- resources:
-{{ include "common.resources" . }}
-
+ resources: {{ include "common.resources" . | nindent 10 }}
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: localtime
hostPath:
path: /etc/localtime
- - name: {{ include "common.fullname" . }}-prop-config
+ - name: prop-config-input
configMap:
name: {{ include "common.fullname" . }}-prop
- - name: {{ include "common.fullname" . }}-auth-config
+ - name: prop-config
+ emptyDir:
+ medium: Memory
+ - name: auth-config
secret:
secretName: {{ include "common.fullname" . }}
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-log-conf
+ - name: log-config
configMap:
name: {{ include "common.fullname" . }}-log
restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/service.yaml b/kubernetes/aai/components/aai-modelloader/templates/service.yaml
deleted file mode 100644
index fad857b..0000000
--- a/kubernetes/aai/components/aai-modelloader/templates/service.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{/*
-# Copyright © 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "common.servicename" . }}
- namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.internalPort2 }}
- nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
- name: {{ .Values.service.portName2 }}
- {{- else -}}
- - port: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName }}
- - port: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName2 }}
- {{- end}}
- selector:
- app: {{ include "common.name" . }}
- release: {{ include "common.release" . }}
diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml
index 443bf40..95eae6a 100644
--- a/kubernetes/aai/components/aai-modelloader/values.yaml
+++ b/kubernetes/aai/components/aai-modelloader/values.yaml
@@ -1,5 +1,5 @@
# Copyright © 2018 Amdocs, Bell Canada, AT&T
-# Modifications Copyright © 2020 Orange
+# Modifications Copyright © 2020-2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,6 +19,42 @@
global: # global defaults
nodePortPrefix: 302
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-ml-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai
+ fqi: aai@aai.onap.org
+ public_fqdn: aai.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ appMountPath: /opt/app/model-loader/config/auth/aaf
+ fqi_namespace: org.onap.aai
+ user_id: &user_id 1000
+ group_id: &group_id 1000
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
+
# application image
image: onap/model-loader:1.9.1
pullPolicy: Always
@@ -47,26 +83,6 @@
initialDelaySeconds: 10
periodSeconds: 10
-service:
- type: NodePort
- portName: http
- externalPort: 8080
- internalPort: 8080
- nodePort: 10
- portName2: https
- externalPort2: 8443
- internalPort2: 8443
- nodePort2: 29
-
-ingress:
- enabled: false
- service:
- - baseaddr: "aaimodelloader"
- name: "aai-modelloader"
- port: 8443
- config:
- ssl: "redirect"
-
resources:
small:
limits:
@@ -90,6 +106,11 @@
roles:
- read
+# Not fully used for now
+securityContext:
+ user_id: *user_id
+ group_id: *group_id
+
#Log configuration
log:
path: /var/log/onap
diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
index b0ed0e8..a2abaf3 100644
--- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties
@@ -36,10 +36,10 @@
{{ end }}
{{ if ( include "common.needTLS" .) }}
-aai.truststore.filename={{ .Values.global.config.truststore.filename }}
-aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }}
-aai.keystore.filename={{ .Values.global.config.keystore.filename }}
-aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }}
+aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD}
+aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+aai.keystore.passwd.x=${KEYSTORE_PASSWORD}
{{ end }}
aai.default.api.version={{ .Values.global.config.schema.version.api.default }}
diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties
index ad700dc..a3f7998 100644
--- a/kubernetes/aai/components/aai-schema-service/config/application.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/application.properties
@@ -39,12 +39,12 @@
server.port=8452
{{ if ( include "common.needTLS" .) }}
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }}
-server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }})
-server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }}
-server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }})
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
server.ssl.client-auth=want
-server.ssl.key-store-type=JKS
+server.ssl.key-store-type=PKCS12
{{ else }}
security.require-ssl=false
server.ssl.enabled=false
diff --git a/kubernetes/aai/components/aai-schema-service/config/logback.xml b/kubernetes/aai/components/aai-schema-service/config/logback.xml
index cfcd3c0..e91e257 100644
--- a/kubernetes/aai/components/aai-schema-service/config/logback.xml
+++ b/kubernetes/aai/components/aai-schema-service/config/logback.xml
@@ -268,20 +268,25 @@
<logger name="org.onap.aai.aaf.auth" level="DEBUG" additivity="false">
<appender-ref ref="asyncAUTH" />
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.aailog.logs.AaiScheduledTaskAuditLog" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.logging.filter.base.AbstractAuditLogFilter" level="INFO">
<appender-ref ref="asyncAUDIT"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.logging.ErrorLogHelper" level="WARN">
<appender-ref ref="asyncERROR"/>
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.onap.aai.schemaservice.interceptors.post" level="DEBUG" additivity="false">
<appender-ref ref="asynctranslog" />
+ <appender-ref ref="STDOUT"/>
</logger>
<logger name="org.apache" level="OFF"/>
diff --git a/kubernetes/aai/components/aai-schema-service/config/realm.properties b/kubernetes/aai/components/aai-schema-service/config/realm.properties
index 988bb24..7c8539d 100644
--- a/kubernetes/aai/components/aai-schema-service/config/realm.properties
+++ b/kubernetes/aai/components/aai-schema-service/config/realm.properties
@@ -10,6 +10,7 @@
AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin
OOF:OBF:1img1ke71ily,admin
aai@aai.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
+aai-graphadmin@aai-graphadmin.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
so@so.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin
diff --git a/kubernetes/aai/components/aai-schema-service/requirements.yaml b/kubernetes/aai/components/aai-schema-service/requirements.yaml
index d80dc5a..5a41aef 100644
--- a/kubernetes/aai/components/aai-schema-service/requirements.yaml
+++ b/kubernetes/aai/components/aai-schema-service/requirements.yaml
@@ -21,6 +21,9 @@
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~9.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~9.x-0
repository: '@local'
diff --git a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
index 23a2af5..9573871 100644
--- a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml
@@ -30,7 +30,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-localhost-access-log-configmap
+ name: {{ include "common.fullname" . }}-localhost-access-log
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -43,7 +43,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-aaiconfig-configmap
+ name: {{ include "common.fullname" . }}-aaiconfig
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -56,7 +56,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-springapp-configmap
+ name: {{ include "common.fullname" . }}-springapp
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
@@ -69,7 +69,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ include "common.fullname" . }}-realm-configmap
+ name: {{ include "common.fullname" . }}-realm
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
index 7c25ab7..e4f1d72 100644
--- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml
@@ -40,16 +40,52 @@
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
+ {{- if .Values.global.aafEnabled }}
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ - command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+ echo "*** obfuscate them "
+ export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
+ export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
+ export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+ echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+ image: {{ include "repositoryGenerator.image.jetty" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-obfuscate
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.user_id }}
+ {{- end }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{- if .Values.global.aafEnabled }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "*** retrieve Truststore and Keystore password"
+ export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+ echo "keystore pass: $KEYSTORE_PASSWORD"
+ echo "truststore pass: $TRUSTSTORE_PASSWORD"
+ echo "*** actual launch of AAI Schema Service"
+ /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh
+ {{- end }}
env:
- name: LOCAL_USER_ID
- value: {{ .Values.global.config.userId | quote }}
+ value: {{ .Values.securityContext.user_id | quote }}
- name: LOCAL_GROUP_ID
- value: {{ .Values.global.config.groupId | quote }}
- volumeMounts:
+ value: {{ .Values.securityContext.group_id | quote }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -59,7 +95,7 @@
- mountPath: /opt/aai/logroot/AAI-SS
name: logs
- mountPath: /opt/app/aai-schema-service/resources/logback.xml
- name: {{ include "common.fullname" . }}-log-conf
+ name: log-conf
subPath: logback.xml
- mountPath: /opt/app/aai-schema-service/resources/localhost-access-logback.xml
name: localhost-access-log-conf
@@ -70,12 +106,6 @@
- mountPath: /opt/app/aai-schema-service/resources/application.properties
name: springapp-conf
subPath: application.properties
- {{ $global := . }}
- {{ range $job := .Values.global.config.auth.files }}
- - mountPath: /opt/app/aai-schema-service/resources/etc/auth/{{ . }}
- name: auth-truststore-sec
- subPath: {{ . }}
- {{ end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
- containerPort: {{ .Values.service.internalPort2 }}
@@ -107,7 +137,7 @@
# side car containers
{{ include "common.log.sidecar" . | nindent 6 }}
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: aai-common-aai-auth-mount
secret:
secretName: aai-common-aai-auth
@@ -117,29 +147,21 @@
- name: logs
emptyDir: {}
{{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
- - name: {{ include "common.fullname" . }}-log-conf
+ - name: log-conf
configMap:
name: {{ include "common.fullname" . }}-log
- name: localhost-access-log-conf
configMap:
- name: {{ include "common.fullname" . }}-localhost-access-log-configmap
+ name: {{ include "common.fullname" . }}-localhost-access-log
- name: springapp-conf
configMap:
- name: {{ include "common.fullname" . }}-springapp-configmap
+ name: {{ include "common.fullname" . }}-springapp
- name: aaiconfig-conf
configMap:
- name: {{ include "common.fullname" . }}-aaiconfig-configmap
+ name: {{ include "common.fullname" . }}-aaiconfig
- name: realm-conf
configMap:
- name: {{ include "common.fullname" . }}-realm-configmap
- - name: auth-truststore-sec
- secret:
- secretName: aai-common-truststore
- items:
- {{ range $job := .Values.global.config.auth.files }}
- - key: {{ . }}
- path: {{ . }}
- {{ end }}
+ name: {{ include "common.fullname" . }}-realm
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml
index 4c2b64a..7989bcc 100644
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -58,20 +58,40 @@
edge:
label: v12
- # Keystore configuration password and filename
- keystore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
- # Truststore configuration password and filename
- truststore:
- filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
-
- # Specifies a list of files to be included in auth volume
- auth:
- files:
- - aai_keystore
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: aai-schema-service-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: aai-schema-service
+ fqi: aai-schema-service@aai-schema-service.onap.org
+ public_fqdn: aai-schema-service.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ fqi_namespace: org.onap.aai-schema-service
+ user_id: &user_id 1000
+ group_id: &group_id 1000
+ aaf_add_config: |
+ echo "*** changing them into shell safe ones"
+ export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+ cd {{ .Values.credsPath }}
+ keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_keystore_password_p12}" \
+ -keystore {{ .Values.fqi_namespace }}.p12
+ keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+ -storepass "${cadi_truststore_password}" \
+ -keystore {{ .Values.fqi_namespace }}.trust.jks
+ echo "*** writing passwords into prop file"
+ echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+ echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+ echo "*** change ownership of certificates to targeted user"
+ chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
# application image
image: onap/aai-schema-service:1.9.2
@@ -147,6 +167,11 @@
roles:
- read
+# Not fully used for now
+securityContext:
+ user_id: *user_id
+ group_id: *group_id
+
#Log configuration
log:
path: /var/log/onap
diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml
index b9c8207..5c540c9 100644
--- a/kubernetes/aai/components/aai-sparky-be/values.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/values.yaml
@@ -75,7 +75,7 @@
gerritBranch: 3.0.0-ONAP
gerritProject: http://gerrit.onap.org/r/aai/test-config
portalUsername: aaiui
- portalPassword: OBF:1t2v1vfv1unz1vgz1t3b
+ portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui
portalCookieName: UserId
portalAppRoles: ui_view
cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties
diff --git a/kubernetes/aai/resources/config/aai/aai_keystore b/kubernetes/aai/resources/config/aai/aai_keystore
index b9a3e45..dc86acc 100644
--- a/kubernetes/aai/resources/config/aai/aai_keystore
+++ b/kubernetes/aai/resources/config/aai/aai_keystore
Binary files differ
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 79a0f04..3ceeb84 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -252,12 +252,12 @@
# Keystore configuration password and filename
keystore:
filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+ passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
# Truststore configuration password and filename
truststore:
filename: aai_keystore
- passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+ passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
# Specifies a list of files to be included in auth volume
auth:
diff --git a/kubernetes/common/mongo/templates/statefulset.yaml b/kubernetes/common/mongo/templates/statefulset.yaml
index 9f24493..1160205 100644
--- a/kubernetes/common/mongo/templates/statefulset.yaml
+++ b/kubernetes/common/mongo/templates/statefulset.yaml
@@ -72,7 +72,7 @@
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- name: {{ include "common.fullname" . }}-data
- mountPath: /data/db
+ mountPath: /var/lib/mongo
resources: {{ include "common.resources" . | nindent 12 }}
{{ include "common.containerSecurityContext" . | indent 10 }}
{{- if .Values.nodeSelector }}
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index 1662985..349bb40 100644
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
@@ -105,6 +105,10 @@
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "htpasswdImage") .) }}
{{- end -}}
+{{- define "repositoryGenerator.image.jetty" -}}
+ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "jettyImage") .) }}
+{{- end -}}
+
{{- define "repositoryGenerator.image.jre" -}}
{{- include "repositoryGenerator.image._helper" (merge (dict "image" "jreImage") .) }}
{{- end -}}
diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index f410453..e2fe1ff 100644
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -28,6 +28,7 @@
envsubstImage: dibi/envsubst:1
# there's only latest image for htpasswd
htpasswdImage: xmartlabs/htpasswd:latest
+ jettyImage: jetty:9-jdk11-slim
jreImage: onap/integration-java11:7.1.0
kubectlImage: bitnami/kubectl:1.19
loggingImage: beats/filebeat:5.5.0
@@ -60,6 +61,7 @@
curlImage: dockerHubRepository
envsubstImage: dockerHubRepository
htpasswdImage: dockerHubRepository
+ jettyImage: dockerHubRepository
jreImage: repository
kubectlImage: dockerHubRepository
loggingImage: elasticRepository
diff --git a/kubernetes/uui/components/uui-nlp/Chart.yaml b/kubernetes/uui/components/uui-nlp/Chart.yaml
new file mode 100644
index 0000000..3f09b48
--- /dev/null
+++ b/kubernetes/uui/components/uui-nlp/Chart.yaml
@@ -0,0 +1,22 @@
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright (c) 2021 AT&T. All rights reserved.
+# Modifications Copyright © 2021 Orange
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: v1
+description: ONAP UUI NLP
+name: uui-nlp
+version: 9.0.0
diff --git a/kubernetes/uui/components/uui-nlp/requirements.yaml b/kubernetes/uui/components/uui-nlp/requirements.yaml
new file mode 100644
index 0000000..52fd1da
--- /dev/null
+++ b/kubernetes/uui/components/uui-nlp/requirements.yaml
@@ -0,0 +1,27 @@
+#============LICENSE_START========================================================
+# Copyright (c) 2021 AT&T. All rights reserved.
+# Modifications Copyright © 2021 Orange
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+dependencies:
+ - name: common
+ version: ~9.x-0
+ repository: '@local'
+ - name: repositoryGenerator
+ version: ~9.x-0
+ repository: '@local'
+ - name: serviceAccount
+ version: ~9.x-0
+ repository: '@local'
diff --git a/kubernetes/uui/components/uui-nlp/templates/deployment.yaml b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml
new file mode 100644
index 0000000..e72ee44
--- /dev/null
+++ b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml
@@ -0,0 +1,62 @@
+{{/*
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright (c) 2021 AT&T. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+*/}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ replicas: 1
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ {{ include "common.podSecurityContext" . | indent 6 | trim}}
+ containers:
+ - name: {{ include "common.name" . }}
+ image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {{ include "common.resources" . | nindent 12 }}
+ ports: {{ include "common.containerPorts" . | nindent 12 }}
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end }}
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.service.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
+ - mountPath: /home/run/bert-master/upload
+ name: uui-server-v
+ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
+ volumes:
+ - name: uui-server-v
+ {{- if .Values.persistence.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ include "common.fullname" . }}
+ {{- else }}
+ emptyDir: {}
+ {{- end }}
+
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml b/kubernetes/uui/components/uui-nlp/templates/ingress.yaml
similarity index 100%
rename from kubernetes/aai/components/aai-modelloader/templates/ingress.yaml
rename to kubernetes/uui/components/uui-nlp/templates/ingress.yaml
diff --git a/kubernetes/uui/components/uui-nlp/templates/pv.yaml b/kubernetes/uui/components/uui-nlp/templates/pv.yaml
new file mode 100644
index 0000000..a05ebfb
--- /dev/null
+++ b/kubernetes/uui/components/uui-nlp/templates/pv.yaml
@@ -0,0 +1,20 @@
+{{/*
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.PV" . }}
\ No newline at end of file
diff --git a/kubernetes/uui/components/uui-nlp/templates/pvc.yaml b/kubernetes/uui/components/uui-nlp/templates/pvc.yaml
new file mode 100644
index 0000000..2bd21dd
--- /dev/null
+++ b/kubernetes/uui/components/uui-nlp/templates/pvc.yaml
@@ -0,0 +1,19 @@
+{{/*
+################################################################################
+# Copyright (c) 2021 AT&T #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+*/}}
+
+{{ include "common.PVC" . }}
\ No newline at end of file
diff --git a/kubernetes/uui/components/uui-nlp/templates/service.yaml b/kubernetes/uui/components/uui-nlp/templates/service.yaml
new file mode 100644
index 0000000..40aaa73
--- /dev/null
+++ b/kubernetes/uui/components/uui-nlp/templates/service.yaml
@@ -0,0 +1,20 @@
+{{/*
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright (c) 2021 AT&T. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+*/}}
+
+{{ include "common.service" . }}
diff --git a/kubernetes/uui/components/uui-nlp/values.yaml b/kubernetes/uui/components/uui-nlp/values.yaml
new file mode 100644
index 0000000..3fb70fe
--- /dev/null
+++ b/kubernetes/uui/components/uui-nlp/values.yaml
@@ -0,0 +1,96 @@
+#============LICENSE_START========================================================
+#=================================================================================
+# Copyright (c) 2021 AT&T. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+# Global values
+global:
+ pullPolicy: Always
+ persistence: {}
+image: onap/usecase-ui-nlp:1.0.2
+
+uui-nlp:
+ enabled: true
+
+flavor: large
+
+onLinePort: &online_port 33011
+offLinePort: &offline_port 33012
+uploadPort: &upload_port 33013
+
+# service configuration
+service:
+ internalPort: 33013
+ type: ClusterIP
+ name: uui-nlp
+ ports:
+ - name: http-online
+ port: *online_port
+ - name: http-offline
+ port: *offline_port
+ - name: http-upload
+ port: *upload_port
+
+
+liveness:
+ initialDelaySeconds: 300
+ periodSeconds: 30
+ enabled: true
+
+readiness:
+ initialDelaySeconds: 300
+ periodSeconds: 10
+
+# Below parameter should match setting in all clients
+# including contrib\tools\registry-initialize.sh
+# which does preload
+#registryCred:
+# username: onapinitializer
+# password: demo123456!
+
+# Parameters for persistent storage
+persistence:
+ enabled: true
+ accessMode: ReadWriteOnce
+ size: 4Gi
+ mountPath: /dockerdata-nfs
+ mountSubPath: uui-nlp
+ volumeReclaimPolicy: Retain
+
+serviceAccount:
+ nameOverride: uui-nlp
+ roles:
+ - read
+
+securityContext:
+ user_id: 1000
+ group_id: 1000
+
+resources:
+ small:
+ limits:
+ cpu: 1
+ memory: 1Gi
+ requests:
+ cpu: 0.5
+ memory: 512Mi
+ large:
+ limits:
+ cpu: 2
+ memory: 2Gi
+ requests:
+ cpu: 1
+ memory: 1Gi
+ unlimited: {}
diff --git a/kubernetes/uui/requirements.yaml b/kubernetes/uui/requirements.yaml
index 05d649f..d60dc43 100644
--- a/kubernetes/uui/requirements.yaml
+++ b/kubernetes/uui/requirements.yaml
@@ -29,3 +29,7 @@
- name: uui-server
version: ~9.x-0
repository: 'file://components/uui-server'
+ - name: uui-nlp
+ version: ~9.x-0
+ repository: 'file://components/uui-nlp'
+ condition: uui-nlp.enabled