From: Lusheng Ji Date: Tue, 30 Jul 2019 21:33:31 +0000 (+0000) Subject: Merge "ves collector chart adapter to use common chart definitions" X-Git-Tag: 0.0.2~44 X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=42649d65935eadc3cee27cce8f01b296ef0fb292;hp=9af6b6ee209de8b09df1a19ea34e4c7d951006a1;p=it%2Fdep.git Merge "ves collector chart adapter to use common chart definitions" --- diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index 77b95efa..00000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule "ric-infra/10-Nexus/docker/nexus-repository-helm"] - path = ric-infra/10-Nexus/docker/nexus-repository-helm - url = https://github.com/sonatype-nexus-community/nexus-repository-helm.git diff --git a/ric-infra/00-Kubernetes/heat/scripts/k8s_vm_install.sh b/ric-infra/00-Kubernetes/heat/scripts/k8s_vm_install.sh index e1e96150..25550a1b 100644 --- a/ric-infra/00-Kubernetes/heat/scripts/k8s_vm_install.sh +++ b/ric-infra/00-Kubernetes/heat/scripts/k8s_vm_install.sh @@ -127,7 +127,13 @@ echo 'deb http://apt.kubernetes.io/ kubernetes-xenial main' > /etc/apt/sources.l # install low latency kernel, docker.io, and kubernetes apt-get update -apt-get install -y linux-image-4.15.0-45-lowlatency curl jq netcat docker.io=${DOCKERVERSION} +apt-get install -y virt-what +if ! echo $(virt-what) | grep "virtualbox"; then + # this version of low latency kernel causes virtualbox VM to hand. + # install if identifying the VM not being a virtualbox VM. + apt-get install -y linux-image-4.15.0-45-lowlatency +fi +apt-get install -y curl jq netcat docker.io=${DOCKERVERSION} apt-get install -y kubernetes-cni=${CNIVERSION} apt-get install -y --allow-unauthenticated kubeadm=${KUBEVERSION} kubelet=${KUBEVERSION} kubectl=${KUBEVERSION} apt-mark hold docker.io kubernetes-cni kubelet kubeadm kubectl diff --git a/ric-infra/10-Nexus/docker/nexus-repository-helm b/ric-infra/10-Nexus/docker/nexus-repository-helm deleted file mode 160000 index 6de97765..00000000 
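Review bot: The new VirtualBox test in k8s_vm_install.sh, `if ! echo $(virt-what) | grep "virtualbox"; then`, prints the match into the install log and wraps the command in an unneeded `echo $(...)`; `if ! virt-what | grep -q virtualbox; then` performs the same check quietly. The comment above the kernel install says the kernel "causes virtualbox VM to hand", which presumably means "hang". Separately, the unchanged context lines of this hunk still install kubeadm, kubelet and kubectl with `--allow-unauthenticated` from an `http://apt.kubernetes.io/` source, so apt will install them even when they cannot be authenticated. That predates this commit but deserves a follow-up.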
--- a/ric-infra/10-Nexus/docker/nexus-repository-helm
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 6de97765b747008e3016f202ccbe2dba18667b83
diff --git a/ric-infra/25-tiller/docker/Dockerfile b/ric-infra/25-tiller/docker/Dockerfile
new file mode 100644
index 00000000..5883e038
--- /dev/null
+++ b/ric-infra/25-tiller/docker/Dockerfile
@@ -0,0 +1,36 @@
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM alpine
+
+MAINTAINER "RIC"
+
+LABEL name="A container with support for creating Kubernetes SSL secrets"
+
+RUN apk update
+
+RUN apk add openssl
+
+# unfortunately not available by itself in apk
+ADD https://storage.googleapis.com/kubernetes-release/release/v1.14.1/bin/linux/amd64/kubectl /bin/kubectl
+RUN chmod +x /bin/kubectl
+
+COPY bin/cert-gen.sh /bin/cert-gen.sh
+COPY bin/svcacct-to-kubeconfig.sh /bin/svcacct-to-kubeconfig.sh
+COPY bin/tls-secrets.sh /tls-secrets.sh
+
+RUN mkdir /pki
+
+CMD /tls-secrets.sh
+
diff --git a/ric-infra/25-tiller/docker/bin/cert-gen.sh b/ric-infra/25-tiller/docker/bin/cert-gen.sh
new file mode 100755
index 00000000..29fba98d
--- /dev/null
+++ b/ric-infra/25-tiller/docker/bin/cert-gen.sh
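Review bot: The kubectl binary in the new Dockerfile is fetched with `ADD https://storage.googleapis.com/...` and made executable with no integrity check, and `FROM alpine` carries no tag or digest, so the contents of the image are not reproducible or verified. Because this image generates the CA key and handles a service-account token, I would pin the base image (`FROM alpine:<PINNED_TAG>`) and check the download against the published checksum, for example `RUN wget -O /bin/kubectl <KUBECTL_URL> && echo "<KUBECTL_SHA256>  /bin/kubectl" | sha256sum -c - && chmod +x /bin/kubectl`. No `USER` is set, so the scripts run as root; whether `/pki` and `/kubeconfig` could be written by an unprivileged user is not visible from this file.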
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dnBase=${CERT_DN:-'/C=US/O=O-RAN Alliance/OU=O-RAN Software Community'}
+keyBits=${KEY_BITS:-4096}
+
+CAHome=${CA_DIR:-'/pki'}
+CADays=${CA_CERT_EXPIRY:-9125}
+CAKey=${CAHome}/${CA_KEY_NAME:-ca.key.pem}
+CACert=${CAHome}/${CA_CERT_NAME:-ca.cert.pem}
+#
+CertHome=${CERT_DIR:-$CAHome}
+#
+TillerDays=${TILLER_CERT_EXPIRY:-3650}
+TillerKey=${CertHome}/${TILLER_KEY_NAME:-tiller.key.pem}
+TillerCert=${CertHome}/${TILLER_CERT_NAME:-tiller.cert.pem}
+TillerCN=${TILLER_CN:-tiller}
+#
+HelmDays=${HELM_CERT_EXPIRY:-3650}
+HelmKey=${CertHome}/${HELM_KEY_NAME:-helm.key.pem}
+HelmCert=${CertHome}/${HELM_CERT_NAME:-helm.cert.pem}
+HelmCN=${HELM_CN:-helm}
+
+# 1. CA
+if [ ! -d ${CAHome} ]; then
+ mkdir -p ${CAHome}
+fi
+if [ ! -f ${CAKey} ]; then
+ openssl genrsa -out ${CAKey} ${keyBits}
+fi
+if [ ! -f ${CACert} ]; then
+ openssl req -new -x509 -extensions v3_ca -sha256 -days ${CADays} \
+ -key ${CAKey} \
+ -out ${CACert} \
+ -subj "${dnBase}"
+fi
+
+# 2. tiller server cert
+if [ ! -f ${TillerKey} ]; then
+ openssl genrsa -out ${TillerKey} ${keyBits}
+fi
+if [ ! 
-f ${TillerCert} ]; then
+ CSR=`mktemp`
+ openssl req -new -sha256 \
+ -key ${TillerKey} \
+ -out ${CSR} \
+ -subj "${dnBase}/CN=${TillerCN}"
+ openssl x509 -req -CAcreateserial -days ${TillerDays} \
+ -CA ${CACert} \
+ -CAkey ${CAKey} \
+ -in ${CSR} \
+ -out ${TillerCert}
+fi
+
+# 3. helm client cert
+if [ ! -f ${HelmKey} ]; then
+ openssl genrsa -out ${HelmKey} ${keyBits}
+fi
+if [ ! -f ${HelmCert} ]; then
+ CSR=`mktemp`
+ openssl req -new -sha256 \
+ -key ${HelmKey} \
+ -out ${CSR} \
+ -subj "${dnBase}/CN=${HelmCN}"
+ openssl x509 -req -CAcreateserial -days ${HelmDays} \
+ -CA ${CACert} \
+ -CAkey ${CAKey} \
+ -in ${CSR} \
+ -out ${HelmCert}
+fi
diff --git a/ric-infra/25-tiller/docker/bin/svcacct-to-kubeconfig.sh b/ric-infra/25-tiller/docker/bin/svcacct-to-kubeconfig.sh
new file mode 100755
index 00000000..e294b617
--- /dev/null
+++ b/ric-infra/25-tiller/docker/bin/svcacct-to-kubeconfig.sh
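Review bot: cert-gen.sh writes the CA, tiller and helm private keys with `openssl genrsa -out ...` under whatever umask the container has, and it has no `set -e`, so a failed `genrsa` or `req` falls through to the signing steps. Adding `set -e` and `umask 077` directly after the licence header would stop on the first error and keep the key files owner-only regardless of the OpenSSL version. The temporary file that mktemp creates for each CSR is never removed; `rm -f "${CSR}"` after each `openssl x509 -req` call would clean it up. The two leaf certificates are signed without `-sha256` and without any extensions (no SAN, no key usage), so the digest is whatever the installed OpenSSL defaults to and hostname verification on the client side may not work. That should be confirmed against how helm and tiller are started.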
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# generate a kubconfig (at ${KUBECONFIG} file from the automatically-mounted
+# service account token.
+# ENVIRONMENT:
+# SVCACCT_NAME: the name of the service account user. default "default"
+# CLUSTER_NAME: the name of the kubernetes cluster. default "kubernetes"
+# KUBECONFIG: where the generated file will be deposited.
+SVCACCT_TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`
+CLUSTER_CA=`base64 /var/run/secrets/kubernetes.io/serviceaccount/ca.crt|tr -d '\n'`
+
+cat >${KUBECONFIG} <<__EOF__
+ApiVersion: v1
+kind: Config
+users:
+- name: ${SVCACCT_NAME:-default}
+ user:
+ token: ${SVCACCT_TOKEN}
+clusters:
+- cluster:
+ certificate-authority-data: ${CLUSTER_CA}
+ server: https://kubernetes.default.svc.cluster.local/
+ name: ${CLUSTER_NAME:-kubernetes}
+contexts:
+- context:
+ cluster: ${CLUSTER_NAME:-kubernetes}
+ user: ${SVCACCT_NAME:-default}
+ name: svcs-acct-context
+current-context: svcs-acct-context
+__EOF__
diff --git a/ric-infra/25-tiller/docker/bin/tls-secrets.sh b/ric-infra/25-tiller/docker/bin/tls-secrets.sh
new file mode 100755
index 00000000..b2657504
--- /dev/null
+++ b/ric-infra/25-tiller/docker/bin/tls-secrets.sh
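Review bot: The heredoc in svcacct-to-kubeconfig.sh writes the service-account bearer token into `${KUBECONFIG}` with default file permissions and never checks that the variable is set; the header comment lists KUBECONFIG but gives it no default. I would add `: "${KUBECONFIG:?KUBECONFIG must be set}"` and `umask 077` before the `cat`, and quote the redirect target as `cat >"${KUBECONFIG}"`. The first key of the generated file is spelled `ApiVersion`, while the kubeconfig field is `apiVersion`; kubectl may tolerate the difference in case, but matching the documented name is safer. The header comment also has a typo and an unclosed parenthesis in "generate a kubconfig (at ${KUBECONFIG} file".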
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+# Copyright (c) 2019 AT&T Intellectual Property.
+# Copyright (c) 2019 Nokia.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -x
+
+export ENTITIES=${ENTITIES:-helm tiller}
+export KUBECONFIG=${KUBECONFIG:-/kubeconfig}
+export CA_DIR=${CA_DIR:-/pki}
+if [ ! -z ${TARGET_NAMESPACE} ]; then
+ SECRET_NS="--namespace ${TARGET_NAMESPACE}"
+else
+ SECRET_NS=''
+fi
+
+if [ ! -f ${KUBECONFIG} ]; then
+ export SVCACCT_NAME=${SVCACCT_NAME:-tiller}
+ /bin/svcacct-to-kubeconfig.sh
+fi
+
+if [ ! -f ${CA_DIR}/helm.key.pem -o \
+ ! -f ${CA_DIR}/tiller.key.pem ]; then
+ /bin/cert-gen.sh
+fi
+
+# i'm assuming we can just lose the CA key.
+for entity in ${ENTITIES}; do
+ kubectl create secret generic \
+ --from-file=ca.crt=/pki/ca.cert.pem \
+ --from-file=tls.crt=/pki/${entity}.cert.pem \
+ --from-file=tls.key=/pki/${entity}.key.pem \
+ ${SECRET_NS} ${entity}
+
+ kubectl label secret \
+ ${SECRET_NS} ${entity} \
+ app=helm \
+ name=${entity}
+done
diff --git a/ric-infra/25-tiller/docker/container-tag.yaml b/ric-infra/25-tiller/docker/container-tag.yaml
new file mode 100644
index 00000000..079c0dc8
--- /dev/null
+++ b/ric-infra/25-tiller/docker/container-tag.yaml
@@ -0,0 +1,2 @@
+---
+tag: 0.0.1
diff --git a/ric-xapps/90-xApps/bin/install b/ric-xapps/90-xApps/bin/install
index 08f45635..3ed7fe60 100755
--- a/ric-xapps/90-xApps/bin/install
+++ b/ric-xapps/90-xApps/bin/install
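Review bot: In tls-secrets.sh the `kubectl create secret generic` call reads its three files from the literal `/pki`, while the key-existence check just above it and cert-gen.sh both use `${CA_DIR}`; with CA_DIR overridden the certificates are generated in one directory and the secret is built from another. The three options should read `--from-file=ca.crt=${CA_DIR}/ca.cert.pem`, `--from-file=tls.crt=${CA_DIR}/${entity}.cert.pem` and `--from-file=tls.key=${CA_DIR}/${entity}.key.pem`. There is no `set -e`, so a failed create is followed by `kubectl label` on a secret that may not exist, and a rerun fails on the secret that already exists. The comment "i'm assuming we can just lose the CA key" leaves a decision open. The key stays in `${CA_DIR}` inside the container, so the script should either delete it after signing or say where it is kept for later issuance.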
@@ -155,7 +155,8 @@ else fi - +mkdir /tmp/$CHART_NAME/config/ +mkdir /tmp/$CHART_NAME/descriptors/ cp $CONFIG_JSON_PATH /tmp/$CHART_NAME/config/ cp $DESCRIPTOR_PATH /tmp/$CHART_NAME/descriptors/ diff --git a/ric-xapps/90-xApps/helm/xapp-std/templates/appconfig.yaml b/ric-xapps/90-xApps/helm/xapp-std/templates/appconfig.yaml index e08ecc8d..ab8c2940 100644 --- a/ric-xapps/90-xApps/helm/xapp-std/templates/appconfig.yaml +++ b/ric-xapps/90-xApps/helm/xapp-std/templates/appconfig.yaml @@ -29,4 +29,4 @@ data: {{- $rtmgrrmrservice := .Values.ricplt.rtmgrRMRService | quote -}} {{- $a1mediatorrmrservice := .Values.ricplt.a1mediatorRMRService | quote -}} -{{ (.Files.Glob "config/*").AsConfig | replace "__DBAAS_SERVICE__" $dbaasservice | replace "__PLT_INGRESS_URL__" $pltingressurl | replace "__XAPP_INGRESS_URL__" $xappingressurl | replace "__APPMGR_RMR_SERVICE__" $appmgrrmrservice | replace "__E2MGR_RMR_SERVICE__" $e2mgrrmrservice | replace "__E2TERM_RMR_SERVICE__" $e2termrmrservice | replace "__RTMGR_RMR_SERVICE__" $rtmgrrmrservice | replace "__A1MEDIATOR_RMR_SERVICE__" $a1mediatorrmrservice | indent 2 }} +{{- (.Files.Glob "config/*").AsConfig | replace "__DBAAS_SERVICE__" $dbaasservice | replace "__PLT_INGRESS_URL__" $pltingressurl | replace "__XAPP_INGRESS_URL__" $xappingressurl | replace "__APPMGR_RMR_SERVICE__" $appmgrrmrservice | replace "__E2MGR_RMR_SERVICE__" $e2mgrrmrservice | replace "__E2TERM_RMR_SERVICE__" $e2termrmrservice | replace "__RTMGR_RMR_SERVICE__" $rtmgrrmrservice | replace "__A1MEDIATOR_RMR_SERVICE__" $a1mediatorrmrservice | nindent 2 }} diff --git a/ric-xapps/90-xApps/helm/xapp-std/templates/deployment.yaml b/ric-xapps/90-xApps/helm/xapp-std/templates/deployment.yaml index 28bd23bb..b539b9b4 100644 --- a/ric-xapps/90-xApps/helm/xapp-std/templates/deployment.yaml +++ b/ric-xapps/90-xApps/helm/xapp-std/templates/deployment.yaml 
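Review bot: The two `mkdir` calls added to the install script use an unquoted, predictable path under `/tmp` and no `-p`, so they fail when the directory is left over from an earlier run or when `/tmp/$CHART_NAME` does not exist yet (its creation is outside this hunk). `mkdir -p "/tmp/$CHART_NAME/config/" "/tmp/$CHART_NAME/descriptors/"` covers both cases. On a shared host a fixed name in `/tmp` can be created in advance by another user; if the rest of the script allows it, a working directory from `mktemp -d` would avoid that.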
@@ -46,10 +46,10 @@ spec: - name: http containerPort: {{ .Values.ricxapp.service.http.containerPort }} protocol: TCP - - name: rmrRoute + - name: rmrroute containerPort: {{ .Values.ricxapp.service.rmr.route.port }} protocol: TCP - - name: rmrData + - name: rmrdata containerPort: {{ .Values.ricxapp.service.rmr.data.port }} protocol: TCP volumeMounts: @@ -58,18 +58,14 @@ spec: envFrom: - configMapRef: name: {{ include "ricxapp.configmapname" . }}-appenv + {{- if .Values.ricxapp.livenessProbe }} livenessProbe: - httpGet: - path: {{ .Values.ricxapp.probes.healthAliveCheckEndpoint }} - port: {{ .Values.ricxapp.service.http.containerPort }} - initialDelaySeconds: 5 - periodSeconds: 15 + {{- .Values.ricxapp.livenessProbe | nindent 12 -}} + {{ end }} + {{- if .Values.ricxapp.readinessProbe }} readinessProbe: - httpGet: - path: {{ .Values.ricxapp.probes.healthReadyCheckEndpoint }} - port: {{ .Values.ricxapp.service.http.containerPort }} - initialDelaySeconds: 5 - periodSeconds: 15 + {{- .Values.ricxapp.readinessProbe | nindent 12 -}} + {{ end }} restartPolicy: Always volumes: - name: config-volume diff --git a/ric-xapps/90-xApps/helm/xapp-std/templates/service-rmr.yaml b/ric-xapps/90-xApps/helm/xapp-std/templates/service-rmr.yaml index ee1670b1..14a75722 100644 --- a/ric-xapps/90-xApps/helm/xapp-std/templates/service-rmr.yaml +++ b/ric-xapps/90-xApps/helm/xapp-std/templates/service-rmr.yaml @@ -29,13 +29,13 @@ spec: type: ClusterIP ports: - port: {{ .Values.ricxapp.service.rmr.data.port }} - targetPort: rmrData + targetPort: rmrdata protocol: TCP - name: rmrData + name: rmrdata - port: {{ .Values.ricxapp.service.rmr.route.port }} - targetPort: rmrRoute + targetPort: rmrroute protocol: TCP - name: rmrRoute + name: rmrroute selector: app: {{ include "ricxapp.namespace" . }}-{{ include "ricxapp.name" . }} release: {{ .Release.Name }} diff --git a/ric-xapps/90-xApps/helm/xapp-std/values.yaml b/ric-xapps/90-xApps/helm/xapp-std/values.yaml index bf9be32c..50eab3c2 100644 
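Review bot: In the second hunk of deployment.yaml the probes are rendered with `{{- .Values.ricxapp.livenessProbe | nindent 12 -}}`, which works only while the value is a string block: an override that supplies the probe as an ordinary YAML map makes the template fail, and the string is pasted into the container spec without ever being parsed as YAML on its own. Keeping the two values as maps in values.yaml and rendering them with `{{- toYaml .Values.ricxapp.livenessProbe | nindent 12 }}` (likewise for `readinessProbe`) produces the same manifest and means a malformed probe is caught when the values file is loaded. The `spec:` block that contains these lines starts and ends outside the hunk.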
--- a/ric-xapps/90-xApps/helm/xapp-std/values.yaml +++ b/ric-xapps/90-xApps/helm/xapp-std/values.yaml @@ -53,9 +53,20 @@ ricxapp: data: port: 4560 - probes: - healthAliveCheckEndpoint: ric/v1/health/alive - healthReadyCheckEndpoint: ric/v1/health/ready + livenessProbe: |- + httpGet: + path: ric/v1/health/alive + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 15 + + readinessProbe: |- + httpGet: + path: ric/v1/health/ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 15 + appconfig: path: /opt/ric/config
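Review bot: Both probe blocks in values.yaml hard-code `port: 8080`, where the template previously took the port from `.Values.ricxapp.service.http.containerPort`; an xApp that overrides the container port will still be probed on 8080 and will be restarted or never become ready. Either add a comment above `livenessProbe` and `readinessProbe` such as `# port must match ricxapp.service.http.containerPort`, or use the named port `port: http`, which the deployment template already declares. The probe paths `ric/v1/health/alive` and `ric/v1/health/ready` have no leading slash; that matches the values they replace, but it should be confirmed that the kubelet requests the intended URL.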