VOL-3145 - remove etcd operator usage
- removed dependencies as they are not part of VOLTHA
- removed RBAC config (no longer used)
- put each resource in a separate file (best practice)
- added security context for containers (best practice)
Change-Id: If9e250ebe998369cb973561d1406517ea622e670
diff --git a/voltha/Chart.yaml b/voltha/Chart.yaml
index dc435be..31481dd 100644
--- a/voltha/Chart.yaml
+++ b/voltha/Chart.yaml
@@ -12,13 +12,24 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
-name: voltha
-description: A Helm chart for Voltha based on K8S resources in Voltha project
-icon: https://guide.opencord.org/logos/cord.svg
-
-version: 2.4.6
+apiVersion: "v1"
+name: "voltha"
+version: "2.4.7"
+description: "A Helm chart for Voltha based on K8S resources in Voltha project"
+keywords:
+ - "onf"
+ - "voltha"
+home: "https://www.opennetworking.org/voltha"
+icon: "https://guide.opencord.org/logos/cord.svg"
+sources:
+ - "https://github.com/opencord/voltha-go"
+ - "https://github.com/opencord/ofagent-go"
+ - "https://gerrit.opencord.org/#/admin/projects/ofagent-py"
+maintainers:
+ - name: "Open Networking Foundation"
+ email: "info@opennetworking.org"
+ url: "https://www.opennetworking.org"
# app version applies to multiple components with potentially different
# container image versions
-appVersion: 2.4
+appVersion: "2.4"
diff --git a/voltha/templates/10-rbac.yaml b/voltha/templates/10-rbac.yaml
deleted file mode 100644
index 430f842..0000000
--- a/voltha/templates/10-rbac.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Copyright 2019-present Open Networking Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: voltha-serviceaccount
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: pod-reader
-rules:
- - apiGroups: [""]
- resources: ["pods", "nodes"]
- verbs: ["get", "watch", "list"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: voltha-role
- namespace: {{ .Release.Namespace }}
-rules:
- - apiGroups: [""]
- resources: ["pods", "secrets", "namespaces", "endpoints"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "update", "create"]
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: voltha-role-nisa-binding
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: voltha-role
-subjects:
- - kind: ServiceAccount
- name: voltha-serviceaccount
- namespace: {{ .Release.Namespace }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: voltha-clusterrole-nisa-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: pod-reader
-subjects:
- - kind: ServiceAccount
- name: voltha-serviceaccount
- namespace: {{ .Release.Namespace }}
diff --git a/voltha/requirements.yaml b/voltha/templates/api-svc.yaml
similarity index 66%
copy from voltha/requirements.yaml
copy to voltha/templates/api-svc.yaml
index a6e50db..04f8dea 100644
--- a/voltha/requirements.yaml
+++ b/voltha/templates/api-svc.yaml
@@ -11,14 +11,15 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
---
-dependencies:
- - name: kafka
- repository: https://kubernetes-charts-incubator.storage.googleapis.com
- version: 0.15.3
- condition: private_kafka_cluster
- - name: voltha-etcd-cluster
- repository: file://../voltha-etcd-cluster
- version: 2.2.0
- condition: private_etcd_cluster
+apiVersion: v1
+kind: Service
+metadata:
+ name: voltha-api
+spec:
+ ports:
+ - name: grpc
+ port: 55555
+ targetPort: 50057
+ selector:
+ app: rw-core
diff --git a/voltha/templates/rw-core.yaml b/voltha/templates/core-deploy.yaml
similarity index 79%
rename from voltha/templates/rw-core.yaml
rename to voltha/templates/core-deploy.yaml
index 3e71aa7..1a805ec 100644
--- a/voltha/templates/rw-core.yaml
+++ b/voltha/templates/core-deploy.yaml
@@ -13,57 +13,10 @@
# limitations under the License.
{{- $log_level := tpl .Values.rw_core.log_level . | upper }}
---
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-api
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- ports:
- - name: grpc
- port: 55555
- targetPort: 50057
- selector:
- app: rw-core
----
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-rw-core
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- clusterIP: None
- ports:
- - name: grpc
- port: 50057
- targetPort: 50057
- selector:
- app: rw-core
----
-{{- if .Values.profiler.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-rw-core-profiler
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- clusterIP: None
- ports:
- - name: rw-core-profiler
- port: 6060
- targetPort: 6060
- selector:
- app: rw-core
----
-{{- end }}
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: voltha-rw-core
- serviceAccountName: {{ .Values.serviceaccount }}
{{- if or (hasKey .Values "extra_deployment_labels") (hasKey .Values "rw_core_deployment_labels") }}
labels:
{{- if hasKey .Values "extra_deployment_labels" }}
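Review bot: The headless `voltha-rw-core` Service (port 50057) deleted at the top of this hunk is not re-created by any file in the part of the patch shown here, unlike `voltha-api` and `voltha-rw-core-profiler`, which move to api-svc.yaml and core-profile-svc.yaml. If any component still resolves `voltha-rw-core`, it would lose its endpoint after an upgrade. Either add a separate Service template for it or state in the commit message that it is dropped on purpose. The Deployment manifest continues outside this hunk.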
@@ -99,10 +52,13 @@
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
- annotations:
- cni: "calico"
spec:
- serviceAccountName: {{ .Values.serviceaccount }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
containers:
- name: voltha
image: '{{ tpl .Values.images.rw_core.registry . }}{{ tpl .Values.images.rw_core.repository . }}:{{ tpl .Values.images.rw_core.tag . }}'
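Review bot: With `serviceAccountName` removed from the pod spec and the chart's ServiceAccount deleted, these pods fall back to the namespace's `default` service account and still get its API token mounted. If rw-core no longer calls the Kubernetes API (the commit message says the RBAC config is no longer used), add `automountServiceAccountToken: false` next to the new `securityContext:` block. The pod-level block would also benefit from `runAsNonRoot: true`, so that a values override of `runAsUser: 0` is refused by the kubelet instead of quietly running as root. The same applies to the matching hunks in ofagent-go-deploy.yaml and ofagent-py-deploy.yaml; the Deployment starts and ends outside this hunk.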
@@ -142,6 +98,10 @@
ports:
- containerPort: 50057
name: grpc
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
livenessProbe:
httpGet:
path: /healthz
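Review bot: The container-level `securityContext` added here sets only `allowPrivilegeEscalation: false`, so the container still starts with the runtime's default capability set and a writable root filesystem. Add `capabilities:` with `drop: ["ALL"]` under it, and `readOnlyRootFilesystem: true` if rw-core writes nothing outside mounted volumes, which cannot be verified from this hunk. Because the block sits under `.Values.securityContext.enabled`, a single values override switches all of this off, and a comment in values.yaml saying so would help operators. The same block is added to ofagent-go-deploy.yaml and ofagent-py-deploy.yaml; the container spec starts and ends outside the hunk.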
diff --git a/voltha/requirements.yaml b/voltha/templates/core-profile-svc.yaml
similarity index 66%
rename from voltha/requirements.yaml
rename to voltha/templates/core-profile-svc.yaml
index a6e50db..967d4ab 100644
--- a/voltha/requirements.yaml
+++ b/voltha/templates/core-profile-svc.yaml
@@ -11,14 +11,18 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
+{{- if .Values.profiler.enabled }}
---
-dependencies:
- - name: kafka
- repository: https://kubernetes-charts-incubator.storage.googleapis.com
- version: 0.15.3
- condition: private_kafka_cluster
- - name: voltha-etcd-cluster
- repository: file://../voltha-etcd-cluster
- version: 2.2.0
- condition: private_etcd_cluster
+apiVersion: v1
+kind: Service
+metadata:
+ name: voltha-rw-core-profiler
+spec:
+ clusterIP: None
+ ports:
+ - name: rw-core-profiler
+ port: 6060
+ targetPort: 6060
+ selector:
+ app: rw-core
+{{- end }}
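Review bot: This Service makes the rw-core pprof port 6060 discoverable to any workload in the cluster whenever `profiler.enabled` is set, and nothing in the template says that Go's pprof handlers have no authentication of their own. Put a comment above the `{{- if .Values.profiler.enabled }}` line, for example `# pprof serves heap and goroutine dumps without authentication; enable only for debugging and restrict access with a NetworkPolicy`. The default of `profiler.enabled` is outside the lines shown, so confirm it ships as false. ofagent-go-profile-svc.yaml has the same gap.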
diff --git a/voltha/templates/ofagent-go.yaml b/voltha/templates/ofagent-go-deploy.yaml
similarity index 85%
rename from voltha/templates/ofagent-go.yaml
rename to voltha/templates/ofagent-go-deploy.yaml
index 324850d..a32e19a 100644
--- a/voltha/templates/ofagent-go.yaml
+++ b/voltha/templates/ofagent-go-deploy.yaml
@@ -1,4 +1,3 @@
-{{- if and (hasKey .Values "use_ofagent_go") .Values.use_ofagent_go }}
# Copyright 2020-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,30 +11,13 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
+{{- if .Values.use_ofagent_go }}
{{- $log_level := tpl .Values.ofagent.log_level . | upper }}
-{{- if .Values.profiler.enabled }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: voltha-of-agent-profiler
- serviceAccountName: {{ .Values.serviceaccount }}
-spec:
- serviceAccountName: {{ .Values.serviceaccount }}
- clusterIP: None
- ports:
- - name: ofagent-profiler
- port: 6060
- targetPort: 6060
- selector:
- app: ofagent
-{{- end }}
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: voltha-ofagent
- serviceAccountName: {{ .Values.serviceaccount }}
{{- if or (hasKey .Values "extra_deployment_labels") (hasKey .Values "ofagent_deployment_labels") }}
labels:
{{- if hasKey .Values "extra_deployment_labels" }}
@@ -71,11 +53,14 @@
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
- annotations:
- cni: "calico"
spec:
terminationGracePeriodSeconds: 10
- serviceAccountName: {{ .Values.serviceaccount }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
containers:
- name: ofagent
image: '{{ tpl .Values.images.ofagent_go.registry . }}{{ tpl .Values.images.ofagent_go.repository . }}:{{ tpl .Values.images.ofagent_go.tag . }}'
@@ -97,6 +82,10 @@
- "--kv_store_request_timeout=60s"
- "--log_level={{ $log_level }}"
- "--probe=:8080"
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
livenessProbe:
httpGet:
path: /healthz
diff --git a/voltha/requirements.yaml b/voltha/templates/ofagent-go-profile-svc.yaml
similarity index 60%
copy from voltha/requirements.yaml
copy to voltha/templates/ofagent-go-profile-svc.yaml
index a6e50db..0bcbb93 100644
--- a/voltha/requirements.yaml
+++ b/voltha/templates/ofagent-go-profile-svc.yaml
@@ -1,4 +1,4 @@
-# Copyright 2019-present Open Networking Foundation
+# Copyright 2020-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -11,14 +11,18 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
+{{- if and .Values.use_ofagent_go .Values.profiler.enabled }}
---
-dependencies:
- - name: kafka
- repository: https://kubernetes-charts-incubator.storage.googleapis.com
- version: 0.15.3
- condition: private_kafka_cluster
- - name: voltha-etcd-cluster
- repository: file://../voltha-etcd-cluster
- version: 2.2.0
- condition: private_etcd_cluster
+apiVersion: v1
+kind: Service
+metadata:
+ name: voltha-of-agent-profiler
+spec:
+ clusterIP: None
+ ports:
+ - name: ofagent-profiler
+ port: 6060
+ targetPort: 6060
+ selector:
+ app: ofagent
+{{- end }}
diff --git a/voltha/templates/ofagent-py.yaml b/voltha/templates/ofagent-py-deploy.yaml
similarity index 86%
rename from voltha/templates/ofagent-py.yaml
rename to voltha/templates/ofagent-py-deploy.yaml
index 711c4d6..1372c18 100644
--- a/voltha/templates/ofagent-py.yaml
+++ b/voltha/templates/ofagent-py-deploy.yaml
@@ -1,4 +1,3 @@
-{{- if not (and (hasKey .Values "use_ofagent_go") .Values.use_ofagent_go) }}
# Copyright 2019-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,13 +11,12 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
+{{- if not .Values.use_ofagent_go }}
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: voltha-ofagent
- serviceAccountName: {{ .Values.serviceaccount }}
{{- if or (hasKey .Values "extra_deployment_labels") (hasKey .Values "ofagent_deployment_labels") }}
labels:
{{- if hasKey .Values "extra_deployment_labels" }}
@@ -54,11 +52,14 @@
{{ $key }}: {{ $val | quote }}
{{- end }}
{{- end }}
- annotations:
- cni: "calico"
spec:
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- end }}
terminationGracePeriodSeconds: 10
- serviceAccountName: {{ .Values.serviceaccount }}
containers:
- name: ofagent
image: '{{ tpl .Values.images.ofagent_py.registry . }}{{ tpl .Values.images.ofagent_py.repository . }}:{{ tpl .Values.images.ofagent_py.tag . }}'
@@ -72,6 +73,10 @@
{{- end }}
- "--grpc-endpoint=voltha-api.{{ .Release.Namespace }}.svc.cluster.local:55555"
- "--probe=:8080"
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
livenessProbe:
httpGet:
path: /healthz
diff --git a/voltha/values.yaml b/voltha/values.yaml
index 4a84637..ed99cbf 100644
--- a/voltha/values.yaml
+++ b/voltha/values.yaml
@@ -13,9 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-serviceaccount: voltha-serviceaccount
-private_etcd_cluster: true
-private_kafka_cluster: true
use_ofagent_go: true
# Default Values
@@ -30,40 +27,30 @@
rw_core:
timeout: "8000"
-# Configure the Kafka sub-chart (if it is used)
-kafka:
- configurationOverrides:
- # Increase replication factor along with Replicas for HA
- "default.replication.factor": 1
- "offsets.topic.replication.factor": 1
- "log.retention.hours": 4
- "log.message.timestamp.type": "LogAppendTime"
- persistence:
- enabled: false
- zookeeper:
- replicaCount: 1
- persistence:
- enabled: false
- replicas: 1
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+ runAsGroup: 1001
# Define connectivity to services on which VOLTHA depends
services:
kafka:
adapter:
- service: voltha-kafka.voltha.svc.cluster.local
+ service: kafka
port: 9092
cluster:
- service: voltha-kafka.voltha.svc.cluster.local
+ service: kafka
port: 9092
# Define connectivity to etcd
etcd:
- service: voltha-etcd-cluster-client.voltha.svc.cluster.local
+ service: etcd
port: 2379
# Define the list of controllers to connect to
controller:
- - service: onos-openflow.default.svc.cluster.local
+ - service: onos-openflow
port: 6653
# Expose the golang pprof webserver, if enabled
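Review bot: The new defaults `kafka`, `etcd` and `onos-openflow` are short names, so they resolve through the pod's DNS search path in the release namespace, whereas the old values pinned the `voltha` and `default` namespaces. An install where those services live elsewhere will fail to resolve them or, if a Service of the same name exists in the release namespace, connect to that one instead. Add a comment above `services:` such as `# Short names resolve in the release namespace; give a fully qualified name for services in another namespace`. The new `securityContext:` block also has no comment, unlike its neighbours.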
@@ -79,7 +66,6 @@
# For everything else replicas are replicas
ofagent: 1
-
rw_core:
log_level: '{{ .Values.defaults.log_level }}'
core_timeout: '{{ .Values.defaults.rw_core.timeout }}'