diff --git a/deployment/helm/README.md b/deployment/helm/README.md index ed5ca8a3..75a817fd 100644 --- a/deployment/helm/README.md +++ b/deployment/helm/README.md 
@@ -1,16 +1,44 @@ # EdgeX Foundry on Kubernetes A [Helm](https://helm.sh/) chart to easily deploy the EdgeX IoT project on Kubernetes. -Based on EdgeX [Jakarta](https://github.com/edgexfoundry/edgex-compose/tree/kamakura) version. +Based on EdgeX [Minnesota](https://github.com/edgexfoundry/edgex-compose/tree/minnesota) version. + +The helm chart is based on the secure and non-secure versions of the +[EdgeX Docker deployment scripts](https://github.com/edgexfoundry/edgex-compose/). +This helm chart can be used as a starting point for your own EdgeX deployment. + ## Prerequisites -- Kubernetes cluster 1.10+ +- Kubernetes cluster 1.24+ - [Helm](https://helm.sh/) 3.7.0+ -## Installation +Before starting, make sure you have curl and openssl installed locally. +These tools are needed to generate TLS assets and test the configuration. + +These instructions also assume that your Kubernetes cluster has an installed +ingress controller and an installed load balancer. +The examples were built with a stock Ngnix ingress controller, +and a MetalLB load balancer (with an assigned IP of 192.168.122.200). +Adaptations may be needed if your cluster uses something different. + +To install the Nginx ingress controller, +follow the instructions at + + +To install MetalLB, +follow the instructions at + + +The example also arbitrarily configures the ingress route to +respond to the hostname `edgex` +(which should be passed in using the TLS Server Name Identification (SNI) feature). +This can also be customized as well using the `edgex.security.tlsHost` setting. + -Install the EdgeX helm chart with a release name edgex-kamakura +## Quick-start Installation + +Install the EdgeX helm chart with a release name edgex-minnesota You can install the helm chart 1 of 2 ways. 1. Install the chart from by cloning the edgex-examples repository 
@@ -22,7 +50,7 @@ $ git clone https://github.com/edgexfoundry/edgex-examples.git $ cd edgex-examples $ cd deployment/helm $ kubectl create namespace edgex -$ helm install edgex-kamakura -n edgex . +$ helm install edgex-minnesota -n edgex . ``` **If you are only interested in installing the helm chart as a standalone:** @@ -40,12 +68,12 @@ $ helm install edgex-kamakura -n edgex . If you're using a Linux variant, you can use the copied URL to download the file from your terminal ```console -curl -o edgex-examples-heml.tar.gz +curl -o edgex-examples-helm.tar.gz ``` You will then need to unpack the tar zipped file: ```console -tar -xvf edgex-examples-heml.tar.gz +tar -xvf edgex-examples-helm.tar.gz ``` You will see output similar to: ![image](https://user-images.githubusercontent.com/8902109/174187588-910e9ee7-c8e2-4083-a7c3-d2614385c42c.png) @@ -55,12 +83,12 @@ You can now change to the unzipped directory and install the helm chart. ```console cd helm kubectl create namespace edgex -helm install edgex-kamakura -n edgex . +helm install edgex-minnesota -n edgex . ``` ## Uninstallation ```bash -helm uninstall edgex-kamakura -n edgex +helm uninstall edgex-minnesota -n edgex ``` ## Test EdgeX @@ -69,13 +97,13 @@ EdgeX on kubernetes using NodePort type to expose services by default. You can u The ping command format: ```bash -http://:/api/v2/ping +http://:/api/v3/ping ``` For example, the edgex-core-data ping command format: ```bash -curl http://localhost:59880/api/v2/ping +curl http://localhost:59880/api/v3/ping ``` 
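Review bot: In the new prerequisites text of the first README hunk, "TLS Server Name Identification (SNI)" expands the acronym incorrectly; SNI is Server Name Indication (RFC 6066), and since the same sentence tells users what to pass in `--resolve`/SNI, the name should be right. The same hunk carries the typo "stock Ngnix ingress controller" (Nginx), the redundant "This can also be customized as well", and the unchanged context line "1. Install the chart from by cloning the edgex-examples repository" could be fixed while the section is being rewritten ("Install the chart by cloning ...").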
@@ -85,70 +113,67 @@ With a modern browser, navigate to http://\:30400. Use details see [EdgeX UI doc](https://github.com/edgexfoundry/edgex-ui-go) -## Tips -- This project is based on [docker-compose-no-secty.yml](https://github.com/edgexfoundry/edgex-compose/blob/kamakura/docker-compose-no-secty.yml), -you can implement your customized version based on this. -- Since the EdgeX pods communicates with each other through the kubernetes service name, make sure the kubernetes DNS is enabled. -- Since other EdgeX services need to rely on consul to obtain configuration or register themselves to consul, other services cannot run normally until consul starts successfully. -- Unlike the docker-compose files for this release (which use a separate Docker volume container), the manifest files mount host based volumes as follows: +## Helm Chart User's Guide -1、edgex-core-consul's /consul/config directory is mapped to the host's /mnt/edgex-consul-config directory. +This section will cover some of the features of the Helm chart, +so that it may be properly configured. -2、edgex-core-consul's /consul/data directory is mapped to the host's /mnt/edgex-consul-data directory. -3、edgex-db's /data/db directory is mapped to the host's /mnt/edgex-db directory. +### Creating Docker Image Pull Secrets -4、edgex-kuiper's /kuiper/data directory is mapped to the host's /mnt/edgex-kuiper-data directory. +The helm chart pulls a number of standard Docker images from Docker Hub. +This may cause Docker pull limits to be exceeded. +If you have a Docker hub account, +you may create a Docker image pull secrets that allows for more generous pull limits. -- NodePort is enabled by default. According to default NodePort range(30000~32767), EdgeX NodePort mappings are as follows. 
+To create a Docker image pull secret, create the Kubernetes namespace for EdgeX, +and run the following command: -| EdgeX Service Name | Exposed Port -| :-------------------------- | ------------- -| edgex-core-data | 59880 -| edgex-core-metadata | 59881 -| edgex-core-command | 59882 -| edgex-support-notifications | 59860 -| edgex-support-scheduler | 59861 -| edgex-app-rules-engine | 59701 -| edgex-kuiper | 59720 -| edgex-device-rest | 59986 -| edgex-device-virtual | 59900 -| edgex-ui | 4000 -| edgex-redis | Not Exposed -| edgex-core-consul | 8500 +```shell +$ kubectl create namespace edgex +$ kubectl create secret docker-registry dockerhub --namespace --docker-server=https://index.docker.io/v1/ --docker-username= --docker-password= --docker-email= +``` -## Enabling security features +On the `helm` command-line, specify the secrets to be used for pull secrets, for example: `--set imagePullSecrets="{ dockerhub }"`. -The helm chart uses an Kubernetes ingress controller in lieu of a Kong API gateway. -The ingress routes are configured to require client-side TLS authentication, -which replaces the Kong JWT authentication method. -### Prerequisites +### Volumes -Before starting, make sure you have curl and openssl installed locally. -These tools are need to generate TLS assets and test the configuration. +The default value of `edgex.storage.useHostPath` is `true`. +This setting causes EdgeX data volumes to be created under `/mnt` on the host file system, +which is a reasonable choice for a single-node Kubernetes deployment only. +For all other scenarios, set `edgex.storage.useHostPath` to `false`, +and configure the following settings: -These instructions also assume that your Kubernetes cluster has an installed -ingress controller and an installed load balancer. -The examples were built with a stock Ngnix ingress controller, -and a MetalLB load balancer (with an assigned IP of 192.168.122.200). -Adaptations may be needed if your cluster uses something different. 
+```yaml +edgex: + storage: + useHostPath: false + nonSharedVolumesClassName: "TBD" + nonSharedVolumesAccessMode: "ReadWriteOnce" + sharedVolumesClassName: "TBD" + sharedVolumesAccessMode: "ReadWriteMany" +``` -To install the Nginx ingress controller, -follow the instructions at - +The EdgeX helm char has been tested with both `ReadWriteOnce` and `ReadWriteMany` for both types of volumes, +and has been compatibility tested with Rook-Ceph, OpenEBS, and the Rancher LocalPath provisioner. -To install MetalLB, -follow the instructions at - -The example also arbitrarily configures the ingress route to -respond to the hostname `edgex` -(which should be passed using the TLS Server Name Identification (SNI) feature). -This can also be customized as well using the `edgex.security.tlsHost` setting. +### Enabling Security Features + +The default value of `edgex.security.enabled` is `false`. This may change in the future. + +Setting `edgex.security.enabled` to `true` during installation (recommended) +will enable microservice-level authentication +for EdgeX peer-to-peer communcation +as well authentication to Redis, Consul, and the MQTT broker, if used. -### Installation with security features +In lieu of a standalone API gateway used by the snap- and docker-based EdgeX deployments, +the security-enabled helm chart is coded against a standard Kubernetes NGINX-based ingress controller, +and ingress routes are configured to require client-side TLS authentication. + +#### Configuring Ingress TLS Run the following two scripts to generate key material and install it into the cluster. 
@@ -165,28 +190,143 @@ and a client-side TLS certificate for the curl client to present to the server. To install with security features enabled, set the `edgex.security.enabled` flag to `true` during installation. -If necessary, uninstall the non-security one first. +If EdgeX was previously installed on security disabled, uninstall the non-security one first. The helm chart is not coded to allow for dynamic switching in and out of secure mode. ```sh -helm install edgex-kamakura --set edgex.security.enabled=true -n edgex . +helm install edgex-minnesota --set edgex.security.enabled=true -n edgex . +``` + +#### Creating an Authentication JWT in Kubernetes + +The following job is included at the root of the helm chart as `create-proxy-user-job.yaml`. +In this example, `edgexuser` should be replaced with a username of your own choosing, +and the `image` should be updated to an appropriate release image, +such as `edgexfoundry/security-proxy-setup:3.0.0`. + +```yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: security-proxy-setup +spec: + template: + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + org.edgexfoundry.service: edgex-security-secretstore-setup + topologyKey: "kubernetes.io/hostname" + imagePullSecrets: + - name: dockerhub + automountServiceAccountToken: false + containers: + - name: security-proxy-setup + image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest + imagePullPolicy: Always + command: ["/edgex-init/ready_to_run_wait_install.sh"] + args: ["/edgex/secrets-config", "proxy", "adduser", "--user", "edgexuser", "--useRootToken"] + envFrom: + - configMapRef: + name: edgex-common-variables + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /edgex-init + name: edgex-init + - mountPath: /vault/config + name: vault-config + - mountPath: /tmp/edgex/secrets + name: edgex-secrets + restartPolicy: Never + 
securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + volumes: + - name: edgex-init + persistentVolumeClaim: + claimName: edgex-init + - name: vault-config + persistentVolumeClaim: + claimName: vault-config + - name: edgex-secrets + persistentVolumeClaim: + claimName: edgex-secrets +``` + + +To get a credential, first run the job and inspect the output: + +```shell + $ kubectl apply -f create-proxy-user.job.yaml + $ kubectl get pods + $ kubectl logs security-proxy-setup-m78g + {"username":"edgexuser","password":"dZ4SX...redacted...fOT"} ``` +After the passwords is saved away, be sure to delete the completed job: + +```shell +$ kubectl delete job security-proxy-setup +``` + +Next, create a script to obtain a secret store token and run it: + +```shell +username=edgexuser +password="dZ4SX...redacted...fOT" +vault_token=$(curl -s --resolve edgex:443:192.168.122.200 --cacert server-ca.pem --cert client.pem --key client.key -X POST -H "Content-Type: application/json" "https://edgex/vault/v1/auth/userpass/login/${username}" -d "{\"password\":\"${password}\"}" | jq -r '.auth.client_token') +id_token=$(curl -s --resolve edgex:443:192.168.122.200 --cacert server-ca.pem --cert client.pem --key client.key -H "Authorization: Bearer ${vault_token}" "https://edgex/vault/v1/identity/oidc/token/${username}" | jq -r '.data.token') +echo "${id_token}" +``` + +The output will be a JWT of the form: +``` +eyJ.redacted.redacted +``` + +### Sending a Test Request via Ingress + Finally, test with `curl`. Note the use of the special options to enable SNI, client-side certificates, and server-side certificate validation. Replace `` below with the external IP that is servicing the Kubernetes ingress controller. +Use the `$id_token` above to authenticate at the microservice layer. 
```sh -curl -iv --resolve edgex:443: --cacert server-ca.pem --cert client.pem --key client.key "https://edgex/core-data/api/v2/ping" +curl -iv --resolve edgex:443: --cacert server-ca.pem --cert client.pem --key client.key -H"Authorization: Bearer ${id_token}" "https://edgex/core-data/api/v3/version" ``` +If everything was done correctly, the output will look like: + ```text ... a bunch of diagnostics ... * Connection #0 to host edgex left intact -{"apiVersion":"v2","timestamp":"Wed Feb 2 18:32:57 UTC 2022"} +{"apiVersion":"v3","version":"3.0.0-dev.137","serviceName":"core-data"} +``` + + +### Configuring Port Bindings + +The helm chart exposes EdgeX services as `ClusterIP` services by default. +This can be changed by the `expose.type.<...>` settings on a per-service basis. +Since the security flag enables the ingress rules for EdgeX microservices by default, +it is unlikely that directly exposing an EdgeX service on its own port will be necessary. + +The feature `edgex.features.enableHostPort` is set to `false` by default. +If enabled, EdgeX services behave as the do on the snap- and docker-based implementations: +the map service ports to localhost or the external network interface, +as specified in the hostPortXXXBind settings: + +```yaml +hostPortInternalBind: 127.0.0.1 +hostPortExternalBind: 0.0.0.0 ``` diff --git a/deployment/helm/create-proxy-user.job.yaml b/deployment/helm/create-proxy-user.job.yaml new file mode 100644 index 00000000..c7eff8b4 --- /dev/null +++ b/deployment/helm/create-proxy-user.job.yaml 
@@ -0,0 +1,51 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: security-proxy-setup +spec: + template: + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + org.edgexfoundry.service: edgex-security-secretstore-setup + topologyKey: "kubernetes.io/hostname" + imagePullSecrets: + - name: dockerhub + automountServiceAccountToken: false + containers: + - name: security-proxy-setup + image: nexus3.edgexfoundry.org:10004/security-proxy-setup:latest + imagePullPolicy: Always + command: ["/edgex-init/ready_to_run_wait_install.sh"] + args: ["/edgex/secrets-config", "proxy", "adduser", "--user", "edgexuser", "--useRootToken"] + envFrom: + - configMapRef: + name: edgex-common-variables + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /edgex-init + name: edgex-init + - mountPath: /vault/config + name: vault-config + - mountPath: /tmp/edgex/secrets + name: edgex-secrets + restartPolicy: Never + securityContext: + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + volumes: + - name: edgex-init + persistentVolumeClaim: + claimName: edgex-init + - name: vault-config + persistentVolumeClaim: + claimName: vault-config + - name: edgex-secrets + persistentVolumeClaim: + claimName: edgex-secrets diff --git a/deployment/helm/development-images-values-x86_64.yaml b/deployment/helm/development-images-values-x86_64.yaml new file mode 100644 index 00000000..2cef2054 --- /dev/null +++ b/deployment/helm/development-images-values-x86_64.yaml 
@@ -0,0 +1,146 @@ +edgex: + image: + core: + common_config: + repository: nexus3.edgexfoundry.org:10004/core-common-config-bootstrapper + tag: latest + pullPolicy: Always + command: + repository: nexus3.edgexfoundry.org:10004/core-command + tag: latest + pullPolicy: Always + data: + repository: nexus3.edgexfoundry.org:10004/core-data + tag: latest + pullPolicy: Always + metadata: + repository: nexus3.edgexfoundry.org:10004/core-metadata + tag: latest + pullPolicy: Always + support: + notifications: + repository: nexus3.edgexfoundry.org:10004/support-notifications + tag: latest + pullPolicy: Always + scheduler: + repository: nexus3.edgexfoundry.org:10004/support-scheduler + tag: latest + pullPolicy: Always + appservice: + rules: + repository: nexus3.edgexfoundry.org:10004/app-service-configurable + tag: latest + pullPolicy: Always + appsample: + repository: nexus3.edgexfoundry.org:10004/app-service-configurable + tag: latest + pullPolicy: Always + metricsinfluxdb: + repository: nexus3.edgexfoundry.org:10004/app-service-configurable + tag: latest + pullPolicy: Always + rfidllrpinventory: + repository: nexus3.edgexfoundry.org:10004/app-rfid-llrp-inventory + tag: latest + pullPolicy: Always + mqttexport: + repository: nexus3.edgexfoundry.org:10004/app-service-configurable + tag: latest + pullPolicy: Always + httpexport: + repository: nexus3.edgexfoundry.org:10004/app-service-configurable + tag: latest + pullPolicy: Always + externalmqtttrigger: + repository: nexus3.edgexfoundry.org:10004/app-service-configurable + tag: latest + pullPolicy: Always + device: + virtual: + repository: nexus3.edgexfoundry.org:10004/device-virtual + tag: latest + pullPolicy: Always + rest: + repository: nexus3.edgexfoundry.org:10004/device-rest + tag: latest + pullPolicy: Always + onvifcamera: + repository: nexus3.edgexfoundry.org:10004/device-onvif-camera + tag: latest + pullPolicy: Always + usbcamera: + repository: nexus3.edgexfoundry.org:10004/device-usb-camera + tag: latest + pullPolicy: 
Always + mqtt: + repository: nexus3.edgexfoundry.org:10004/device-mqtt + tag: latest + pullPolicy: Always + modbus: + repository: nexus3.edgexfoundry.org:10004/device-modbus + tag: latest + pullPolicy: Always + bacnet: + repository: nexus3.edgexfoundry.org:10004/device-bacnet + tag: latest + pullPolicy: Always + coap: + repository: nexus3.edgexfoundry.org:10004/device-coap + tag: latest + pullPolicy: Always + snmp: + repository: nexus3.edgexfoundry.org:10004/device-snmp + tag: latest + pullPolicy: Always + rfidllrp: + repository: nexus3.edgexfoundry.org:10004/device-rfid-llrp + tag: latest + pullPolicy: Always + gpio: + repository: nexus3.edgexfoundry.org:10004/device-gpio + tag: latest + pullPolicy: Always + ui: + repository: nexus3.edgexfoundry.org:10004/edgex-ui + tag: latest + pullPolicy: Always + consul: + repository: hashicorp/consul + tag: "1.15" + pullPolicy: Always + redis: + repository: redis + tag: "7.0-alpine" + pullPolicy: Always + ekuiper: + repository: lfedge/ekuiper + tag: "1.7-alpine" + pullPolicy: Always + vault: + repository: hashicorp/vault + tag: "1.13" + pullPolicy: Always + bootstrapper: + repository: nexus3.edgexfoundry.org:10004/security-bootstrapper + tag: latest + pullPolicy: Always + proxysetup: + repository: nexus3.edgexfoundry.org:10004/security-proxy-setup + tag: "latest" + pullPolicy: Always + secretstoresetup: + repository: nexus3.edgexfoundry.org:10004/security-secretstore-setup + tag: latest + pullPolicy: Always + modbussimulator: + repository: nexus3.edgexfoundry.org:10003/edgex-devops/edgex-modbus-simulator + tag: "latest" + pullPolicy: Always + mqttbroker: + repository: eclipse-mosquitto + tag: "2.0" + pullPolicy: Always + natsserver: + repository: nats + tag: "2.9-alpine" + pullPolicy: Always diff --git a/deployment/helm/openssl.conf b/deployment/helm/openssl.conf index 723c2561..98513886 100644 --- a/deployment/helm/openssl.conf +++ b/deployment/helm/openssl.conf 
@@ -16,11 +16,17 @@ basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, keyAgreement, keyEncipherment extendedKeyUsage = serverAuth subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always +authorityKeyIdentifier = keyid:always [ client_ext ] basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, keyAgreement extendedKeyUsage = clientAuth subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer:always +authorityKeyIdentifier = keyid:always + +[edgex_san] +subjectAltName = @alt_names_edgex + +[alt_names_edgex] +DNS.1 = edgex diff --git a/deployment/helm/release-images-values-x86_64.yaml b/deployment/helm/release-images-values-x86_64.yaml new file mode 100644 index 00000000..120564ad --- /dev/null +++ b/deployment/helm/release-images-values-x86_64.yaml 
@@ -0,0 +1,146 @@ +edgex: + image: + core: + common_config: + repository: edgexfoundry/core-common-config-bootstrapper + tag: "3.0.0" + pullPolicy: IfNotPresent + command: + repository: edgexfoundry/core-command + tag: "3.0.0" + pullPolicy: IfNotPresent + data: + repository: edgexfoundry/core-data + tag: "3.0.0" + pullPolicy: IfNotPresent + metadata: + repository: edgexfoundry/core-metadata + tag: "3.0.0" + pullPolicy: IfNotPresent + support: + notifications: + repository: edgexfoundry/support-notifications + tag: "3.0.0" + pullPolicy: IfNotPresent + scheduler: + repository: edgexfoundry/support-scheduler + tag: "3.0.0" + pullPolicy: IfNotPresent + appservice: + rules: + repository: edgexfoundry/app-service-configurable + tag: "3.0.0" + pullPolicy: IfNotPresent + appsample: + repository: edgexfoundry/app-service-configurable + tag: "3.0.0" + pullPolicy: IfNotPresent + metricsinfluxdb: + repository: edgexfoundry/app-service-configurable + tag: "3.0.0" + pullPolicy: IfNotPresent + rfidllrpinventory: + repository: edgexfoundry/app-rfid-llrp-inventory + tag: "3.0.0" + pullPolicy: IfNotPresent + mqttexport: + repository: edgexfoundry/app-service-configurable + tag: "3.0.0" + pullPolicy: IfNotPresent + httpexport: + repository: edgexfoundry/app-service-configurable + tag: "3.0.0" + pullPolicy: IfNotPresent + externalmqtttrigger: + repository: edgexfoundry/app-service-configurable + tag: "3.0.0" + pullPolicy: IfNotPresent + device: + virtual: + repository: edgexfoundry/device-virtual + tag: "3.0.0" + pullPolicy: IfNotPresent + rest: + repository: edgexfoundry/device-rest + tag: "3.0.0" + pullPolicy: IfNotPresent + onvifcamera: + repository: edgexfoundry/device-onvif-camera + tag: "3.0.0" + pullPolicy: IfNotPresent + usbcamera: + repository: edgexfoundry/device-usb-camera + tag: "3.0.0" + pullPolicy: IfNotPresent + mqtt: + repository: edgexfoundry/device-mqtt + tag: "3.0.0" + pullPolicy: IfNotPresent + modbus: + repository: edgexfoundry/device-modbus + tag: "3.0.0" + 
pullPolicy: IfNotPresent + bacnet: + repository: edgexfoundry/device-bacnet + tag: "3.0.0" + pullPolicy: IfNotPresent + coap: + repository: edgexfoundry/device-coap + tag: "3.0.0" + pullPolicy: IfNotPresent + snmp: + repository: edgexfoundry/device-snmp + tag: "3.0.0" + pullPolicy: IfNotPresent + rfidllrp: + repository: edgexfoundry/device-rfid-llrp + tag: "3.0.0" + pullPolicy: IfNotPresent + gpio: + repository: edgexfoundry/device-gpio + tag: "3.0.0" + pullPolicy: IfNotPresent + ui: + repository: edgexfoundry/edgex-ui + tag: "3.0.0" + pullPolicy: IfNotPresent + consul: + repository: hashicorp/consul + tag: "1.15.2" + pullPolicy: IfNotPresent + redis: + repository: redis + tag: "7.0.5-alpine" + pullPolicy: IfNotPresent + ekuiper: + repository: lfedge/ekuiper + tag: "1.7.1-alpine" + pullPolicy: IfNotPresent + vault: + repository: hashicorp/vault + tag: "1.13.1" + pullPolicy: IfNotPresent + bootstrapper: + repository: edgexfoundry/security-bootstrapper + tag: "3.0.0" + pullPolicy: IfNotPresent + proxysetup: + repository: edgexfoundry/security-proxy-setup + tag: "3.0.0" + pullPolicy: IfNotPresent + secretstoresetup: + repository: edgexfoundry/security-secretstore-setup + tag: "3.0.0" + pullPolicy: IfNotPresent + modbussimulator: + repository: nexus3.edgexfoundry.org:10003/edgex-devops/edgex-modbus-simulator + tag: "latest" + pullPolicy: IfNotPresent + mqttbroker: + repository: eclipse-mosquitto + tag: "2.0" + pullPolicy: IfNotPresent + natsserver: + repository: nats + tag: "2.9.3-alpine" + pullPolicy: IfNotPresent diff --git a/deployment/helm/templates/NOTES.txt b/deployment/helm/templates/NOTES.txt index 3bfe5bf3..53c46e42 100644 --- a/deployment/helm/templates/NOTES.txt +++ b/deployment/helm/templates/NOTES.txt 
@@ -1,29 +1,2 @@ -# Copyright (C) 2022 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 -# Please wait for several minutes for EdgeX deployment to complete. -Then you should be able to visit the EdgeX. - -Ping edgex-core-data -curl http://localhost:{{ int .Values.edgex.port.core.data}}/api/v2/ping -Ping edgex-core-metadata -curl http://localhost:{{ int .Values.edgex.port.core.metadata}}/api/v2/ping -Ping edgex-core-command -curl http://localhost:{{ int .Values.edgex.port.core.command}}/api/v2/ping -Ping edgex-support-notifications -curl http://localhost:{{ int .Values.edgex.port.support.notifications}}/api/v2/ping -Ping edgex-support-scheduler -curl http://localhost:{{ int .Values.edgex.port.support.scheduler}}/api/v2/ping -Ping edgex-support-ruleengine -curl http://localhost:{{ int .Values.edgex.port.support.scheduler}}/ -Ping edgex-device-rest -curl http://localhost:{{ int .Values.edgex.port.device.rest}}/api/v2/ping -Ping edgex-device-virtual -curl http://localhost:{{ int .Values.edgex.port.device.virtual}}/api/v2/ping -Ping edgex-appservice-rules -curl http://localhost:{{ int .Values.edgex.port.appservice.rules}}/api/v2/ping -Ping edgex-system -curl http://localhost:{{ int .Values.edgex.port.system}}/api/v2/ping -Ping edgex-ui -curl http://localhost:{{ int .Values.edgex.port.ui}}/ \ No newline at end of file +Consult README.md for usage instructions. diff --git a/deployment/helm/templates/configmaps/as-common-configmap.yaml b/deployment/helm/templates/configmaps/as-common-configmap.yaml deleted file mode 100644 index 7b38ab60..00000000 --- a/deployment/helm/templates/configmaps/as-common-configmap.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: as-common-variables -data: - DATABASE_HOST: edgex-redis - {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST: edgex-redis - TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST: edgex-redis - {{- end}} 
diff --git a/deployment/helm/templates/configmaps/device-common-configmap.yaml b/deployment/helm/templates/configmaps/device-common-configmap.yaml deleted file mode 100644 index 8448593a..00000000 --- a/deployment/helm/templates/configmaps/device-common-configmap.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: device-common-variables -data: - {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - MESSAGEQUEUE_HOST: edgex-redis - {{- end}} diff --git a/deployment/helm/templates/configmaps/edgex-configmap.yaml b/deployment/helm/templates/configmaps/edgex-configmap.yaml index 2281aa02..a0f28182 100644 --- a/deployment/helm/templates/configmaps/edgex-configmap.yaml +++ b/deployment/helm/templates/configmaps/edgex-configmap.yaml 
@@ -7,42 +7,24 @@ kind: ConfigMap metadata: name: edgex-common-variables data: - CLIENTS_CORE_DATA_HOST: {{.Values.edgex.app.core.data}} - CLIENTS_CORE_METADATA_HOST: {{.Values.edgex.app.core.metadata}} - CLIENTS_CORE_COMMAND_HOST: {{.Values.edgex.app.core.command}} - CLIENTS_SUPPORT_NOTIFICATIONS_HOST: {{.Values.edgex.app.support.notifications}} - CLIENTS_SUPPORT_SCHEDULER_HOST: {{.Values.edgex.app.support.scheduler}} - REGISTRY_HOST: {{.Values.edgex.app.consul}} - DATABASES_PRIMARY_HOST: {{.Values.edgex.app.redis}} -{{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - MESSAGEQUEUE_HOST: {{.Values.edgex.app.redis}} -{{- end}} {{- if .Values.edgex.security.enabled }} EDGEX_SECURITY_SECRET_STORE: "true" SECRETSTORE_HOST: edgex-vault - SECRETSTORE_PORT: "8200" - DEFAULT_EDGEX_RUN_CMD_PARMS: "-cp=consul.http://edgex-core-consul:8500 --registry --confdir=/res" - # stagegate - STAGEGATE_WAITFOR_TIMEOUT: 60s - STAGEGATE_BOOTSTRAPPER_HOST: {{.Values.edgex.app.bootstrapper}} + STAGEGATE_WAITFOR_TIMEOUT: "60s" + STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321" STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322" - # this is intended to be the same as Database.Primary.Host/.Port for other services - STAGEGATE_DATABASE_HOST: {{.Values.edgex.app.redis}} + # this is intended to be the same as Database.Host/.Port for other services + STAGEGATE_DATABASE_HOST: edgex-redis STAGEGATE_DATABASE_PORT: "6379" STAGEGATE_DATABASE_READYPORT: "6379" # this is intended to be the same as Registry.Host/.Port for other services - STAGEGATE_REGISTRY_HOST: {{.Values.edgex.app.consul}} + STAGEGATE_REGISTRY_HOST: edgex-core-consul STAGEGATE_REGISTRY_PORT: "8500" STAGEGATE_REGISTRY_READYPORT: "54324" - STAGEGATE_KONGDB_HOST: edgex-kong-db - STAGEGATE_KONGDB_PORT: "5432" - STAGEGATE_KONGDB_READYPORT: "54325" STAGEGATE_READY_TORUNPORT: "54329" PROXY_SETUP_HOST: 
edgex-security-proxy-setup - API_GATEWAY_HOST: edgex-kong - API_GATEWAY_STATUS_PORT: "8100" {{- else }} EDGEX_SECURITY_SECRET_STORE: "false" {{- end }} diff --git a/deployment/helm/templates/dummy-postgres/dummy-postgres-deployment.yaml b/deployment/helm/templates/dummy-postgres/dummy-postgres-deployment.yaml deleted file mode 100644 index 5045bc98..00000000 --- a/deployment/helm/templates/dummy-postgres/dummy-postgres-deployment.yaml +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright (C) 2022 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 -# -{{- if .Values.edgex.security.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - org.edgexfoundry.service: edgex-kong-db - name: edgex-kong-db -spec: - replicas: 1 - selector: - matchLabels: - org.edgexfoundry.service: edgex-kong-db - strategy: - type: Recreate - template: - metadata: - labels: - org.edgexfoundry.service: edgex-kong-db - spec: - terminationGracePeriodSeconds: 60 - containers: - - name: default-http-backend - # Any image is permissible as long as: - # 1. It serves a 404 page at / - # 2. It serves 200 on a /healthz endpoint - image: gcr.io/google_containers/defaultbackend:1.4 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 5 - ports: - - containerPort: 8080 - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi -{{- end }} diff --git a/deployment/helm/templates/dummy-postgres/dummy-postgres-service.yaml b/deployment/helm/templates/dummy-postgres/dummy-postgres-service.yaml deleted file mode 100644 index 07c133dd..00000000 --- a/deployment/helm/templates/dummy-postgres/dummy-postgres-service.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# Copyright (C) 2022 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 -# -{{- if .Values.edgex.security.enabled }} -apiVersion: v1 -kind: Service -metadata: - labels: - org.edgexfoundry.service: edgex-kong-db - name: edgex-kong-db -spec: - ports: - - name: "dummy-psql" - port: 5432 - targetPort: 8080 - - name: "ready" - port: {{.Values.edgex.bootstrap.port.kongdbready}} - targetPort: 8080 - selector: - org.edgexfoundry.service: edgex-kong-db - type: ClusterIP -{{- end }} diff --git a/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-deployment.yaml b/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-deployment.yaml index 5afc7965..c8b3f6c4 100644 --- a/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-deployment.yaml +++ b/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-deployment.yaml @@ -28,6 +28,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.appservice.externalmqtttrigger}} @@ -35,7 +41,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.appservice.externalmqtttrigger.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.appservice.externalmqtttrigger}} 
@@ -54,36 +60,26 @@ spec: value: "external-mqtt-trigger" - name: SERVICE_HOST value: {{.Values.edgex.app.appservice.externalmqtttrigger}} + - name: TRIGGER_EXTERNALMQTT_URL + value: "{{.Values.edgex.features.mqttBrokerAddress}}" - name: WRITABLE_LOGLEVEL value: INFO - {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST - value: {{.Values.edgex.app.redis}} - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST - value: {{.Values.edgex.app.redis}} - {{- end}} - {{- if (eq .Values.edgex.features.messagebusbackend "mqtt") }} - name: WRITABLE_PIPELINE_FUNCTIONS_MQTTEXPORT_PARAMETERS_BROKERADDRESS value: "{{.Values.edgex.features.mqttBrokerAddress}}" - name: WRITABLE_PIPELINE_FUNCTIONS_MQTTEXPORT_PARAMETERS_TOPIC value: edgex-export - - name: TRIGGER_EXTERNALMQTT_URL - value: "{{.Values.edgex.features.mqttBrokerAddress}}" - {{- end}} - - securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.externalmqtttrigger}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.externalmqtttrigger}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-service.yaml b/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-service.yaml index 85874277..3a36540c 100644 --- a/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-service.yaml +++ b/deployment/helm/templates/edgex-app-external-mqtt-trigger/edgex-app-external-mqtt-trigger-service.yaml 
@@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.appservice.externalmqtttrigger}} spec: ports: - - name: "app-mqtt-trigger-http" + - name: "http" port: {{.Values.edgex.port.appservice.externalmqtttrigger}} selector: org.edgexfoundry.service: {{.Values.edgex.app.appservice.externalmqtttrigger}} diff --git a/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-deployment.yaml b/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-deployment.yaml index eae3a2c8..de7ca33c 100644 --- a/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-deployment.yaml +++ b/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.appservice.httpexport}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.appservice.httpexport.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.appservice.httpexport}} 
@@ -52,35 +58,25 @@ spec: value: "http-export" - name: SERVICE_HOST value: {{.Values.edgex.app.appservice.httpexport}} - {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST - value: {{.Values.edgex.app.redis}} - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST - value: {{.Values.edgex.app.redis}} - {{- end}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - name: WRITABLE_PIPELINE_FUNCTIONS_HTTPEXPORT_PARAMETERS_URL value: "{{.Values.edgex.features.httpExportURL}}" - name: WRITABLE_LOGLEVEL value: INFO - {{- end}} envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: as-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.httpexport}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.httpexport}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-service.yaml b/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-service.yaml index 695ecf97..258e2e5e 100644 --- a/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-service.yaml +++ b/deployment/helm/templates/edgex-app-http-export/edgex-app-http-export-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.appservice.httpexport}} spec: ports: - - name: "app-http-export-http" + - name: "http" port: {{.Values.edgex.port.appservice.httpexport}} selector: org.edgexfoundry.service: {{.Values.edgex.app.appservice.httpexport}} 
diff --git a/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-deployment.yaml b/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-deployment.yaml index 00a84a58..bbbacf8f 100644 --- a/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-deployment.yaml +++ b/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-deployment.yaml @@ -28,6 +28,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.appservice.metricsinfluxdb}} @@ -35,7 +41,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.appservice.metricsinfluxdb.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.appservice.metricsinfluxdb}} @@ -49,8 +55,6 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: as-common-variables env: - name: EDGEX_PROFILE value: "metrics-influxdb" @@ -67,13 +71,13 @@ spec: readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.metricsinfluxdb}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.metricsinfluxdb}} {{- if .Values.edgex.security.enabled }} volumeMounts: 
diff --git a/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-service.yaml b/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-service.yaml index 70bfd4cd..108e94d7 100644 --- a/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-service.yaml +++ b/deployment/helm/templates/edgex-app-metrics-influxdb/edgex-app-metrics-influxdb-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.appservice.metricsinfluxdb}} spec: ports: - - name: "app-metrics-influxdb-http" + - name: "http" port: {{.Values.edgex.port.appservice.metricsinfluxdb}} selector: org.edgexfoundry.service: {{.Values.edgex.app.appservice.metricsinfluxdb}} diff --git a/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-deployment.yaml b/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-deployment.yaml index 0d0ab636..f97ccdb1 100644 --- a/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-deployment.yaml +++ b/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-deployment.yaml @@ -28,6 +28,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.appservice.mqttexport}} @@ -35,7 +41,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.appservice.mqttexport.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.appservice.mqttexport}} 
@@ -49,8 +55,6 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: as-common-variables env: - name: EDGEX_PROFILE value: "mqtt-export" @@ -62,30 +66,18 @@ spec: value: edgex-events - name: WRITABLE_LOGLEVEL value: INFO - {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST - value: {{.Values.edgex.app.redis}} - - name: WRITABLE_PIPELINE_FUNCTIONS_MQTTEXPORT_PARAMETERS_BROKERADDRESS - value: {{.Values.edgex.app.redis}} - {{- end}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST - value: "{{.Values.edgex.features.mqttBrokerAddress}}" - - name: WRITABLE_PIPELINE_FUNCTIONS_MQTTEXPORT_PARAMETERS_TOPIC - value: edgex-events - {{- end}} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.mqttexport}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.mqttexport}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-service.yaml b/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-service.yaml index ce75c4e3..9fb48196 100644 --- a/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-service.yaml +++ b/deployment/helm/templates/edgex-app-mqtt-export/edgex-app-mqtt-export-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.appservice.mqttexport}} spec: ports: - - name: "app-mqtt-export-http" + - name: "http" port: {{.Values.edgex.port.appservice.mqttexport}} selector: org.edgexfoundry.service: {{.Values.edgex.app.appservice.mqttexport}} 
diff --git a/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-deployment.yaml b/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-deployment.yaml index 5b93c86a..23633289 100644 --- a/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-deployment.yaml +++ b/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-deployment.yaml @@ -28,6 +28,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.appservice.rfidllrpinventory}} @@ -35,7 +41,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.appservice.rfidllrpinventory.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/app-rfid-llrp-inventory", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/app-rfid-llrp-inventory", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.appservice.rfidllrpinventory}} @@ -49,8 +55,6 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: as-common-variables env: - name: SERVICE_HOST value: {{.Values.edgex.app.appservice.rfidllrpinventory}} 
@@ -65,22 +69,22 @@ spec: readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.rfidllrpinventory}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.rfidllrpinventory}} - {{- if .Values.edgex.security.enabled }} volumeMounts: + - mountPath: /cache + name: llrp-inventory-data + {{- if .Values.edgex.security.enabled }} - mountPath: /edgex-init name: edgex-init - mountPath: /tmp/edgex/secrets name: edgex-secrets - - mountPath: /tmp/edgex/edgex-app-rfid-llrp-inventory - name: edgex-app-rfid-llrp-inventory {{- end }} {{- if .Values.edgex.resources.appservice.rfidllrpinventory.enforceLimits }} resources: @@ -97,15 +101,15 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.edgex.security.runAsUser }} runAsGroup: {{ .Values.edgex.security.runAsGroup }} - {{- if .Values.edgex.security.enabled }} volumes: + - name: llrp-inventory-data + persistentVolumeClaim: + claimName: llrp-inventory-data + {{- if .Values.edgex.security.enabled }} - name: edgex-init persistentVolumeClaim: claimName: edgex-init - name: edgex-secrets persistentVolumeClaim: claimName: edgex-secrets - - name: edgex-app-rfid-llrp-inventory - persistentVolumeClaim: - claimName: app-rfid-llrp-inventory {{- end}} diff --git a/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-service.yaml b/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-service.yaml index d6ff967d..e0a67058 100644 --- a/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-service.yaml +++ b/deployment/helm/templates/edgex-app-rfid-llrp-inventory/edgex-app-rfid-llrp-inventory-service.yaml 
@@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.appservice.rfidllrpinventory}} spec: ports: - - name: "app-rfid-llrp-inventory-http" + - name: "http" port: {{.Values.edgex.port.appservice.rfidllrpinventory}} selector: org.edgexfoundry.service: {{.Values.edgex.app.appservice.rfidllrpinventory}} diff --git a/deployment/helm/templates/edgex-app-sample/edgex-app-sample-deployment.yaml b/deployment/helm/templates/edgex-app-sample/edgex-app-sample-deployment.yaml index 05b06aec..4e31112e 100644 --- a/deployment/helm/templates/edgex-app-sample/edgex-app-sample-deployment.yaml +++ b/deployment/helm/templates/edgex-app-sample/edgex-app-sample-deployment.yaml @@ -28,6 +28,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.appservice.appsample}} @@ -35,7 +41,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.appservice.appsample.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.appservice.appsample}} 
@@ -49,31 +55,29 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: as-common-variables env: - name: EDGEX_PROFILE value: "sample" - name: SERVICE_HOST value: {{.Values.edgex.app.appservice.appsample}} - {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST - value: {{.Values.edgex.app.redis}} - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST - value: {{.Values.edgex.app.redis}} - {{end}} + - name: CLIENTS_CORE_DATA_HOST + value: edgex-core-data + - name: CLIENTS_CORE_COMMAND_HOST + value: edgex-core-command + - name: CLIENTS_SUPPORT-NOTIFICATIONS_HOST + value: edgex-support-notifications securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.appsample}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.appsample}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-app-sample/edgex-app-sample-service.yaml b/deployment/helm/templates/edgex-app-sample/edgex-app-sample-service.yaml index 966c10af..5edde2da 100644 --- a/deployment/helm/templates/edgex-app-sample/edgex-app-sample-service.yaml +++ b/deployment/helm/templates/edgex-app-sample/edgex-app-sample-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.appservice.appsample}} spec: ports: - - name: "app-sample-http" + - name: "http" port: {{.Values.edgex.port.appservice.appsample}} selector: org.edgexfoundry.service: {{.Values.edgex.app.appservice.appsample}} diff --git a/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-deployment.yaml b/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-deployment.yaml index 7381a6de..3f78549f 100644 
--- a/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-deployment.yaml +++ b/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-deployment.yaml @@ -28,6 +28,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.appservice.rules}} @@ -35,7 +41,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.appservice.rules.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/app-service-configurable", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.appservice.rules}} 
@@ -54,45 +60,18 @@ spec: value: "rules-engine" - name: SERVICE_HOST value: {{.Values.edgex.app.appservice.rules}} - {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST - value: {{.Values.edgex.app.redis}} - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST - value: {{.Values.edgex.app.redis}} - {{- end}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: TRIGGER_EDGEXMESSAGEBUS_OPTIONAL_AUTHMODE - value: none - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_HOST - value: edgex-nats-server - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_PORT - value: "4222" - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_PROTOCOL - value: tcp - - name: TRIGGER_EDGEXMESSAGEBUS_PUBLISHHOST_PUBLISHTOPIC - value: edgex/rules-events - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_HOST - value: edgex-nats-server - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_PORT - value: "4222" - - name: TRIGGER_EDGEXMESSAGEBUS_SUBSCRIBEHOST_PROTOCOL - value: tcp - - name: TRIGGER_EDGEXMESSAGEBUS_TYPE - value: nats-jetstream - {{- end}} - securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.rules}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.appservice.rules}} {{- if .Values.edgex.security.enabled }} volumeMounts: @@ -100,10 +79,6 @@ spec: name: edgex-init - mountPath: /tmp/edgex/secrets name: edgex-secrets - - mountPath: /kuiper/etc/sources - name: kuiper-sources - - mountPath: /kuiper/etc/connections - name: kuiper-connections {{- end }} {{- if .Values.edgex.resources.appservice.rules.enforceLimits }} resources: 
@@ -128,10 +103,4 @@ spec: - name: edgex-secrets persistentVolumeClaim: claimName: edgex-secrets - - name: kuiper-sources - persistentVolumeClaim: - claimName: kuiper-sources - - name: kuiper-connections - persistentVolumeClaim: - claimName: kuiper-connections {{- end}} diff --git a/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-service.yaml b/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-service.yaml index 72dab723..6af9b54b 100644 --- a/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-service.yaml +++ b/deployment/helm/templates/edgex-appservice-rules/edgex-app-rules-engine-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.appservice.rules}} spec: ports: - - name: "app-rules-engine-http" + - name: "http" port: {{.Values.edgex.port.appservice.rules}} selector: org.edgexfoundry.service: {{.Values.edgex.app.appservice.rules}} diff --git a/deployment/helm/templates/edgex-common-config/edgex-core-common-config-deployment.yaml b/deployment/helm/templates/edgex-common-config/edgex-core-common-config-deployment.yaml new file mode 100644 index 00000000..21de1a2f --- /dev/null +++ b/deployment/helm/templates/edgex-common-config/edgex-core-common-config-deployment.yaml 
@@ -0,0 +1,134 @@ +# Copyright (C) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + org.edgexfoundry.service: {{.Values.edgex.app.core.common_config}} + name: {{.Values.edgex.app.core.common_config}} +spec: + replicas: {{.Values.edgex.replicas.core.common_config}} + selector: + matchLabels: + org.edgexfoundry.service: {{.Values.edgex.app.core.common_config}} + strategy: + type: Recreate + template: + metadata: + labels: + org.edgexfoundry.service: {{.Values.edgex.app.core.common_config}} + spec: + {{- if and (eq .Values.edgex.security.enabled true) (or (eq .Values.edgex.storage.sharedVolumesAccessMode "ReadWriteOnce") (eq .Values.edgex.storage.useHostPath true))}} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} + topologyKey: "kubernetes.io/hostname" + {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + automountServiceAccountToken: false + containers: + - name: {{.Values.edgex.app.core.common_config}} + image: {{.Values.edgex.image.core.common_config.repository}}:{{.Values.edgex.image.core.common_config.tag}} + imagePullPolicy: {{.Values.edgex.image.core.common_config.pullPolicy}} + {{- if .Values.edgex.security.enabled }} + command: ["/edgex-init/ready_to_run_wait_install.sh"] + args: ["/entrypoint.sh", "/core-common-config-bootstrapper", "-cp=consul.http://edgex-core-consul:8500"] + {{- end}} + env: + - name: ALL_SERVICES_REGISTRY_HOST + value: edgex-core-consul + - name: ALL_SERVICES_DATABASE_HOST + value: edgex-redis + - name: APP_SERVICES_CLIENTS_CORE_METADATA_HOST + value: edgex-core-metadata + - name: DEVICE_SERVICES_CLIENTS_CORE_METADATA_HOST + value: edgex-core-metadata + {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} + - name: ALL_SERVICES_MESSAGEBUS_HOST + value: edgex-redis + {{- end}} + {{- if (eq .Values.edgex.features.messagebusbackend "mqtt") }} + - name: ALL_SERVICES_MESSAGEBUS_TYPE + value: mqtt + - name: ALL_SERVICES_MESSAGEBUS_PROTOCOL + value: tcp + - name: ALL_SERVICES_MESSAGEBUS_HOST + value: edgex-mqtt-broker + - name: ALL_SERVICES_MESSAGEBUS_PORT + value: "1883" + {{- if .Values.edgex.security.enabled }} + - name: ALL_SERVICES_MESSAGEBUS_AUTHMODE + value: usernamepassword + - name: ALL_SERVICES_MESSAGEBUS_SECRETNAME + value: message-bus + {{- else }} + - name: ALL_SERVICES_MESSAGEBUS_AUTHMODE + value: none + {{- end }} + {{- end }} + {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} + - name: ALL_SERVICES_MESSAGEBUS_TYPE + value: nats-jetstream + - name: ALL_SERVICES_MESSAGEBUS_PROTOCOL + value: tcp + - name: ALL_SERVICES_MESSAGEBUS_HOST + value: edgex-nats-server + - name: ALL_SERVICES_MESSAGEBUS_PORT + value: "4222" + {{- if .Values.edgex.security.enabled }} + - name: ALL_SERVICES_MESSAGEBUS_AUTHMODE + value: usernamepassword + - name: ALL_SERVICES_MESSAGEBUS_SECRETNAME + 
value: message-bus + {{- else }} + - name: ALL_SERVICES_MESSAGEBUS_AUTHMODE + value: none + {{- end }} + {{- end}} + envFrom: + - configMapRef: + name: edgex-common-variables + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + {{- if .Values.edgex.security.enabled }} + volumeMounts: + - mountPath: /edgex-init + name: edgex-init + - mountPath: /tmp/edgex/secrets + name: edgex-secrets + {{- end }} + {{- if .Values.edgex.resources.core.common_config.enforceLimits }} + resources: + limits: + memory: {{ .Values.edgex.resources.core.common_config.limits.memory }} + cpu: {{ .Values.edgex.resources.core.common_config.limits.cpu }} + requests: + memory: {{ .Values.edgex.resources.core.common_config.requests.memory }} + cpu: {{ .Values.edgex.resources.core.common_config.requests.cpu }} + {{- end}} + hostname: {{.Values.edgex.app.core.common_config}} + restartPolicy: Always + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.edgex.security.runAsUser }} + runAsGroup: {{ .Values.edgex.security.runAsGroup }} + {{- if .Values.edgex.security.enabled }} + volumes: + - name: edgex-init + persistentVolumeClaim: + claimName: edgex-init + - name: edgex-secrets + persistentVolumeClaim: + claimName: edgex-secrets + {{- end}} diff --git a/deployment/helm/templates/edgex-consul/edgex-consul-deployment.yaml b/deployment/helm/templates/edgex-consul/edgex-consul-deployment.yaml index 097980ec..afe70c3d 100644 --- a/deployment/helm/templates/edgex-consul/edgex-consul-deployment.yaml +++ b/deployment/helm/templates/edgex-consul/edgex-consul-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.consul}} 
@@ -51,14 +57,13 @@ spec: value: "{{ .Values.edgex.security.runAsUser }}" - name: EDGEX_GROUP value: "{{ .Values.edgex.security.runAsGroup }}" - # uncomment and modify the following "ADD_REGISTRY_ACL_ROLES" to add additional registry ACL roles on the fly - # the list is comma-separated service keys for these services - #ADD_REGISTRY_ACL_ROLES: app-sample,app-rules-engine-redis, app-rules-engine-mqtt, app-push-to-core - - name: STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH - value: /consul/config/consul_acl_done - name: STAGEGATE_REGISTRY_ACL_BOOTSTRAPTOKENPATH value: /tmp/edgex/secrets/consul-acl-token/bootstrap_token.json - - name: ADD_REGISTRY_ACL_ROLES + - name: STAGEGATE_REGISTRY_ACL_MANAGEMENTTOKENPATH + value: /tmp/edgex/secrets/consul-acl-token/mgmt_token.json + - name: STAGEGATE_REGISTRY_ACL_SENTINELFILEPATH + value: /consul/config/consul_acl_done + - name: EDGEX_ADD_REGISTRY_ACL_ROLES value: {{.Values.edgex.security.addConsulRoles}} {{- end }} envFrom: diff --git a/deployment/helm/templates/edgex-consul/edgex-consul-service.yaml b/deployment/helm/templates/edgex-consul/edgex-consul-service.yaml index c3a5d799..ead42402 100644 --- a/deployment/helm/templates/edgex-consul/edgex-consul-service.yaml +++ b/deployment/helm/templates/edgex-consul/edgex-consul-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.consul}} spec: ports: - - name: "consul-http" + - name: "http" port: {{.Values.edgex.port.consul}} {{- if .Values.edgex.security.enabled }} - name: "ready" diff --git a/deployment/helm/templates/edgex-core-command/edgex-core-command-deployment.yaml b/deployment/helm/templates/edgex-core-command/edgex-core-command-deployment.yaml index ce15ea81..2cb42a54 100644 --- a/deployment/helm/templates/edgex-core-command/edgex-core-command-deployment.yaml +++ b/deployment/helm/templates/edgex-core-command/edgex-core-command-deployment.yaml 
@@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.core.command}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.core.command.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/core-command", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/core-command", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.core.command}} @@ -50,18 +56,8 @@ spec: env: - name: SERVICE_HOST value: {{.Values.edgex.app.core.command}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: MESSAGEQUEUE_INTERNAL_AUTHMODE - value: none - - name: MESSAGEQUEUE_INTERNAL_HOST - value: edgex-nats-server - - name: MESSAGEQUEUE_INTERNAL_PORT - value: "4222" - - name: MESSAGEQUEUE_INTERNAL_PROTOCOL - value: tcp - - name: MESSAGEQUEUE_INTERNAL_TYPE - value: nats-jetstream - {{end}} + - name: EXTERNALMQTT_URL + value: "tcp://{{.Values.edgex.app.mqttbroker}}{{.Values.edgex.port.mqttbroker}}" envFrom: - configMapRef: name: edgex-common-variables @@ -70,13 +66,13 @@ spec: readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.core.command}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.core.command}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-core-command/edgex-core-command-service.yaml b/deployment/helm/templates/edgex-core-command/edgex-core-command-service.yaml index 4b388b31..211e0705 100644 
--- a/deployment/helm/templates/edgex-core-command/edgex-core-command-service.yaml +++ b/deployment/helm/templates/edgex-core-command/edgex-core-command-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.core.command}} spec: ports: - - name: "core-command-http" + - name: "http" port: {{.Values.edgex.port.core.command}} selector: org.edgexfoundry.service: {{.Values.edgex.app.core.command}} diff --git a/deployment/helm/templates/edgex-core-data/edgex-core-data-deployment.yaml b/deployment/helm/templates/edgex-core-data/edgex-core-data-deployment.yaml index 94310cd8..7fca61c9 100644 --- a/deployment/helm/templates/edgex-core-data/edgex-core-data-deployment.yaml +++ b/deployment/helm/templates/edgex-core-data/edgex-core-data-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.core.data}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.core.data.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/core-data", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/core-data", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.core.data}} 
@@ -50,24 +56,6 @@ spec: env: - name: SERVICE_HOST value: {{.Values.edgex.app.core.data}} - {{- if .Values.edgex.security.enabled }} - - name: SECRETSTORE_TOKENFILE - value: /tmp/edgex/secrets/core-data/secrets-token.json - {{- end}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: MESSAGEQUEUE_AUTHMODE - value: none - - name: MESSAGEQUEUE_HOST - value: edgex-nats-server - - name: MESSAGEQUEUE_OPTIONAL_CLIENTID - value: core-data - - name: MESSAGEQUEUE_PORT - value: '4222' - - name: MESSAGEQUEUE_PROTOCOL - value: tcp - - name: MESSAGEQUEUE_TYPE - value: nats-jetstream - {{end}} envFrom: - configMapRef: name: edgex-common-variables @@ -76,13 +64,13 @@ spec: readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.core.data}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.core.data}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-core-data/edgex-core-data-service.yaml b/deployment/helm/templates/edgex-core-data/edgex-core-data-service.yaml index f4a7c1bc..5ce5504a 100644 --- a/deployment/helm/templates/edgex-core-data/edgex-core-data-service.yaml +++ b/deployment/helm/templates/edgex-core-data/edgex-core-data-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.core.data}} spec: ports: - - name: "core-data-http" + - name: "http" port: {{.Values.edgex.port.core.data}} selector: org.edgexfoundry.service: {{.Values.edgex.app.core.data}} diff --git a/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-deployment.yaml b/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-deployment.yaml index cb7b3f02..074bdfe5 100644 --- a/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-deployment.yaml +++ b/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-deployment.yaml 
@@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.bacnet}} @@ -36,7 +42,11 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.bacnet.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: [ "/bin/sh", "/edgex-init/ready_to_run_wait_install.sh"] - args: ["/startup.sh"] + args: + - "/device-bacnet-ip/device-bacnet-c" + - "-cp=consul://edgex-core-consul:8500" + - "--registry" + - "--confdir=/res" {{- end}} ports: - containerPort: {{.Values.edgex.port.device.bacnet}} @@ -53,20 +63,18 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.bacnet}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.bacnet}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-service.yaml b/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-service.yaml index 3a0e8354..0c69778c 100644 --- a/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-service.yaml +++ b/deployment/helm/templates/edgex-device-bacnet/edgex-device-bacnet-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.bacnet}} spec: ports: - - name: "device-bacnet-http" + - name: "http" port: {{.Values.edgex.port.device.bacnet}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.bacnet}} 
diff --git a/deployment/helm/templates/edgex-device-coap/edgex-device-coap-deployment.yaml b/deployment/helm/templates/edgex-device-coap/edgex-device-coap-deployment.yaml new file mode 100644 index 00000000..0a53bc15 --- /dev/null +++ b/deployment/helm/templates/edgex-device-coap/edgex-device-coap-deployment.yaml 
@@ -0,0 +1,109 @@ +# Copyright (C) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + org.edgexfoundry.service: {{.Values.edgex.app.device.coap}} + name: {{.Values.edgex.app.device.coap}} +spec: + replicas: {{.Values.edgex.replicas.device.coap}} + selector: + matchLabels: + org.edgexfoundry.service: {{.Values.edgex.app.device.coap}} + strategy: + type: Recreate + template: + metadata: + labels: + org.edgexfoundry.service: {{.Values.edgex.app.device.coap}} + spec: + {{- if and (eq .Values.edgex.security.enabled true) (or (eq .Values.edgex.storage.sharedVolumesAccessMode "ReadWriteOnce") (eq .Values.edgex.storage.useHostPath true))}} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} + topologyKey: "kubernetes.io/hostname" + {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + automountServiceAccountToken: false + containers: + - name: {{.Values.edgex.app.device.coap}} + image: {{.Values.edgex.image.device.coap.repository}}:{{.Values.edgex.image.device.coap.tag}} + imagePullPolicy: {{.Values.edgex.image.device.coap.pullPolicy}} + {{- if .Values.edgex.security.enabled }} + command: [ "/bin/sh", "/edgex-init/ready_to_run_wait_install.sh"] + args: + - "/device-coap" + - "-cp=consul://edgex-core-consul:8500" + - "--registry" + - "--confdir=/res" + {{- end}} + ports: + - containerPort: {{.Values.edgex.port.device.coap}} + name: "http" + {{- if not .Values.edgex.security.enabled }} + {{- if .Values.edgex.features.enableHostPort}} + hostPort: {{.Values.edgex.port.device.coap}} + hostIP: {{.Values.edgex.hostPortInternalBind}} + {{- end}} + {{- end}} + env: + - name: SERVICE_HOST + value: {{.Values.edgex.app.device.coap}} + envFrom: + - configMapRef: + name: edgex-common-variables + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + startupProbe: + httpGet: + path: /api/v3/ping + port: {{.Values.edgex.port.device.coap}} + periodSeconds: 1 + failureThreshold: 120 + livenessProbe: + httpGet: + path: /api/v3/ping + port: {{.Values.edgex.port.device.coap}} + {{- if .Values.edgex.security.enabled }} + volumeMounts: + - mountPath: /edgex-init + name: edgex-init + - mountPath: /tmp/edgex/secrets + name: edgex-secrets + {{- end }} + {{- if .Values.edgex.resources.device.coap.enforceLimits }} + resources: + limits: + memory: {{ .Values.edgex.resources.device.coap.limits.memory }} + cpu: {{ .Values.edgex.resources.device.coap.limits.cpu }} + requests: + memory: {{ .Values.edgex.resources.device.coap.requests.memory }} + cpu: {{ .Values.edgex.resources.device.coap.requests.cpu }} + {{- end}} + hostname: {{.Values.edgex.app.device.coap}} + restartPolicy: Always + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.edgex.security.runAsUser }} + runAsGroup: {{ 
.Values.edgex.security.runAsGroup }} + {{- if .Values.edgex.security.enabled }} + volumes: + - name: edgex-init + persistentVolumeClaim: + claimName: edgex-init + - name: edgex-secrets + persistentVolumeClaim: + claimName: edgex-secrets + {{- end}} diff --git a/deployment/helm/templates/edgex-device-coap/edgex-device-coap-service.yaml b/deployment/helm/templates/edgex-device-coap/edgex-device-coap-service.yaml new file mode 100644 index 00000000..c98abaa9 --- /dev/null +++ b/deployment/helm/templates/edgex-device-coap/edgex-device-coap-service.yaml @@ -0,0 +1,18 @@ +# Copyright (C) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +apiVersion: v1 +kind: Service +metadata: + labels: + org.edgexfoundry.service: {{.Values.edgex.app.device.coap}} + name: {{.Values.edgex.app.device.coap}} +spec: + ports: + - name: "http" + port: {{.Values.edgex.port.device.coap}} + selector: + org.edgexfoundry.service: {{.Values.edgex.app.device.coap}} + type: {{.Values.expose.type.device.coap}} + diff --git a/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-deployment.yaml b/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-deployment.yaml index bc639ffe..5b6ba604 100644 --- a/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-deployment.yaml +++ b/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.gpio}} 
@@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.gpio.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/bin/sh","/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-gpio", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-gpio", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.gpio}} @@ -55,20 +61,18 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.gpio}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.gpio}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-service.yaml b/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-service.yaml index a3e9304d..6b2d1f45 100644 --- a/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-service.yaml +++ b/deployment/helm/templates/edgex-device-gpio/edgex-device-gpio-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.gpio}} spec: ports: - - name: "device-gpio-http" + - name: "http" port: {{.Values.edgex.port.device.gpio}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.gpio}} diff --git a/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-deployment.yaml b/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-deployment.yaml index f9b883bd..acf56e75 100644 --- a/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-deployment.yaml +++ b/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-deployment.yaml 
@@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.modbus}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.modbus.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-modbus", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-modbus", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.modbus}} @@ -48,25 +54,23 @@ spec: {{- end}} {{- end}} env: - - name: SERVICE_HOST - value: {{.Values.edgex.app.device.modbus}} + - name: SERVICE_HOST + value: {{.Values.edgex.app.device.modbus}} envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.modbus}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.modbus}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-service.yaml b/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-service.yaml index c7a57a94..c5d06c35 100644 --- a/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-service.yaml +++ b/deployment/helm/templates/edgex-device-modbus/edgex-device-modbus-service.yaml 
@@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.modbus}} spec: ports: - - name: "device-modbus-http" + - name: "http" port: {{.Values.edgex.port.device.modbus}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.modbus}} diff --git a/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-deployment.yaml b/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-deployment.yaml index 8893331d..2aad3eb1 100644 --- a/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-deployment.yaml +++ b/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.mqtt}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.mqtt.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-mqtt", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-mqtt", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.mqtt}} 
@@ -50,25 +56,33 @@ spec: env: - name: SERVICE_HOST value: {{.Values.edgex.app.device.mqtt}} + {{- if .Values.edgex.security.enabled }} + {{- if (eq .Values.edgex.features.messagebusbackend "mqtt") }} + - name: MQTTBROKERINFO_AUTHMODE + value: usernamepassword + - name: MQTTBROKERINFO_CREDENTIALSNAME + value: message-bus - name: MQTTBROKERINFO_HOST value: {{.Values.edgex.app.mqttbroker}} + {{- end}} + {{- end }} + + envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.mqtt}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.mqtt}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-service.yaml b/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-service.yaml index cc00ca23..a5926c29 100644 --- a/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-service.yaml +++ b/deployment/helm/templates/edgex-device-mqtt/edgex-device-mqtt-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.mqtt}} spec: ports: - - name: "device-mqtt-htpp" + - name: "http" port: {{.Values.edgex.port.device.mqtt}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.mqtt}} diff --git a/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-deployment.yaml b/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-deployment.yaml index bc7d27fb..5e3bfe3e 100644 --- a/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-deployment.yaml +++ b/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-deployment.yaml 
@@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.onvifcamera}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.onvifcamera.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-onvif-camera", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-onvif-camera", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.onvifcamera}} @@ -53,20 +59,18 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.onvifcamera}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.onvifcamera}} {{- if .Values.edgex.security.enabled }} volumeMounts: @@ -74,8 +78,6 @@ spec: name: edgex-init - mountPath: /tmp/edgex/secrets name: edgex-secrets - - mountPath: /mnt/edgex-device-onvif-camera - name: device-onvif-camera {{- end }} {{- if .Values.edgex.resources.device.onvifcamera.enforceLimits }} resources: @@ -100,7 +102,4 @@ spec: - name: edgex-secrets persistentVolumeClaim: claimName: edgex-secrets - - name: device-onvif-camera - persistentVolumeClaim: - claimName: device-onvif-camera {{- end}} 
diff --git a/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-service.yaml b/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-service.yaml index c8b89113..4b70a1a7 100644 --- a/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-service.yaml +++ b/deployment/helm/templates/edgex-device-onvif-camera/edgex-device-onvif-camera-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.onvifcamera}} spec: ports: - - name: "device-onvif-camera-http" + - name: "http" port: {{.Values.edgex.port.device.onvifcamera}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.onvifcamera}} diff --git a/deployment/helm/templates/edgex-device-rest/edgex-device-rest-deployment.yaml b/deployment/helm/templates/edgex-device-rest/edgex-device-rest-deployment.yaml index cca6896c..d5c57e8f 100644 --- a/deployment/helm/templates/edgex-device-rest/edgex-device-rest-deployment.yaml +++ b/deployment/helm/templates/edgex-device-rest/edgex-device-rest-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.rest}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.rest.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-rest", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-rest", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.rest}} 
@@ -53,20 +59,18 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.rest}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.rest}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-rest/edgex-device-rest-service.yaml b/deployment/helm/templates/edgex-device-rest/edgex-device-rest-service.yaml index 573da7e0..3d3b5771 100644 --- a/deployment/helm/templates/edgex-device-rest/edgex-device-rest-service.yaml +++ b/deployment/helm/templates/edgex-device-rest/edgex-device-rest-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.rest}} spec: ports: - - name: "device-rest-http" + - name: "http" port: {{.Values.edgex.port.device.rest}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.rest}} diff --git a/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-deployment.yaml b/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-deployment.yaml index 654d26a6..f8363e4b 100644 --- a/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-deployment.yaml +++ b/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.rfidllrp}} 
@@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.rfidllrp.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-rfid-llrp", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-rfid-llrp", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.rfidllrp}} @@ -48,25 +54,23 @@ spec: {{- end}} {{- end}} env: - - name: SERVICE_HOST - value: {{.Values.edgex.app.device.rfidllrp}} + - name: SERVICE_HOST + value: {{.Values.edgex.app.device.rfidllrp}} envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.rfidllrp}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.rfidllrp}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-service.yaml b/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-service.yaml index 20d0ee40..9a0a07aa 100644 --- a/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-service.yaml +++ b/deployment/helm/templates/edgex-device-rfid-llrp/edgex-device-rfid-llrp-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.rfidllrp}} spec: ports: - - name: "device-rfid-llrp-http" + - name: "http" port: {{.Values.edgex.port.device.rfidllrp}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.rfidllrp}} diff --git a/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-deployment.yaml b/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-deployment.yaml index 20f71f77..6ec608b2 100644 
--- a/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-deployment.yaml +++ b/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.snmp}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.snmp.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-snmp", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-snmp", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.snmp}} @@ -48,25 +54,23 @@ spec: {{- end}} {{- end}} env: - - name: SERVICE_HOST - value: {{.Values.edgex.app.device.snmp}} + - name: SERVICE_HOST + value: {{.Values.edgex.app.device.snmp}} envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.snmp}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.snmp}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-service.yaml b/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-service.yaml index 3b807c27..d4f7f546 100644 --- a/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-service.yaml 
+++ b/deployment/helm/templates/edgex-device-snmp/edgex-device-snmp-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.snmp}} spec: ports: - - name: "device-snmp-http" + - name: "http" port: {{.Values.edgex.port.device.snmp}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.snmp}} diff --git a/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-deployment.yaml b/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-deployment.yaml index 60ec1c65..877d8bec 100644 --- a/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-deployment.yaml +++ b/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.usbcamera}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.usbcamera.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-usb-camera", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-usb-camera", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.usbcamera}} 
@@ -53,20 +59,18 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.usbcamera}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.usbcamera}} {{- if .Values.edgex.security.enabled }} volumeMounts: @@ -74,8 +78,6 @@ spec: name: edgex-init - mountPath: /tmp/edgex/secrets name: edgex-secrets - - mountPath: /mnt/edgex-device-usb-camera - name: device-usb-camera {{- end }} {{- if .Values.edgex.resources.device.usbcamera.enforceLimits }} resources: @@ -100,7 +102,4 @@ spec: - name: edgex-secrets persistentVolumeClaim: claimName: edgex-secrets - - name: device-usb-camera - persistentVolumeClaim: - claimName: device-usb-camera {{- end}} diff --git a/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-service.yaml b/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-service.yaml index 93f67dd3..6df47311 100644 --- a/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-service.yaml +++ b/deployment/helm/templates/edgex-device-usb-camera/edgex-device-usb-camera-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.usbcamera}} spec: ports: - - name: "device-usb-camera-http" + - name: "http" port: {{.Values.edgex.port.device.onvifcamera}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.usbcamera}} diff --git a/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-deployment.yaml b/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-deployment.yaml index c49e7309..627efe17 100644 --- a/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-deployment.yaml 
+++ b/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.device.virtual}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.device.virtual.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/device-virtual", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/device-virtual", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.device.virtual}} @@ -53,20 +59,18 @@ spec: envFrom: - configMapRef: name: edgex-common-variables - - configMapRef: - name: device-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.virtual}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.device.virtual}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-service.yaml b/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-service.yaml index de54fb7b..4562f497 100644 --- a/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-service.yaml +++ b/deployment/helm/templates/edgex-device-virtual/edgex-device-virtual-service.yaml 
@@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.device.virtual}} spec: ports: - - name: "device-virtual-name" + - name: "http" port: {{.Values.edgex.port.device.virtual}} selector: org.edgexfoundry.service: {{.Values.edgex.app.device.virtual}} diff --git a/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-deployment.yaml b/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-deployment.yaml index a8559fe9..f0fe1ee1 100644 --- a/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-deployment.yaml +++ b/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-deployment.yaml @@ -28,11 +28,18 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.bootstrapper}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false initContainers: - name: prep-volumes - image: busybox:latest - command: [ "sh", "-c", "chown -Rh 1001:1001 /kuiper; exit 0" ] + image: {{.Values.edgex.image.ekuiper.repository}}:{{.Values.edgex.image.ekuiper.tag}} + imagePullPolicy: {{.Values.edgex.image.ekuiper.pullPolicy}} + command: [ "sh", "-c", "chown -Rh 1001:1001 /kuiper/log /kuiper/data; cp -rpd /kuiper/etc/* /mnt/kuiper-etc/; cp -rpd /kuiper/plugins/* /mnt/kuiper-plugins/; exit 0" ] securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 
@@ -40,13 +47,20 @@ spec: runAsGroup: 0 volumeMounts: - mountPath: /kuiper/log - name: kuiper-logs + name: kuiper-log - mountPath: /kuiper/data name: kuiper-data + - mountPath: /mnt/kuiper-etc + name: kuiper-etc + - mountPath: /mnt/kuiper-plugins + name: kuiper-plugins containers: - name: {{.Values.edgex.app.ekuiper}} image: {{.Values.edgex.image.ekuiper.repository}}:{{.Values.edgex.image.ekuiper.tag}} imagePullPolicy: {{.Values.edgex.image.ekuiper.pullPolicy}} + {{- if .Values.edgex.security.enabled }} + command: ["/edgex-init/kuiper_wait_install.sh"] + {{- end}} ports: - containerPort: {{.Values.edgex.port.ekuiper}} name: "http" 
@@ -56,50 +70,89 @@ spec: hostIP: {{.Values.edgex.hostPortInternalBind}} {{- end}} {{- end}} + envFrom: + - configMapRef: + name: edgex-common-variables env: -# - name: KUIPER__BASIC__DEBUG -# value: "true" + # - name: KUIPER__BASIC__DEBUG + # value: "true" - name: KUIPER__BASIC__CONSOLELOG value: "true" - name: KUIPER__BASIC__RESTPORT value: "{{.Values.edgex.port.ekuiper}}" + - name: EDGEX__DEFAULT__TOPIC + value: edgex/rules-events {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - - name: EDGEX__DEFAULT__SERVER + - name: CONNECTION__EDGEX__REDISMSGBUS__PORT + value: "{{.Values.edgex.port.redis}}" + - name: CONNECTION__EDGEX__REDISMSGBUS__PROTOCOL + value: redis + - name: CONNECTION__EDGEX__REDISMSGBUS__SERVER value: {{.Values.edgex.app.redis}} - - name: EDGEX__DEFAULT__PROTOCOL - value: "redis" + - name: CONNECTION__EDGEX__REDISMSGBUS__TYPE + value: redis - name: EDGEX__DEFAULT__PORT value: "{{.Values.edgex.port.redis}}" - - name: EDGEX__DEFAULT__TOPIC - value: "rules-events" - {{end}} + - name: EDGEX__DEFAULT__PROTOCOL + value: redis + - name: EDGEX__DEFAULT__SERVER + value: {{.Values.edgex.app.redis}} + - name: EDGEX__DEFAULT__TYPE + value: redis + {{- end }} + {{- if (eq .Values.edgex.features.messagebusbackend "mqtt") }} + - name: CONNECTION__EDGEX__MQTTMSGBUS__PORT + value: "{{.Values.edgex.port.mqttbroker}}" + - name: CONNECTION__EDGEX__MQTTMSGBUS__PROTOCOL + value: tcp + - name: CONNECTION__EDGEX__MQTTMSGBUS__HOST + value: {{.Values.edgex.app.mqttbroker}} + - name: CONNECTION__EDGEX__MQTTMSGBUS__TYPE + value: mqtt + - name: CONNECTION__EDGEX__MQTTMSGBUS__AUTHMODE + value: none + - name: CONNECTION__EDGEX__MQTTMSGBUS__OPTIONAL__CLIENTID + value: kupiper-rules-engine + - name: CONNECTION__EDGEX__MQTTMSGBUS__OPTIONAL__KEEPALIVE + value: "500" + - name: EDGEX__DEFAULT__PORT + value: "{{.Values.edgex.port.mqttbroker}}" + - name: EDGEX__DEFAULT__PROTOCOL + value: tcp + - name: EDGEX__DEFAULT__SERVER + value: {{.Values.edgex.app.mqttbroker}} + - 
name: EDGEX__DEFAULT__TYPE + value: mqtt + - name: EDGEX__DEFAULT__OPTIONAL__CLIENTID + value: kupiper-rules-engine + - name: EDGEX__DEFAULT__OPTIONAL__KEEPALIVE + value: "500" + {{- end }} {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: MESSAGEQUEUE_HOST - value: edgex-nats-server - - name: MESSAGEQUEUE_OPTIONAL_CLIENTID - value: kuiper-rules-engine - - name: MESSAGEQUEUE_PORT - value: '4222' - - name: MESSAGEQUEUE_PROTOCOL + - name: CONNECTION__EDGEX__NATSMSGBUS__PORT + value: "{{.Values.edgex.port.natsserver}}" + - name: CONNECTION__EDGEX__NATSMSGBUS__PROTOCOL value: tcp - - name: MESSAGEQUEUE_TYPE + - name: CONNECTION__EDGEX__NATSMSGBUS__SERVER + value: {{.Values.edgex.app.natsserver}} + - name: CONNECTION__EDGEX__NATSMSGBUS__TYPE value: nats-jetstream - - name: EDGEX__DEFAULT__OPTIONAL__CLIENTID - value: kuiper-rules-engine + - name: CONNECTION__EDGEX__NATSMSGBUS__OPTIONAL__CLIENTID + value: kupiper-rules-engine - name: EDGEX__DEFAULT__PORT - value: '4222' + value: "{{.Values.edgex.port.natsserver}}" - name: EDGEX__DEFAULT__PROTOCOL value: tcp - name: EDGEX__DEFAULT__SERVER - value: edgex-nats-server - - name: EDGEX__DEFAULT__TOPIC - value: edgex/rules-events + value: {{.Values.edgex.app.natsserver}} - name: EDGEX__DEFAULT__TYPE value: nats-jetstream - {{end}} + - name: EDGEX__DEFAULT__OPTIONAL__CLIENTID + value: kupiper-rules-engine + {{- end }} securityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true startupProbe: tcpSocket: port: {{.Values.edgex.port.ekuiper}} 
@@ -109,10 +162,22 @@ spec: tcpSocket: port: {{.Values.edgex.port.ekuiper}} volumeMounts: - - mountPath: /kuiper/log - name: kuiper-logs - mountPath: /kuiper/data name: kuiper-data + - mountPath: /kuiper/etc + name: kuiper-etc + - mountPath: /kuiper/log + name: kuiper-log + - mountPath: /kuiper/plugins + name: kuiper-plugins + {{- if .Values.edgex.security.enabled }} + - mountPath: /edgex-init + name: edgex-init + - mountPath: /kuiper/etc/sources + name: kuiper-connections + - mountPath: /kuiper/etc/connections + name: kuiper-sources + {{- end }} {{- if .Values.edgex.resources.ekuiper.enforceLimits }} resources: limits: @@ -132,7 +197,23 @@ spec: - name: kuiper-data persistentVolumeClaim: claimName: kuiper-data - - name: kuiper-logs - emptyDir: - medium: Memory - sizeLimit: 64Mi + - name: kuiper-etc + persistentVolumeClaim: + claimName: kuiper-etc + - name: kuiper-log + persistentVolumeClaim: + claimName: kuiper-log + - name: kuiper-plugins + persistentVolumeClaim: + claimName: kuiper-plugins + {{- if .Values.edgex.security.enabled }} + - name: kuiper-sources + persistentVolumeClaim: + claimName: kuiper-sources + - name: kuiper-connections + persistentVolumeClaim: + claimName: kuiper-connections + - name: edgex-init + persistentVolumeClaim: + claimName: edgex-init + {{- end }} diff --git a/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-service.yaml b/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-service.yaml index d3b56d40..d278e9a6 100644 --- a/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-service.yaml +++ b/deployment/helm/templates/edgex-ekuiper/edgex-ekuiper-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.ekuiper}} spec: ports: - - name: "ekuiper-http" + - name: "http" port: {{.Values.edgex.port.ekuiper}} selector: org.edgexfoundry.service: {{.Values.edgex.app.ekuiper}} 
diff --git a/deployment/helm/templates/edgex-metadata/edgex-core-metadata-deployment.yaml b/deployment/helm/templates/edgex-metadata/edgex-core-metadata-deployment.yaml index 3572bc33..5946fba2 100644 --- a/deployment/helm/templates/edgex-metadata/edgex-core-metadata-deployment.yaml +++ b/deployment/helm/templates/edgex-metadata/edgex-core-metadata-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.core.metadata}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.core.metadata.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/core-metadata", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/core-metadata", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.core.metadata}} 
@@ -53,34 +59,18 @@ spec: env: - name: SERVICE_HOST value: {{.Values.edgex.app.core.metadata}} - - name: NOTIFICATIONS_SENDER - value: {{.Values.edgex.app.core.metadata}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: MESSAGEQUEUE_AUTHMODE - value: none - - name: MESSAGEQUEUE_HOST - value: edgex-nats-server - - name: MESSAGEQUEUE_OPTIONAL_CLIENTID - value: core-metadata - - name: MESSAGEQUEUE_PORT - value: '4222' - - name: MESSAGEQUEUE_PROTOCOL - value: tcp - - name: MESSAGEQUEUE_TYPE - value: nats-jetstream - {{end}} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.core.metadata}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.core.metadata}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-metadata/edgex-core-metadata-service.yaml b/deployment/helm/templates/edgex-metadata/edgex-core-metadata-service.yaml index 2061846f..2cc91076 100644 --- a/deployment/helm/templates/edgex-metadata/edgex-core-metadata-service.yaml +++ b/deployment/helm/templates/edgex-metadata/edgex-core-metadata-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.core.metadata}} spec: ports: - - name: "core-metadata-http" + - name: "http" port: {{.Values.edgex.port.core.metadata}} selector: org.edgexfoundry.service: {{.Values.edgex.app.core.metadata}} diff --git a/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-deployment.yaml b/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-deployment.yaml index c32a10c6..fabe8ca1 100644 --- a/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-deployment.yaml +++ b/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-deployment.yaml 
@@ -20,6 +20,12 @@ spec: labels: org.edgexfoundry.service: {{.Values.edgex.app.modbussimulator}} spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.modbussimulator}} diff --git a/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-service.yaml b/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-service.yaml index d315a315..ced87298 100644 --- a/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-service.yaml +++ b/deployment/helm/templates/edgex-modbus-simulator/edgex-modbus-simulator-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.modbussimulator}} spec: ports: - - name: "modbus-simulator-mbap" + - name: "mbap" port: {{.Values.edgex.port.modbussimulator}} selector: org.edgexfoundry.service: {{.Values.edgex.app.modbussimulator}} diff --git a/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-deployment.yaml b/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-deployment.yaml index 1a0f3e9b..1eceac6e 100644 --- a/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-deployment.yaml +++ b/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-deployment.yaml 
@@ -20,15 +20,39 @@ spec: labels: org.edgexfoundry.service: {{.Values.edgex.app.mqttbroker}} spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false + {{- if .Values.edgex.security.enabled }} + initContainers: + - name: prep-volumes + image: {{.Values.edgex.image.mqttbroker.repository}}:{{.Values.edgex.image.mqttbroker.tag}} + imagePullPolicy: {{.Values.edgex.image.mqttbroker.pullPolicy}} + command: [ "sh", "-c", "cp -rpd /mosquitto/* /mnt/tmp-mosquitto/; exit 0" ] + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 0 + runAsGroup: 0 + volumeMounts: + - mountPath: /mnt/tmp-mosquitto + name: mqtt + {{- end }} containers: - name: {{.Values.edgex.app.mqttbroker}} image: {{.Values.edgex.image.mqttbroker.repository}}:{{.Values.edgex.image.mqttbroker.tag}} imagePullPolicy: {{.Values.edgex.image.mqttbroker.pullPolicy}} {{- if .Values.edgex.security.enabled }} + command: ["/edgex-init/messagebus_wait_install.sh"] + args: [ "/usr/sbin/mosquitto", "-c", "/mosquitto/config/mosquitto.conf" ] + {{- else }} command: ["/usr/sbin/mosquitto", "-c", "/mosquitto-no-auth.conf"] args: [] - {{- end}} + {{- end }} ports: - containerPort: {{.Values.edgex.port.mqttbroker}} name: "mqtt" @@ -36,8 +60,20 @@ spec: {{- if .Values.edgex.features.enableHostPort}} hostPort: {{.Values.edgex.port.mqttbroker}} hostIP: {{.Values.edgex.hostPortInternalBind}} - {{- end}} - {{- end}} + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: edgex-common-variables + {{- if .Values.edgex.security.enabled }} + env: + - name: BROKER_TYPE + value: mosquitto + - name: CONF_DIR + value: /edgex-init/bootstrap-mosquitto/res + - name: ENTRYPOINT + value: /docker-entrypoint.sh /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf + {{- end }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 
@@ -49,6 +85,15 @@ spec: livenessProbe: tcpSocket: port: {{.Values.edgex.port.mqttbroker}} + {{- if .Values.edgex.security.enabled }} + volumeMounts: + - mountPath: /edgex-init + name: edgex-init + - mountPath: /tmp/edgex/secrets + name: edgex-secrets + - mountPath: /mosquitto + name: mqtt + {{- end }} {{- if .Values.edgex.resources.mqttbroker.enforceLimits }} resources: limits: @@ -61,6 +106,23 @@ spec: hostname: {{.Values.edgex.app.mqttbroker}} restartPolicy: Always securityContext: - runAsNonRoot: true + runAsNonRoot: false + {{- if .Values.edgex.security.enabled }} + runAsUser: 0 + runAsGroup: 0 + {{- else }} runAsUser: {{ .Values.edgex.security.runAsUser }} runAsGroup: {{ .Values.edgex.security.runAsGroup }} + {{- end }} + {{- if .Values.edgex.security.enabled }} + volumes: + - name: edgex-init + persistentVolumeClaim: + claimName: edgex-init + - name: edgex-secrets + persistentVolumeClaim: + claimName: edgex-secrets + - name: mqtt + persistentVolumeClaim: + claimName: mqtt + {{- end }} diff --git a/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-service.yaml b/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-service.yaml index 037a71ad..eca937c8 100644 --- a/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-service.yaml +++ b/deployment/helm/templates/edgex-mqtt-broker/edgex-mqtt-broker-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.mqttbroker}} spec: ports: - - name: "mqtt-broker-mqtt" + - name: "mqtt" port: {{.Values.edgex.port.mqttbroker}} selector: org.edgexfoundry.service: {{.Values.edgex.app.mqttbroker}} diff --git a/deployment/helm/templates/edgex-nats-server/edgex-nats-server-deployment.yaml b/deployment/helm/templates/edgex-nats-server/edgex-nats-server-deployment.yaml index 30390a82..5a93767f 100644 --- a/deployment/helm/templates/edgex-nats-server/edgex-nats-server-deployment.yaml +++ b/deployment/helm/templates/edgex-nats-server/edgex-nats-server-deployment.yaml 
@@ -20,6 +20,12 @@ spec: labels: org.edgexfoundry.service: {{.Values.edgex.app.natsserver}} spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.natsserver}} @@ -45,6 +51,9 @@ spec: livenessProbe: tcpSocket: port: {{.Values.edgex.port.natsserver}} + volumeMounts: + - mountPath: /tmp/nats + name: nats-data {{- if .Values.edgex.resources.natsserver.enforceLimits }} resources: limits: @@ -60,3 +69,7 @@ spec: runAsNonRoot: true runAsUser: {{ .Values.edgex.security.runAsUser }} runAsGroup: {{ .Values.edgex.security.runAsGroup }} + volumes: + - name: nats-data + persistentVolumeClaim: + claimName: nats-data diff --git a/deployment/helm/templates/edgex-nats-server/edgex-nats-server-service.yaml b/deployment/helm/templates/edgex-nats-server/edgex-nats-server-service.yaml index ffeb60c5..4c6b62bf 100644 --- a/deployment/helm/templates/edgex-nats-server/edgex-nats-server-service.yaml +++ b/deployment/helm/templates/edgex-nats-server/edgex-nats-server-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.natsserver}} spec: ports: - - name: "nats-server-http" + - name: "http" port: {{.Values.edgex.port.natsserver}} selector: org.edgexfoundry.service: {{.Values.edgex.app.natsserver}} diff --git a/deployment/helm/templates/edgex-pv-secure.yaml b/deployment/helm/templates/edgex-pv-secure.yaml new file mode 100644 index 00000000..3d0f4c53 --- /dev/null +++ b/deployment/helm/templates/edgex-pv-secure.yaml 
@@ -0,0 +1,179 @@ +# Copyright (C) 2023 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +{{- if .Values.edgex.security.enabled }} +{{- if .Values.edgex.storage.useHostPath }} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-init-volume +spec: + storageClassName: "" + claimRef: + name: edgex-init + namespace: {{ .Release.Namespace }} + capacity: + storage: 128Mi + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-init-volume" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-vault-config-volume +spec: + storageClassName: "" + claimRef: + name: vault-config + namespace: {{ .Release.Namespace }} + capacity: + storage: 8Mi + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-vault-config" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-vault-data-volume +spec: + storageClassName: "" + claimRef: + name: vault-file + namespace: {{ .Release.Namespace }} + capacity: + storage: 128Mi + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-vault-data" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-vault-logs-volume +spec: + storageClassName: "" + claimRef: + name: vault-logs + namespace: {{ .Release.Namespace }} + capacity: + storage: 128Mi + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-vault-logs" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-secrets-volume +spec: + storageClassName: "" + claimRef: + name: edgex-secrets + namespace: {{ .Release.Namespace }} + capacity: + storage: 8Mi + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + hostPath: + path: "/tmp/edgex/secrets" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: 
PersistentVolume +metadata: + name: edgex-consul-acl-token-volume +spec: + storageClassName: "" + claimRef: + name: consul-acl-token + namespace: {{ .Release.Namespace }} + capacity: + storage: 8Mi + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-consul-acl-token" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-redis-config-volume +spec: + storageClassName: "" + claimRef: + name: redis-config + namespace: {{ .Release.Namespace }} + capacity: + storage: 8Mi + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-redis-config" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-kuiper-sources +spec: + storageClassName: "" + claimRef: + name: kuiper-sources + namespace: {{ .Release.Namespace }} + capacity: + storage: 8Mi + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-kuiper-sources" + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-kuiper-connections +spec: + storageClassName: "" + claimRef: + name: kuiper-connections + namespace: {{ .Release.Namespace }} + capacity: + storage: 8Mi + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-kuiper-connections" + type: DirectoryOrCreate +{{- if (gt (.Values.edgex.replicas.natsserver | int) 0) }} +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: edgex-mqtt +spec: + storageClassName: "" + claimRef: + name: mqtt + namespace: {{ .Release.Namespace }} + capacity: + storage: 8Mi + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + hostPath: + path: "/mnt/edgex-mqtt" + type: DirectoryOrCreate +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file 
diff --git a/deployment/helm/templates/edgex-pv.yaml b/deployment/helm/templates/edgex-pv.yaml index 84a9e155..c4a581d0 100644 --- a/deployment/helm/templates/edgex-pv.yaml +++ b/deployment/helm/templates/edgex-pv.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2022 Intel Corporation +# Copyright (C) 2023 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # @@ -13,14 +13,13 @@ spec: name: consul-config namespace: {{ .Release.Namespace }} capacity: - storage: 500Mi + storage: 8Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: path: "/mnt/edgex-consul-config" -{{- end}} + type: DirectoryOrCreate --- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: @@ -31,14 +30,13 @@ spec: name: consul-data namespace: {{ .Release.Namespace }} capacity: - storage: 500Mi + storage: 128Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: path: "/mnt/edgex-consul-data" -{{- end }} + type: DirectoryOrCreate --- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: @@ -49,14 +47,13 @@ spec: name: db-data namespace: {{ .Release.Namespace }} capacity: - storage: 1Gi + storage: 512Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: path: "/mnt/edgex-db" -{{- end }} + type: DirectoryOrCreate --- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: 
@@ -72,238 +69,94 @@ spec: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: path: "/mnt/edgex-kuiper-data" -{{- end }} ---- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-secrets-volume -spec: - storageClassName: "" - claimRef: - name: edgex-secrets - namespace: {{ .Release.Namespace }} - capacity: - storage: 8Mi - accessModes: - - {{.Values.edgex.storage.sharedVolumesAccessMode}} - hostPath: - path: "/tmp/edgex/secrets" -{{- end }} ---- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-init-volume -spec: - storageClassName: "" - claimRef: - name: edgex-init - namespace: {{ .Release.Namespace }} - capacity: - storage: 128Mi - accessModes: - - {{.Values.edgex.storage.sharedVolumesAccessMode}} - hostPath: - path: "/mnt/edgex-init-volume" -{{- end }} ---- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-vault-data-volume -spec: - storageClassName: "" - claimRef: - name: vault-file - namespace: {{ .Release.Namespace }} - capacity: - storage: 1Gi - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - hostPath: - path: "/mnt/edgex-vault-data" -{{- end }} ---- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-vault-logs-volume -spec: - storageClassName: "" - claimRef: - name: vault-logs - namespace: {{ .Release.Namespace }} - capacity: - storage: 1Gi - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - hostPath: - path: "/mnt/edgex-vault-logs" -{{- end }} + type: DirectoryOrCreate --- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-vault-config-volume -spec: - storageClassName: "" - claimRef: - name: vault-config - namespace: {{ .Release.Namespace }} - capacity: - storage: 8Mi - accessModes: - - 
{{.Values.edgex.storage.nonSharedVolumesAccessMode}} - hostPath: - path: "/mnt/edgex-vault-config" -{{- end }} ---- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: - name: edgex-redis-config-volume + name: edgex-kuiper-etc spec: storageClassName: "" claimRef: - name: redis-config + name: kuiper-etc namespace: {{ .Release.Namespace }} capacity: storage: 8Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: - path: "/mnt/edgex-redis-config" -{{- end }} ---- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-consul-acl-token-volume -spec: - storageClassName: "" - claimRef: - name: consul-acl-token - namespace: {{ .Release.Namespace }} - capacity: - storage: 8Mi - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - hostPath: - path: "/mnt/edgex-consul-acl-token" -{{- end }} ---- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-device-onvif-camera -spec: - storageClassName: "" - claimRef: - name: device-onvif-camera - namespace: {{ .Release.Namespace }} - capacity: - storage: 128Mi - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - hostPath: - path: "/mnt/edgex-device-onvif-camera" -{{- end}} ---- -{{- if .Values.edgex.storage.useHostPath }} -apiVersion: v1 -kind: PersistentVolume -metadata: - name: edgex-device-usb-camera -spec: - storageClassName: "" - claimRef: - name: device-usb-camera - namespace: {{ .Release.Namespace }} - capacity: - storage: 128Mi - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - hostPath: - path: "/mnt/edgex-device-usb-camera" -{{- end}} + path: "/mnt/edgex-kuiper-etc" + type: DirectoryOrCreate --- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: - name: edgex-app-rfid-llrp-inventory + name: edgex-kuiper-log spec: storageClassName: "" claimRef: - 
name: app-rfid-llrp-inventory + name: kuiper-log namespace: {{ .Release.Namespace }} capacity: storage: 128Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: - path: "/mnt/edgex-app-rfid-llrp-inventory" -{{- end}} + path: "/mnt/edgex-kuiper-log" + type: DirectoryOrCreate --- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: - name: edgex-nats-server + name: edgex-kuiper-plugins spec: storageClassName: "" claimRef: - name: nats-server + name: kuiper-plugins namespace: {{ .Release.Namespace }} capacity: storage: 128Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: - path: "/tmp/nats" -{{- end}} + path: "/mnt/edgex-kuiper-plugins" + type: DirectoryOrCreate +{{- if (gt (.Values.edgex.replicas.natsserver | int) 0) }} --- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: - name: kuiper-sources + name: edgex-nats-data spec: storageClassName: "" claimRef: - name: kuiper-sources + name: nats-data namespace: {{ .Release.Namespace }} capacity: storage: 128Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: - path: "/mnt/kuiper-sources" + path: "/mnt/edgex-nats-data" + type: DirectoryOrCreate {{- end }} +{{- if (gt (.Values.edgex.replicas.appservice.rfidllrpinventory | int) 0) }} --- -{{- if .Values.edgex.storage.useHostPath }} apiVersion: v1 kind: PersistentVolume metadata: - name: kuiper-connections + name: edgex-llrp-inventory-data spec: storageClassName: "" claimRef: - name: kuiper-connections + name: llrp-inventory-data namespace: {{ .Release.Namespace }} capacity: storage: 128Mi accessModes: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} hostPath: - path: "/mnt/kuiper-connections" + path: "/mnt/edgex-llrp-inventory-data" + type: DirectoryOrCreate {{- end }} +{{- end }} \ No newline at end of file 
diff --git a/deployment/helm/templates/edgex-pvc-secure.yaml b/deployment/helm/templates/edgex-pvc-secure.yaml new file mode 100644 index 00000000..a5051a47 --- /dev/null +++ b/deployment/helm/templates/edgex-pvc-secure.yaml 
@@ -0,0 +1,167 @@ +# Copyright (C) 2023 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +{{- if .Values.edgex.security.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: edgex-init +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.sharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + resources: + requests: + storage: 128Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: vault-config +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + resources: + requests: + storage: 8Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: vault-file +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + resources: + requests: + storage: 128Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: vault-logs +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + resources: + requests: + storage: 128Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: edgex-secrets +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.sharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + 
resources: + requests: + storage: 8Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: consul-acl-token +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.sharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + resources: + requests: + storage: 8Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: redis-config +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + resources: + requests: + storage: 8Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: kuiper-sources +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.sharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + resources: + requests: + storage: 8Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: kuiper-connections +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.sharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.sharedVolumesAccessMode}} + resources: + requests: + storage: 8Mi +{{- if (gt (.Values.edgex.replicas.mqttbroker | int) 0) }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mqtt +spec: + {{- if (eq .Values.edgex.storage.useHostPath true)}} + storageClassName: "" + {{- else }} + storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" + {{- end }} + accessModes: + - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} + resources: + requests: + storage: 8Mi +{{- end }} 
+{{- end }} diff --git a/deployment/helm/templates/edgex-pvc.yaml b/deployment/helm/templates/edgex-pvc.yaml index c478aad0..6e2749f4 100644 --- a/deployment/helm/templates/edgex-pvc.yaml +++ b/deployment/helm/templates/edgex-pvc.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2022 Intel Corporation +# Copyright (C) 2023 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # @@ -16,7 +16,7 @@ spec: - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} resources: requests: - storage: 128Mi + storage: 8Mi --- apiVersion: v1 kind: PersistentVolumeClaim 
@@ -65,76 +65,11 @@ spec: resources: requests: storage: 128Mi -{{- if .Values.edgex.security.enabled }} ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: edgex-secrets -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.sharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.sharedVolumesAccessMode}} - resources: - requests: - storage: 8Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: edgex-init -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.sharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.sharedVolumesAccessMode}} - resources: - requests: - storage: 128Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: vault-file -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - resources: - requests: - storage: 128Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: vault-logs -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - resources: - requests: - storage: 128Mi --- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: vault-config + name: kuiper-etc spec: {{- if (eq .Values.edgex.storage.useHostPath true)}} storageClassName: "" 
@@ -150,39 +85,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: redis-config -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - resources: - requests: - storage: 8Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: consul-acl-token -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - resources: - requests: - storage: 8Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: device-onvif-camera + name: kuiper-log spec: {{- if (eq .Values.edgex.storage.useHostPath true)}} storageClassName: "" @@ -198,7 +101,7 @@ spec: apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: device-usb-camera + name: kuiper-plugins spec: {{- if (eq .Values.edgex.storage.useHostPath true)}} storageClassName: "" 
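Review bot: the `device-onvif-camera` and `device-usb-camera` claims are removed in this hunk with nothing taking their place, whereas the other removed claims are renamed (`vault-config` to `kuiper-etc`, `nats-server` to `nats-data`, `app-rfid-llrp-inventory` to `llrp-inventory-data`). If the two camera deployments still reference those claim names, their pods will sit unschedulable on an unbound PVC only when `replicas.device.*camera` is raised above zero, which the default render will not catch; please confirm the mounts were dropped from the deployments too, or guard the claims with the same `{{- if (gt (... | int) 0) }}` pattern used for `nats-data` and `llrp-inventory-data`.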
@@ -210,43 +113,12 @@ spec: resources: requests: storage: 128Mi +{{- if (gt (.Values.edgex.replicas.natsserver | int) 0) }} --- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: app-rfid-llrp-inventory -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - resources: - requests: - storage: 128Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nats-server -spec: - {{- if (eq .Values.edgex.storage.useHostPath true)}} - storageClassName: "" - {{- else }} - storageClassName: "{{.Values.edgex.storage.nonSharedVolumesClassName}}" - {{- end }} - accessModes: - - {{.Values.edgex.storage.nonSharedVolumesAccessMode}} - resources: - requests: - storage: 128Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: kuiper-sources + name: nats-data spec: {{- if (eq .Values.edgex.storage.useHostPath true)}} storageClassName: "" @@ -258,11 +130,13 @@ spec: resources: requests: storage: 128Mi +{{- end }} +{{- if (gt (.Values.edgex.replicas.appservice.rfidllrpinventory | int) 0) }} --- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: kuiper-connections + name: llrp-inventory-data spec: {{- if (eq .Values.edgex.storage.useHostPath true)}} storageClassName: "" diff --git a/deployment/helm/templates/edgex-redis/edgex-redis-deployment.yaml b/deployment/helm/templates/edgex-redis/edgex-redis-deployment.yaml index 873390b7..ef1053af 100644 --- a/deployment/helm/templates/edgex-redis/edgex-redis-deployment.yaml +++ b/deployment/helm/templates/edgex-redis/edgex-redis-deployment.yaml 
@@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.redis}} @@ -38,11 +44,18 @@ spec: command: ["/edgex-init/redis_wait_install.sh"] {{- end}} ports: - - containerPort: {{.Values.edgex.port.redis}} - name: "redis" + - containerPort: {{.Values.edgex.port.redis}} + name: "redis" + {{- if .Values.edgex.security.enabled }} + env: + - name: DATABASECONFIG_PATH + value: /run/redis/conf + - name: DATABASECONFIG_NAME + vaule: redis.conf + {{- end }} envFrom: - - configMapRef: - name: edgex-common-variables + - configMapRef: + name: edgex-common-variables securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/deployment/helm/templates/edgex-redis/edgex-redis-service.yaml b/deployment/helm/templates/edgex-redis/edgex-redis-service.yaml index dcbd9b1c..1cd6abbb 100644 --- a/deployment/helm/templates/edgex-redis/edgex-redis-service.yaml +++ b/deployment/helm/templates/edgex-redis/edgex-redis-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.redis}} spec: ports: - - name: "redis-redis" + - name: "redis" port: {{.Values.edgex.port.redis}} selector: org.edgexfoundry.service: {{.Values.edgex.app.redis}} diff --git a/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-deployment.yaml b/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-deployment.yaml index 16dc7c47..40bce5f3 100644 --- a/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-deployment.yaml +++ b/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-deployment.yaml 
@@ -21,6 +21,12 @@ spec: labels: org.edgexfoundry.service: {{.Values.edgex.app.bootstrapper}} spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.bootstrapper}} diff --git a/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-service.yaml b/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-service.yaml index 852eb8b2..469fe0ec 100644 --- a/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-service.yaml +++ b/deployment/helm/templates/edgex-security-bootstrapper/edgex-security-bootstrapper-service.yaml @@ -11,7 +11,7 @@ metadata: name: {{.Values.edgex.app.bootstrapper}} spec: ports: - - name: "bootstrapper-http" + - name: "http" port: {{ .Values.edgex.bootstrap.port.start }} selector: org.edgexfoundry.service: {{.Values.edgex.app.bootstrapper}} diff --git a/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-deployment.yaml b/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-deployment.yaml index 4ec9c9bd..86260ca8 100644 --- a/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-deployment.yaml +++ b/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-deployment.yaml @@ -30,6 +30,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.bootstrapper}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.secretstoresetup}} 
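Review bot: `vaule: redis.conf` under `DATABASECONFIG_NAME` in the edgex-redis-deployment.yaml `env` hunk is a typo for `value:`. Depending on the API server's field-validation mode the object is either rejected or the unknown key is dropped; either way `DATABASECONFIG_NAME` never reaches the container, and in secure mode `redis_wait_install.sh` is then started without the name of the generated config it is supposed to hand to the server. Fix the key, and since this block only renders under `{{- if .Values.edgex.security.enabled }}`, consider a CI step that templates with `edgex.security.enabled=true` and runs `kubectl apply --dry-run=server`, so typos in conditional blocks are caught even though the default render never emits them.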
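Review bot: the identical `imagePullSecrets` block (`{{- if .Values.imagePullSecrets }}` / `{{- range .Values.imagePullSecrets }}` / `- name: {{ . }}`) is pasted into every deployment touched by this diff (redis, bootstrapper, secretstore-setup, notifications, scheduler, ui, vault). Factor it into a named template in `_helpers.tpl` and `{{- include "edgex.imagePullSecrets" . | nindent 6 }}` in each pod spec, so a later change (for example accepting the conventional `- name:` map form that `toYaml` would emit) lands in one place; the vault copy is also the only one placed after `automountServiceAccountToken: false`, harmless drift that a shared helper removes.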
@@ -40,14 +46,18 @@ spec: value: "{{ .Values.edgex.security.runAsUser }}" - name: EDGEX_GROUP value: "{{ .Values.edgex.security.runAsGroup }}" - - name: ADD_SECRETSTORE_TOKENS + - name: EDGEX_ADD_SECRETSTORE_TOKENS value: {{.Values.edgex.security.addServiceTokens}} - - name: ADD_KNOWN_SECRETS + - name: EDGEX_ADD_KNOWN_SECRETS value: {{.Values.edgex.security.addKnownSecrets}} {{- if (eq .Values.edgex.features.messagebusbackend "redis") }} - name: SECUREMESSAGEBUS_TYPE value: redis - {{- end}} + {{- end }} + {{- if (eq .Values.edgex.features.messagebusbackend "mqtt") }} + - name: SECUREMESSAGEBUS_TYPE + value: mqtt + {{- end }} envFrom: - configMapRef: name: edgex-common-variables @@ -69,8 +79,10 @@ spec: name: vault-config - mountPath: /tmp/edgex/secrets name: edgex-secrets - - mountPath: /tmp/kong - name: kong-tmp + - mountPath: /tmp/kuiper-connections + name: kuiper-connections + - mountPath: /tmp/kuiper + name: kuiper-sources - mountPath: /run name: run-tmp - mountPath: /vault @@ -100,10 +112,12 @@ spec: - name: edgex-secrets persistentVolumeClaim: claimName: edgex-secrets - - name: kong-tmp - emptyDir: - medium: Memory - sizeLimit: 8Mi + - name: kuiper-sources + persistentVolumeClaim: + claimName: kuiper-sources + - name: kuiper-connections + persistentVolumeClaim: + claimName: kuiper-connections - name: run-tmp emptyDir: medium: Memory diff --git a/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-service.yaml b/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-service.yaml index 8f7322cf..d3b66e8d 100644 --- a/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-service.yaml +++ b/deployment/helm/templates/edgex-security-secretstore-setup/edgex-security-secretstore-setup-service.yaml 
@@ -11,7 +11,7 @@ metadata: name: {{.Values.edgex.app.secretstoresetup}} spec: ports: - - name: "secret-storesetup-http" + - name: "http" port: {{ .Values.edgex.bootstrap.port.secretstoretokensready }} selector: org.edgexfoundry.service: {{.Values.edgex.app.secretstoresetup}} diff --git a/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-deployment.yaml b/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-deployment.yaml index 99bdc5f3..aea0b842 100644 --- a/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-deployment.yaml +++ b/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.support.notifications}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.support.notifications.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/support-notifications", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/support-notifications", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.support.notifications}} 
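Review bot: the two `SECUREMESSAGEBUS_TYPE` branches in the secretstore-setup env hunk (`redis` and `mqtt`) both just echo `.Values.edgex.features.messagebusbackend`; collapse them into one guard such as `{{- if has .Values.edgex.features.messagebusbackend (list "redis" "mqtt") }}` with `value: {{ .Values.edgex.features.messagebusbackend }}`. The more important gap is that `nats` has no branch at all, so `messagebusbackend: nats` together with `security.enabled: true` sets no secure bus type and the deployment comes up with an unauthenticated bus; if NATS is not supported in secure mode, make that a `{{ fail ... }}` in the template or at least a values.yaml comment rather than a silent fall-through.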
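Review bot: the `/tmp/kuiper` and `/tmp/kuiper-connections` mounts in the secretstore-setup volumes hunk replace a memory-backed `emptyDir` (`kong-tmp`, `medium: Memory`) with the persistent `kuiper-sources` / `kuiper-connections` claims, which at the top of this diff are created on `sharedVolumesClassName` / `sharedVolumesAccessMode`. This container is the one that distributes service secrets (`edgex-secrets` mount, `EDGEX_ADD_KNOWN_SECRETS`), so whatever it writes into those two claims for eKuiper now sits on a shared, persistent volume instead of in memory; add a comment next to the claims stating that only the rules engine and this pod are meant to mount them, and double-check that the files are written with the same restrictive mode and `EDGEX_USER` / `EDGEX_GROUP` ownership that `edgex-secrets` gets.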
@@ -50,20 +56,6 @@ spec: env: - name: SERVICE_HOST value: {{.Values.edgex.app.support.notifications}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: MESSAGEQUEUE_AUTHMODE - value: none - - name: MESSAGEQUEUE_HOST - value: edgex-nats-server - - name: MESSAGEQUEUE_OPTIONAL_CLIENTID - value: support-notifications - - name: MESSAGEQUEUE_PORT - value: '4222' - - name: MESSAGEQUEUE_PROTOCOL - value: tcp - - name: MESSAGEQUEUE_TYPE - value: nats-jetstream - {{end}} envFrom: - configMapRef: name: edgex-common-variables @@ -72,13 +64,13 @@ spec: readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.support.notifications}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.support.notifications}} {{- if .Values.edgex.security.enabled }} volumeMounts: diff --git a/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-service.yaml b/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-service.yaml index 41b61aa4..396de9c9 100644 --- a/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-service.yaml +++ b/deployment/helm/templates/edgex-support-notifications/edgex-support-notifications-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.support.notifications}} spec: ports: - - name: "support-notifications-http" + - name: "http" port: {{.Values.edgex.port.support.notifications}} selector: org.edgexfoundry.service: {{.Values.edgex.app.support.notifications}} diff --git a/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-deployment.yaml b/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-deployment.yaml index ba21fe10..3078d992 100644 --- a/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-deployment.yaml 
+++ b/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-deployment.yaml @@ -29,6 +29,12 @@ spec: org.edgexfoundry.service: {{ .Values.edgex.app.secretstoresetup}} topologyKey: "kubernetes.io/hostname" {{- end}} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.support.scheduler}} @@ -36,7 +42,7 @@ spec: imagePullPolicy: {{.Values.edgex.image.support.scheduler.pullPolicy}} {{- if .Values.edgex.security.enabled }} command: ["/edgex-init/ready_to_run_wait_install.sh"] - args: ["/support-scheduler", "-cp=consul.http://edgex-core-consul:8500", "--registry", "--confdir=/res"] + args: ["/support-scheduler", "-cp=consul.http://edgex-core-consul:8500", "--registry"] {{- end}} ports: - containerPort: {{.Values.edgex.port.support.scheduler}} @@ -57,32 +63,18 @@ spec: value: {{.Values.edgex.app.core.data}} - name: INTERVALACTIONS_SCRUBAGED_HOST value: {{.Values.edgex.app.core.data}} - {{- if (eq .Values.edgex.features.messagebusbackend "nats") }} - - name: MESSAGEQUEUE_AUTHMODE - value: none - - name: MESSAGEQUEUE_HOST - value: edgex-nats-server - - name: MESSAGEQUEUE_OPTIONAL_CLIENTID - value: support-scheduler - - name: MESSAGEQUEUE_PORT - value: '4222' - - name: MESSAGEQUEUE_PROTOCOL - value: tcp - - name: MESSAGEQUEUE_TYPE - value: nats-jetstream - {{end}} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.support.scheduler}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.support.scheduler}} {{- if .Values.edgex.security.enabled }} volumeMounts: 
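Review bot: with the `MESSAGEQUEUE_*` NATS overrides deleted from support-notifications and support-scheduler and nothing added in their place, the NATS backend now depends entirely on the message-bus settings arriving through the new common-config bootstrapper, while the `nats-data` claim is still generated whenever `replicas.natsserver > 0`. Please document in values.yaml where `messagebusbackend: nats` is now configured, or state that it is non-secure-mode only, given that secretstore-setup sets `SECUREMESSAGEBUS_TYPE` only for redis and mqtt. (The removed names also used the pre-3.0 `MessageQueue` section; 3.0 renamed it to `MessageBus`, so an override spelled the old way would have been ignored regardless.)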
diff --git a/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-service.yaml b/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-service.yaml index deca79bd..293a14f4 100644 --- a/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-service.yaml +++ b/deployment/helm/templates/edgex-support-scheduler/edgex-support-scheduler-service.yaml @@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.support.scheduler}} spec: ports: - - name: "support-scheduler-http" + - name: "http" port: {{.Values.edgex.port.support.scheduler}} selector: org.edgexfoundry.service: {{.Values.edgex.app.support.scheduler}} diff --git a/deployment/helm/templates/edgex-ui/edgex-ui-deployment.yaml b/deployment/helm/templates/edgex-ui/edgex-ui-deployment.yaml index 419ce08a..e5b7a62d 100644 --- a/deployment/helm/templates/edgex-ui/edgex-ui-deployment.yaml +++ b/deployment/helm/templates/edgex-ui/edgex-ui-deployment.yaml @@ -20,6 +20,12 @@ spec: labels: org.edgexfoundry.service: {{.Values.edgex.app.ui}} spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false containers: - name: {{.Values.edgex.app.ui}} @@ -46,13 +52,13 @@ spec: readOnlyRootFilesystem: true startupProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.ui}} periodSeconds: 1 failureThreshold: 120 livenessProbe: httpGet: - path: /api/v2/ping + path: /api/v3/ping port: {{.Values.edgex.port.ui}} {{- if .Values.edgex.resources.ui.enforceLimits }} resources: diff --git a/deployment/helm/templates/edgex-ui/edgex-ui-service.yaml b/deployment/helm/templates/edgex-ui/edgex-ui-service.yaml index 47bb1f74..39515822 100644 --- a/deployment/helm/templates/edgex-ui/edgex-ui-service.yaml +++ b/deployment/helm/templates/edgex-ui/edgex-ui-service.yaml 
@@ -10,7 +10,7 @@ metadata: name: {{.Values.edgex.app.ui}} spec: ports: - - name: "ui-http" + - name: "http" port: {{.Values.edgex.port.ui}} selector: org.edgexfoundry.service: {{.Values.edgex.app.ui}} diff --git a/deployment/helm/templates/edgex-vault/edgex-vault-deployment.yaml b/deployment/helm/templates/edgex-vault/edgex-vault-deployment.yaml index fd7576db..83a29bdb 100644 --- a/deployment/helm/templates/edgex-vault/edgex-vault-deployment.yaml +++ b/deployment/helm/templates/edgex-vault/edgex-vault-deployment.yaml @@ -31,6 +31,12 @@ spec: topologyKey: "kubernetes.io/hostname" {{- end}} automountServiceAccountToken: false + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} initContainers: - name: prep-volumes image: busybox:latest diff --git a/deployment/helm/templates/edgex-vault/edgex-vault-ingress.yaml b/deployment/helm/templates/edgex-vault/edgex-vault-ingress.yaml new file mode 100644 index 00000000..ffa1e8b8 --- /dev/null +++ b/deployment/helm/templates/edgex-vault/edgex-vault-ingress.yaml 
@@ -0,0 +1,41 @@ +# Copyright (C) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# +{{- if .Values.edgex.security.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + labels: + org.edgexfoundry.service: {{.Values.edgex.app.vault}} + name: {{.Values.edgex.app.vault}} + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" + nginx.ingress.kubernetes.io/auth-tls-secret: "edgex/edgex-client-ca" + nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" +spec: + ingressClassName: nginx + rules: + - host: "{{.Values.edgex.security.tlsHost}}" + http: + paths: + - path: /vault/(v1/auth/userpass/login/.*) + pathType: Prefix + backend: + service: + name: {{.Values.edgex.app.vault}} + port: + name: http + - path: /vault/(v1/identity/oidc/token/.*) + pathType: Prefix + backend: + service: + name: {{.Values.edgex.app.vault}} + port: + name: http + tls: + - secretName: edgex-tls + hosts: + - "{{.Values.edgex.security.tlsHost}}" +{{- end}} diff --git a/deployment/helm/templates/edgex-vault/edgex-vault-service.yaml b/deployment/helm/templates/edgex-vault/edgex-vault-service.yaml index 9ec878c9..d29f7bb5 100644 --- a/deployment/helm/templates/edgex-vault/edgex-vault-service.yaml +++ b/deployment/helm/templates/edgex-vault/edgex-vault-service.yaml @@ -11,7 +11,7 @@ metadata: name: {{.Values.edgex.app.vault}} spec: ports: - - name: "vault-http" + - name: "http" port: 8200 selector: org.edgexfoundry.service: {{.Values.edgex.app.vault}} diff --git a/deployment/helm/tlsgen.sh b/deployment/helm/tlsgen.sh old mode 100644 new mode 100755 index e6cc9900..4a40b4fe --- a/deployment/helm/tlsgen.sh +++ b/deployment/helm/tlsgen.sh 
@@ -13,8 +13,8 @@ openssl req -x509 -new -key server-ca.key -subj "/CN=ServerCA" -sha384 -out serv # server (leaf, needed for nginx) openssl ecparam -genkey -name secp384r1 -noout -out server.key -openssl req -subj "/CN=edgex" -config openssl.conf -key server.key -sha384 -new -out server.req -openssl x509 -sha384 -extfile openssl.conf -extensions server_ext -CA server-ca.pem -CAkey server-ca.key -CAcreateserial -req -in server.req -days 365 -out server.pem +openssl req -subj "/CN=edgex" -addext "subjectAltName = DNS:edgex" -config openssl.conf -key server.key -sha384 -new -out server.req +openssl x509 -sha384 -extfile openssl.conf -extensions server_ext -extensions edgex_san -CA server-ca.pem -CAkey server-ca.key -CAcreateserial -req -in server.req -days 365 -out server.pem # client (CA, needed for ngnix mutual auth) diff --git a/deployment/helm/tlsinstall.sh b/deployment/helm/tlsinstall.sh old mode 100644 new mode 100755 diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml index 6a3d86ad..bc0b7390 100644 --- a/deployment/helm/values.yaml +++ b/deployment/helm/values.yaml @@ -1,4 +1,4 @@ -# Copyright (C) 2022 Intel Corporation +# Copyright (C) 2023 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # @@ -6,6 +6,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +imagePullSecrets: [] +# supply a list of secret names (in the current namespace) of type docker-registry + expose: type: # Option value: ClusterIP/NodePort/LoadBalancer @@ -32,6 +35,7 @@ expose: mqtt: ClusterIP modbus: ClusterIP bacnet: ClusterIP + coap: ClusterIP snmp: ClusterIP rfidllrp: ClusterIP gpio: ClusterIP @@ -53,6 +57,7 @@ edgex: # define its label name, resource name or base of the resource name, and service name. app: core: + common_config: edgex-core-common-config-bootstrapper command: edgex-core-command data: edgex-core-data metadata: edgex-core-metadata 
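Review bot: in edgex-vault-deployment.yaml the `imagePullSecrets` hunk lands directly above `initContainers: - name: prep-volumes image: busybox:latest`; that init image is unpinned and not routed through `.Values.edgex.image`, so neither the pull secrets nor a private registry mirror configured for the rest of the chart applies to it, and `latest` makes the rollout non-reproducible. Add an image entry for it in values.yaml with a pinned tag or digest and reference that here.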
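Review bot: `nginx.ingress.kubernetes.io/auth-tls-secret: "edgex/edgex-client-ca"` in the new edgex-vault-ingress.yaml hard-codes the `edgex` namespace while the rest of the chart derives names from values; use `{{ .Release.Namespace }}/edgex-client-ca`, otherwise a release installed in any other namespace points the controller at a CA secret that does not exist and the mutual-TLS gate in front of the userpass login and OIDC token endpoints is not configured as intended. Two smaller points: the paths are regexes (`/vault/(v1/auth/userpass/login/.*)`) consumed through `rewrite-target: /$1` but declared `pathType: Prefix`; ingress-nginx's documented regex form is `pathType: ImplementationSpecific` with `nginx.ingress.kubernetes.io/use-regex: "true"`, and `Prefix` is defined by the Ingress API as a literal path-element match, so another controller would not route these at all. The file header also says 2022 while every other file touched here was bumped to 2023. The `auth-tls-verify-client: "on"` / depth 1 gate is the right shape; note that TLS terminates at nginx and the hop to the Vault service's `http` port 8200 is cleartext inside the cluster, which is worth a NetworkPolicy unless the cluster is single-tenant.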
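Review bot: in tlsgen.sh the added `-extensions edgex_san` overrides the existing `-extensions server_ext` on the same `openssl x509` line (the tool keeps only the last value of a repeated option), so the server leaf is now issued with whatever `[edgex_san]` contains and loses the `server_ext` extensions unless that section duplicates them. Put `subjectAltName = DNS:edgex` inside `[server_ext]` in openssl.conf (or `subjectAltName = @alt_names` with an `[alt_names]` section) and keep a single `-extensions server_ext`. The `-addext "subjectAltName = DNS:edgex"` added to the `openssl req` line is harmless but does nothing here: `openssl x509 -req` ignores extensions carried in the CSR unless given `-copy_extensions copy` (OpenSSL 3), so the SAN has to come from the extfile anyway. Finally, the host `edgex` is now hard-coded twice in this script while the chart exposes it as `edgex.security.tlsHost`; read it from an argument or environment variable so SNI and SAN cannot drift from the ingress rule.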
@@ -75,6 +80,7 @@ edgex: mqtt: edgex-device-mqtt modbus: edgex-device-modbus bacnet: edgex-device-bacnet + coap: edgex-device-coap snmp: edgex-device-snmp rfidllrp: edgex-device-rfid-llrp gpio: edgex-device-gpio @@ -92,6 +98,10 @@ edgex: # image defines configuration properties for docker-image-level concerns image: core: + common_config: + repository: edgexfoundry/core-common-config-bootstrapper + tag: "2.3.0" + pullPolicy: IfNotPresent command: repository: edgexfoundry/core-command tag: "2.3.0" @@ -156,8 +166,8 @@ edgex: tag: "2.3.0" pullPolicy: IfNotPresent usbcamera: - repository: nexus3.edgexfoundry.org:10004/device-usb-camera - tag: "latest" + repository: edgexfoundry/device-usb-camera + tag: "2.3.0" pullPolicy: IfNotPresent mqtt: repository: edgexfoundry/device-mqtt @@ -171,6 +181,10 @@ edgex: repository: edgexfoundry/device-bacnet tag: "2.3.0" pullPolicy: IfNotPresent + coap: + repository: edgexfoundry/device-coap + tag: "2.3.0" + pullPolicy: IfNotPresent snmp: repository: edgexfoundry/device-snmp tag: "2.3.0" @@ -188,8 +202,8 @@ edgex: tag: "2.3.0" pullPolicy: IfNotPresent consul: - repository: consul - tag: "1.13.2" + repository: hashicorp/consul + tag: "1.15.2" pullPolicy: IfNotPresent redis: repository: redis @@ -200,13 +214,17 @@ edgex: tag: "1.7.1-alpine" pullPolicy: IfNotPresent vault: - repository: vault - tag: "1.11.4" + repository: hashicorp/vault + tag: "1.13.1" pullPolicy: IfNotPresent bootstrapper: repository: edgexfoundry/security-bootstrapper tag: "2.3.0" pullPolicy: IfNotPresent + proxysetup: + repository: edgexfoundry/security-proxy-setup + tag: "2.3.0" + pullPolicy: IfNotPresent secretstoresetup: repository: edgexfoundry/security-secretstore-setup tag: "2.3.0" @@ -246,6 +264,7 @@ edgex: usbcamera: 59983 onvifcamera: 59984 bacnet: 59980 + coap: 59988 mqtt: 59982 modbus: 59901 snmp: 59993 
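Review bot: every `edgexfoundry/*` image in values.yaml stays at tag `2.3.0`, including the newly added `core-common-config-bootstrapper` and `security-proxy-setup`, while the rest of this diff moves to the 3.0 surface: probes now hit `/api/v3/ping`, secretstore-setup reads `EDGEX_ADD_SECRETSTORE_TOKENS` / `EDGEX_ADD_KNOWN_SECRETS`, and `--confdir=/res` was dropped from the service args. A 2.3.0 service answers `/api/v2/ping` (the path these same probes used before this change), so every startupProbe would fail and the pods restart-loop, and as far as I know `core-common-config-bootstrapper` only exists from 3.0, so that pull fails outright. Bump the tags to the Minnesota (3.0) releases in the same change, and consider a single `edgex.image.tag` default that the per-service entries inherit so the chart cannot half-upgrade like this again; the `consul` and `vault` moves to the `hashicorp/` namespace and the usbcamera switch from the nexus `latest` image to a pinned tag are good.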
@@ -278,6 +297,7 @@ edgex: # replicas defines the number of replicas in a Deployment for the respective application replicas: core: + common_config: 1 command: 1 data: 1 metadata: 1 @@ -300,6 +320,7 @@ edgex: mqtt: 0 modbus: 0 bacnet: 0 + coap: 0 snmp: 0 rfidllrp: 0 gpio: 0 
@@ -318,13 +339,21 @@ edgex: runAsUser: 2002 runAsGroup: 2001 tlsHost: edgex - addConsulRoles: "app-external-mqtt-trigger,app-http-export,app-metrics-influxdb,app-mqtt-export,app-rfid-llrp-inventory,app-sample,device-bacnet,device-gpio,device-modbus,device-mqtt,device-onvif-camera,device-rfid-llrp,device-snmp,device-usb-camera" - addServiceTokens: "app-external-mqtt-trigger, app-http-export, app-metrics-influxdb, app-mqtt-export, app-rfid-llrp-inventory, app-sample, device-bacnet, device-gpio, device-modbus, device-mqtt, device-onvif-camera, device-rest, device-rfid-llrp, device-snmp, device-usb-camera, device-virtual" - addKnownSecrets: "message-bus[app-mqtt-export],message-bus[app-http-export],redisdb[app-external-mqtt-trigger],redisdb[app-http-export],redisdb[app-metrics-influxdb], redisdb[app-metrics-influxdb],redisdb[app-mqtt-export],redisdb[app-rfid-llrp-inventory],redisdb[app-sample],redisdb[device-bacnet],redisdb[device-gpio],redisdb[device-modbus],redisdb[device-mqtt],redisdb[device-onvif-camera],redisdb[device-rest],redisdb[device-rfid-llrp],redisdb[device-snmp], redisdb[device-usb-camera],redisdb[device-virtual]" + addConsulRoles: "app-external-mqtt-trigger,app-http-export,app-metrics-influxdb,app-mqtt-export,app-rfid-llrp-inventory,app-sample,device-bacnet,device-coap,device-gpio,device-modbus,device-mqtt,device-onvif-camera,device-rfid-llrp,device-snmp,device-usb-camera" + addServiceTokens: "app-external-mqtt-trigger,app-http-export,app-metrics-influxdb,app-mqtt-export,app-rfid-llrp-inventory,app-sample,device-bacnet,device-coap,device-gpio,device-modbus,device-mqtt,device-onvif-camera,device-rest,device-rfid-llrp,device-snmp,device-usb-camera,device-virtual" + addKnownSecrets: 
"redisdb[app-external-mqtt-trigger;app-http-export;app-metrics-influxdb;app-mqtt-export;app-rfid-llrp-inventory;app-sample;device-bacnet;device-coap;device-gpio;device-modbus;device-mqtt;device-onvif-camera;device-rest;device-rfid-llrp;device-snmp;device-usb-camera;device-virtual],message-bus[app-external-mqtt-trigger;app-http-export;app-metrics-influxdb;app-mqtt-export;app-rfid-llrp-inventory;app-sample;device-bacnet;device-coap;device-gpio;device-modbus;device-mqtt;device-onvif-camera;device-rest;device-rfid-llrp;device-snmp;device-usb-camera;device-virtual]" # resources defines the cpu and memory limits and requests for the respective application resources: core: + common_config: + enforceLimits: false + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.5 + memory: 256Mi command: enforceLimits: false limits: @@ -480,6 +509,14 @@ edgex: requests: cpu: 0.5 memory: 256Mi + coap: + enforceLimits: false + limits: + cpu: 1 + memory: 512Mi + requests: + cpu: 0.5 + memory: 256Mi snmp: enforceLimits: false limits: