Merging changes

docs/antora.yml

@@ -1,5 +1,5 @@
 name: opennmshelmcharts
-version: '1.0.0'
+version: '1.1.0'
 title: Helm Charts (Kubernetes)
 nav:
   - modules/ROOT/nav.adoc

horizon/Chart.yaml

@@ -17,13 +17,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.0-beta1
+version: 1.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "32.0.3"
+appVersion: "32.0.4"
 
 maintainers:
   - name: The OpenNMS Group Inc.

horizon/OpenShift_README.md

@@ -0,0 +1,33 @@
+# OpenNMS Helm Charts with OpenShift: Documentation (1.1.0)
+
+OpenNMS Helm Charts makes it easier for users to run OpenNMS Horizon on a Red Hat OpenShift or Kubernetes environment. It provides a package that includes all the resources needed to deploy Horizon.
+This documentation provides basic information on how to install Horizon on Red Hat OpenShift. For information on how to use Red Hat OpenShift, refer to the [product documentation](https://access.redhat.com/documentation/en-us/openshift_container_platform/).
+
+## Limitations and Known Issues
+
+* Removing `CAP_NET_RAW` capability or setting allowPrivilegeEscalation to false will impact ICMP and auto discovery features.
+  * **WORKAROUND:** Use a Minion that is located outside of the OpenShift cluster.
+
+## Install OpenNMS Horizon on OpenShift
+> **NOTE:** By default, OpenNMS will create a ClusterRole, ClusterRoleBinding, Route, SecurityContextConstraints, and ServiceAccount. The user used to install OpenNMS must have the required permissions to make these modifications the OpenShift Cluster, including admin access. There are options to disable the creation of these elements, but if you do so, you will need to figure out a way to get the pods to work.
+
+1. Log in to OpenShift and switch to Developer view.
+2. Create a project with a unique name.
+3. Go to the Helm section.
+4. In the Create drop-down menu, select Repository.
+    * In the Create Repository page,
+    * Add a unique name and display name.
+    * Use https://opennms.github.io/helm-charts/ for the URL.
+    * Save the changes.
+5. In the Create drop-down menu, select Helm Release.
+6. Under Repository, select the newly created repository entry.
+7. Click on Horizon.
+8.	Make sure that the project name matches the name you set in step 2.
+    * Skip this step if you are setting “CreateNamespace” option to true.
+9.	Make the required modifications (for example, set the PostgreSQL information).
+10.	Click Create.
+11.	Wait for the pods to come up. This may take a few minutes.
+
+**NOTE:** The process to install the Minion is similar.
+
+

horizon/scripts/onms-core-init.sh

@@ -104,6 +104,12 @@ echo "Package: ${PKG}"
 echo "Version: ${VERSION}"
 echo "Major: ${MAJOR}"
 
+IFS=. read -r MAJOR MINOR PATCH <<<"$VERSION"
+echo "Minor: ${MINOR}"
+PATCH=${PATCH//-SNAPSHOT}
+echo "Patch: ${PATCH}"
+
+
 # Verify if Twin API is available
 USE_TWIN="false"
 if [[ "$PKG" == *"meridian"* ]]; then
@@ -112,7 +118,7 @@ if [[ "$PKG" == *"meridian"* ]]; then
     USE_TWIN=true
   fi
 else
-  echo "OpenNMS Horizon $MAJOR detected"
+  echo "OpenNMS Core $MAJOR detected"
   if (( $MAJOR > 28 )); then
     USE_TWIN=true
   fi
@@ -265,11 +271,26 @@ acknowledged-at=Sun Mar 01 00\:00\:00 EDT 2020
 EOF
 
 # Configure Database access
+USE_UPDATED_DATASOURCE=false
+if [ "${MAJOR}" -eq 32 ];then
+  if [ "${MINOR}" -gt 0 ];then
+    USE_UPDATED_DATASOURCE=true
+  elif [ "${MINOR}" -eq 0 ] && [ "${PATCH}" -ge 4 ];then
+    USE_UPDATED_DATASOURCE=true
+  else
+    USE_UPDATED_DATASOURCE=false
+  fi
+elif [ "${MAJOR}" -ge 33 ] && [ "${MAJOR}" -lt 2000 ]; then
+  USE_UPDATED_DATASOURCE=true
+else
+  USE_UPDATED_DATASOURCE=false
+fi
+echo "USE_UPDATED_DATASOURCE: $USE_UPDATED_DATASOURCE"
 cat <<EOF > ${CONFIG_DIR_OVERLAY}/opennms-datasources.xml
 <?xml version="1.0" encoding="UTF-8"?>
-<datasource-configuration xmlns:this="http://xmlns.opennms.org/xsd/config/opennms-datasources"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://xmlns.opennms.org/xsd/config/opennms-datasources
+<datasource-configuration xmlns:this="http://xmlns.opennms.org/xsd/config/opennms-datasources" 
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+  xsi:schemaLocation="http://xmlns.opennms.org/xsd/config/opennms-datasources 
   http://www.opennms.org/xsd/config/opennms-datasources.xsd ">
 
   <connection-pool factory="org.opennms.core.db.HikariCPConnectionFactory"
@@ -279,13 +300,43 @@ cat <<EOF > ${CONFIG_DIR_OVERLAY}/opennms-datasources.xml
     maxPool="50"
     maxSize="${OPENNMS_DATABASE_CONNECTION_MAXPOOL}" />
 
-  <jdbc-data-source name="opennms"
-                    database-name="${OPENNMS_DBNAME}"
-                    class-name="org.postgresql.Driver"
+  <jdbc-data-source name="opennms" 
+                    database-name="${OPENNMS_DBNAME}" 
+                    class-name="org.postgresql.Driver" 
                     url="jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/${OPENNMS_DBNAME}?sslmode=${POSTGRES_SSL_MODE}&amp;sslfactory=${POSTGRES_SSL_FACTORY}"
                     user-name="${OPENNMS_DBUSER}"
                     password="${OPENNMS_DBPASS}" />
 
+EOF
+if $USE_UPDATED_DATASOURCE; then
+cat <<EOF >> ${CONFIG_DIR_OVERLAY}/opennms-datasources.xml
+  <jdbc-data-source name="opennms-admin" 
+                    database-name="template1" 
+                    class-name="org.postgresql.Driver" 
+                    url="jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/template1?sslmode=${POSTGRES_SSL_MODE}&amp;sslfactory=${POSTGRES_SSL_FACTORY}"
+                    user-name="${POSTGRES_USER}"
+                    password="${POSTGRES_PASSWORD}">
+    <connection-pool idleTimeout="600"
+                     minPool="0"
+                     maxPool="10"
+                     maxSize="${OPENNMS_DATABASE_CONNECTION_MAXPOOL}" />
+  </jdbc-data-source>
+
+  <jdbc-data-source name="opennms-monitor" 
+                    database-name="postgres" 
+                    class-name="org.postgresql.Driver" 
+                    url="jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/postgres?sslmode=${POSTGRES_SSL_MODE}&amp;sslfactory=${POSTGRES_SSL_FACTORY}"
+                    user-name="${POSTGRES_PASSWORD}"
+                    password="${POSTGRES_PASSWORD}">
+    <connection-pool idleTimeout="600"
+                     minPool="0"
+                     maxPool="10"
+                     maxSize="${OPENNMS_DATABASE_CONNECTION_MAXPOOL}" />
+  </jdbc-data-source>
+</datasource-configuration>
+EOF
+else
+cat <<EOF >> ${CONFIG_DIR_OVERLAY}/opennms-datasources.xml
   <jdbc-data-source name="opennms-admin"
                     database-name="template1"
                     class-name="org.postgresql.Driver"
@@ -294,6 +345,7 @@ cat <<EOF > ${CONFIG_DIR_OVERLAY}/opennms-datasources.xml
                     password="${POSTGRES_PASSWORD}"/>
 </datasource-configuration>
 EOF
+fi
 
 # Enable storeByGroup to improve performance
 # RRD Strategy is enabled by default
@@ -517,10 +569,16 @@ else
 fi
 
 echo "Updating admin password"
-if [[ -e "/opt/opennms/bin/password.jar" ]];then 
- java -jar /opt/opennms/bin/password.jar "${CONFIG_DIR}/users.xml" "admin" "${OPENNMS_ADMIN_PASS}"
+if [[ -e "/opt/opennms/bin/password" ]];then 
+   cp ${CONFIG_DIR}/users.xml /opt/opennms/etc/users.xml 
+   echo "RUNAS=$(whoami)" > /opt/opennms/etc/opennms.conf
+   /opt/opennms/bin/runjava -s -q 
+   /opt/opennms/bin/password "admin" "${OPENNMS_ADMIN_PASS}"
+   rm /opt/opennms/etc/opennms.conf /opt/opennms/etc/java.conf
+   cp /opt/opennms/etc/users.xml ${CONFIG_DIR}/users.xml
 elif command -v perl   >/dev/null 2>&1; then
  perl /scripts/onms-set-admin-password.pl ${CONFIG_DIR}/users.xml admin "${OPENNMS_ADMIN_PASS}"
 else
- echo "We are unable to update Admin password. You can use the default password to login."
+ echo "We are unable to update Admin password. Exiting."
+ exit 1
 fi

horizon/templates/app-settings.configmap.yaml

@@ -60,3 +60,4 @@ data:
   GF_DATABASE_SSL_MODE: {{ (((.Values.grafana).configuration).database).sslmode | default "disable" | quote }}
   GF_DATABASE_CA_CERT_PATH: "/etc/java/jks/postgresql-ca.crt"
   GF_SESSION_PROVIDER: "postgres"
+  ON_OPENSHIFT: {{ if eq (include "onOpenShift" .) "true" }}"true"{{ else }}"false"{{ end }}

horizon/templates/grafana-helm.route.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq (include "onOpenShift" .) "true") ((.Values.dependencies).route) }}
+{{- if and (eq (include "onOpenShift" .) "true") ((.Values.dependencies).route) (gt ((.Values.grafana).replicaCount|int) 0) }}
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
@@ -31,5 +31,4 @@ status:
         - type: Admitted
           status: 'True'
       wildcardPolicy: None
-      #routerCanonicalHostname: router-default.apps-crc.testing
 {{- end }}

horizon/templates/ingress.yaml

@@ -1,3 +1,5 @@
+# TODO: Add an option to disable this
+{{- if ((.Values.ingress).className) }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -49,3 +51,4 @@ spec:
                 port:
                   number: 3000
     {{- end }}
+{{- end }}

horizon/templates/opennms-core.scc.yaml

@@ -9,17 +9,12 @@ allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
-allowPrivilegeEscalation: true
+allowPrivilegeEscalation: {{ (.Values.dependencies.securitycontext).allowPrivilegeEscalation }}
 allowPrivilegedContainer: false
-allowedCapabilities:
-- NET_BIND_SERVICE
-- NET_RAW
-- CAP_NET_RAW
+allowedCapabilities: {{ toYaml (.Values.dependencies.securitycontext).allowedCapabilities | nindent 2 }}
 apiVersion: security.openshift.io/v1
 defaultAddCapabilities:
 - NET_BIND_SERVICE
-- NET_RAW
-- CAP_NET_RAW
 fsGroup:
   type: RunAsAny
 groups: []

horizon/templates/opennms-core.statefulset.yaml

@@ -28,23 +28,29 @@ spec:
       {{- if .Values.core.configuration.alwaysRollDeployment }}
         rollme: {{ randAlphaNum 5 | quote }}
       {{- end }}
-      {{- if eq (include "onOpenShift" .) "true" }}
+      {{- if and (eq (include "onOpenShift" .) "true") ((.Values.dependencies.securitycontext).securitycontextconstraints.enabled) }}
         openshift.io/scc: {{ (.Values.dependencies.securitycontext).securitycontextconstraints.name | quote }} 
       {{- end }}
         kubectl.kubernetes.io/default-container: "onms"
     spec:
-      {{- if eq (include "onOpenShift" .) "true" }}
+      {{- if and (eq (include "onOpenShift" .) "true") ((.Values.dependencies.securitycontext).serviceaccount.enabled) }}
       serviceAccountName: {{ (.Values.dependencies.securitycontext).serviceaccount.name | quote }} 
       {{- end }}
       securityContext:
-          fsGroup: 10001
          {{- if eq (include "onOpenShift" .) "true" }}
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
           capabilities:
+          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
             add:
-             - NET_RAW
+             - CAP_NET_RAW
+          {{- else }}
+            drop:
+             - ALL
+          {{- end }}
+         {{- else }}
+          fsGroup: 10001
          {{- end }}
       terminationGracePeriodSeconds: {{ .Values.core.terminationGracePeriodSeconds | default 120 }}
       {{- if .Values.imagePullSecrets }}
@@ -59,9 +65,11 @@ spec:
         image: {{ .Values.core.configuration.alecImage.repository }}:{{ .Values.core.configuration.alecImage.tag }}
         imagePullPolicy: {{ .Values.core.configuration.alecImage.pullPolicy }}
         command: [ cp, /plugins/opennms-alec-plugin.kar, /opennms-deploy ]
-        #securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
-        #  runAsUser: 10001
-        #  runAsGroup: 10001
+        {{- if eq (include "onOpenShift" .) "false" }}
+        securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
+          runAsUser: 10001
+          runAsGroup: 10001
+        {{- end }}
         volumeMounts:
         - name: deploy
           mountPath: /opennms-deploy # Required by the init script - DEPLOY_DIR
@@ -71,9 +79,11 @@ spec:
         image: {{ .Values.core.configuration.cortexTssImage.repository }}:{{ .Values.core.configuration.cortexTssImage.tag }}
         imagePullPolicy: {{ .Values.core.configuration.cortexTssImage.pullPolicy }}
         command: [ cp, /plugins/opennms-cortex-tss-plugin.kar, /opennms-deploy ]
-        #securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
-        #  runAsUser: 10001
-        #  runAsGroup: 10001
+        {{- if eq (include "onOpenShift" .) "false" }}
+        securityContext: # To guarantee ownership of the KAR file so that OpenNMS won't complain.
+          runAsUser: 10001
+          runAsGroup: 10001
+        {{- end }}
         volumeMounts:
         - name: deploy
           mountPath: /opennms-deploy # Required by the init script - DEPLOY_DIR
@@ -83,15 +93,21 @@ spec:
       - name: init
         image: {{ $image }}
         imagePullPolicy: {{ .Values.core.image.pullPolicy }}
-        {{- if eq (include "onOpenShift" .) "true" }}
         securityContext:
-          fsGroup: 10001
+        {{- if eq (include "onOpenShift" .) "true" }}
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
           capabilities:
+          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
             add:
-             - NET_RAW
+             - CAP_NET_RAW
+          {{- else }}
+            drop:
+             - ALL
+          {{- end }}
+        {{- else }}
+          fsGroup: 10001
         {{- end }}
         command: [ bash, /scripts/onms-core-init.sh ]
         envFrom:
@@ -120,16 +136,22 @@ spec:
       containers:
       - name: onms
         image: {{ $image }}
-        {{- if eq (include "onOpenShift" .) "true" }}
         securityContext:
-          fsGroup: 10001
+        {{- if eq (include "onOpenShift" .) "true" }}
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
           capabilities:
+          {{- if has "CAP_NET_RAW" (.Values.dependencies.securitycontext).allowedCapabilities }}
             add:
-             - NET_RAW
-         {{- end }}
+             - CAP_NET_RAW
+          {{- else }}
+            drop:
+             - ALL
+          {{- end }}
+        {{- else }}
+          fsGroup: 10001
+        {{- end }}
         sysctls:
           - name: net.ipv4.ping_group_range
             value: 0 429496729
@@ -169,6 +191,12 @@ spec:
           mountPath: /opt/opennms/.postgresql/root.crt
           subPath: postgresql-ca.crt
         env:
+        {{- if eq (include "onOpenShift" .) "true" }}
+        {{- if or (not (has "CAP_NET_RAW" ((.Values.dependencies).securitycontext).allowedCapabilities)) (not ((.Values.dependencies).securitycontext).allowPrivilegeEscalation )  }}
+        - name: JAVA_HOME
+          value: /usr/lib/jvm/java-nocap
+        {{- end }}   
+        {{- end }}   
         {{- $opt :=  include "core.jvmOptions" . }}
         {{- if .Values.core.resources }}
         {{- with .Values.core.resources }}
@@ -187,7 +215,7 @@ spec:
         {{- else }}
         - name: JAVA_OPTS
           value: {{ $opt }}
-        {{- end }}
+        {{- end }} 
         startupProbe:
           httpGet:
             path: /opennms/login.jsp

horizon/templates/opennms-post-config.job.yaml

@@ -13,6 +13,12 @@ spec:
   template:
     spec:
       restartPolicy: Never
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- range $k, $r := .Values.imagePullSecrets }}
+        - name: {{ $r.name }}
+        {{- end }}
+      {{- end }}
       containers:
       - name: init
         image: {{ printf "%s:%s" .Values.core.image.repository (.Values.core.image.tag | default .Chart.AppVersion) }}