authorKrzysztof Gajewski <krzysztof.gajewski@nokia.com>2020-10-15 20:33:34 +0200
committerKrzysztof Gajewski <krzysztof.gajewski@nokia.com>2020-10-29 14:14:10 +0000
commitcd2e66f770d8778dbd5c95a73fa810b9ee0ee779 (patch)
tree2ae935051ea2ff955dcf7efc6c5dd2dca1fe3cd2
parent3ed223d7f77b43033fa97d584246db4a386d6b0c (diff)
[SO] Enable SO-Monitoring - use HTTPS and certInitializer
- SO-Monitoring service exposed as NodePort - Certs are retrieved dynamically using certInitializer Issue-ID: SO-2920 Signed-off-by: Krzysztof Gajewski <krzysztof.gajewski@nokia.com> Change-Id: I04e6556bcddc3c67afc2a76c5b4fecb59a134911
-rwxr-xr-xkubernetes/onap/values.yaml6
-rwxr-xr-xkubernetes/so/components/so-monitoring/requirements.yaml4
-rw-r--r--kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml18
-rw-r--r--kubernetes/so/components/so-monitoring/templates/deployment.yaml27
-rw-r--r--kubernetes/so/components/so-monitoring/templates/service.yaml7
-rw-r--r--kubernetes/so/components/so-monitoring/values.yaml51
6 files changed, 95 insertions, 18 deletions
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 3413c3840e..eb6d5b1e2c 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -295,6 +295,12 @@ so:
openStackServiceTenantName: "service"
openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"
+ # in order to enable static password for so-monitoring uncomment:
+ # so-monitoring:
+ # server:
+ # monitoring:
+ # password: demo123456!
+
# configure embedded mariadb
mariadb:
config:
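Review bot: The commented-out override added above `# configure embedded mariadb` spells out a concrete password, and an example like this tends to be uncommented as-is and end up as the deployed credential. I would show a placeholder instead, `# password: <set-a-site-specific-value>`, and mention the alternative the component chart already supports, `# soMonitoringCredsExternalSecret: <name of an existing secret>`. If the literal is kept and ever uncommented, it should be quoted, since a value ending in `!` is easy to mangle when passed through shell or `--set`.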
diff --git a/kubernetes/so/components/so-monitoring/requirements.yaml b/kubernetes/so/components/so-monitoring/requirements.yaml
index 2eb32d00ed..29f9a9fcd0 100755
--- a/kubernetes/so/components/so-monitoring/requirements.yaml
+++ b/kubernetes/so/components/so-monitoring/requirements.yaml
@@ -1,4 +1,5 @@
# Copyright © 2017 Amdocs, Bell Canada
+# Modifications © 2020 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -18,3 +19,6 @@ dependencies:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: soHelpers
+ version: ~6.x-0
+ repository: 'file://../soHelpers'
diff --git a/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml b/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml
index c2e6ad06f3..cf54fa43f8 100644
--- a/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml
+++ b/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml
@@ -1,8 +1,17 @@
server:
port: {{ index .Values.containerPort }}
+ {{- if .Values.global.aafEnabled }}
+ ssl:
+ keyStore: ${KEYSTORE}
+ keyStorePassword: ${KEYSTORE_PASSWORD}
+ trustStore: ${TRUSTSTORE}
+ trustStorePassword: ${TRUSTSTORE_PASSWORD}
+ {{- end }}
tomcat:
max-threads: 50
+ {{- if not .Values.global.aafEnabled }}
ssl-enable: false
+ {{- end }}
camunda:
rest:
api:
@@ -15,3 +24,12 @@ mso:
api:
url: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083/infraActiveRequests/
auth: Basic YnBlbDpwYXNzd29yZDEk
+spring:
+ main:
+ allow-bean-definition-overriding: true
+ security:
+ usercredentials:
+ -
+ username: ${SO_MONITORING_USERNAME}
+ password: ${SO_MONITORING_PASSWORD}
+ role: GUI-Client
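Review bot: The new `spring.security.usercredentials` entry has no comment saying that `${SO_MONITORING_PASSWORD}` must be a bcrypt hash rather than the plaintext; that is only visible in deployment.yaml, where the container command derives it with htpasswd. A line such as `# password is the bcrypt hash exported by the container command, not the plaintext secret` above `password:` would stop someone from wiring the secret value in directly. `allow-bean-definition-overriding: true` also deserves a one-line reason, because it silences duplicate bean definitions application-wide and can hide a misconfiguration later.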
diff --git a/kubernetes/so/components/so-monitoring/templates/deployment.yaml b/kubernetes/so/components/so-monitoring/templates/deployment.yaml
index f5969738f6..9463b28271 100644
--- a/kubernetes/so/components/so-monitoring/templates/deployment.yaml
+++ b/kubernetes/so/components/so-monitoring/templates/deployment.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2018 Ericsson. All rights reserved.
+# Modifications Copyright © 2020 Nokia
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -42,7 +43,7 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
- initContainers:
+ initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }}
- name: so-chown
image: alpine:3.6
volumeMounts:
@@ -55,6 +56,21 @@ spec:
- name: {{ include "common.name" . }}
image: {{ include "common.repository" . }}/{{ .Values.image }}
resources: {{ include "common.resources" . | nindent 12 }}
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ export SO_MONITORING_PASSWORD=`htpasswd -bnBC 10 "" $SO_MON_PASS | tr -d ':\n' | sed 's/\$2y/\$2a/'`
+ {{- if .Values.global.aafEnabled }}
+ export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.cred.props | xargs -0)
+ export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+ export KEYSTORE=file://$cadi_keystore
+ export KEYSTORE_PASSWORD=$cadi_keystore_password_p12
+ export TRUSTSTORE=file://$cadi_truststore
+ export TRUSTSTORE_PASSWORD=$cadi_truststore_password
+ {{- end }}
+ /app/start-app.sh
env:
- name: DB_HOST
valueFrom:
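Review bot: `$SO_MON_PASS` is expanded unquoted and passed to `htpasswd -b` as an argument on the first line of the script, so a password containing whitespace or glob characters is split or expanded before hashing, and the plaintext sits in the container's process list while htpasswd runs. Reading it from stdin avoids both: `export SO_MONITORING_PASSWORD=$(printf '%s' "$SO_MON_PASS" | htpasswd -niBC 10 "" | tr -d ':\n' | sed 's/\$2y/\$2a/')`. Nothing checks the result either, so if htpasswd is absent from the image or fails, the variable is exported empty and `/app/start-app.sh` still runs; `[ -n "$SO_MONITORING_PASSWORD" ] || exit 1` followed by `unset SO_MON_PASS` would fail closed and keep the plaintext out of the application's environment. The two `export $(grep '^c' … | xargs -0)` lines word-split the keystore and truststore passwords in the same way, and the last line could be `exec /app/start-app.sh` so the application receives pod termination signals directly.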
@@ -74,11 +90,16 @@ spec:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }}
- name: DB_ADMIN_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }}
+ - name: SO_MONITORING_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 10 }}
+ - name: SO_MON_PASS
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 10 }}
+
envFrom:
- configMapRef:
name: {{ include "common.fullname" . }}-configmap
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- volumeMounts:
+ volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }}
- name: logs
mountPath: /app/logs
- name: config
@@ -101,7 +122,7 @@ spec:
- containerPort: {{ index .Values.containerPort }}
name: {{ .Values.service.portName }}
protocol: TCP
- volumes:
+ volumes: {{ include "so.certificate.volumes" . | nindent 6 }}
- name: logs
emptyDir: {}
- name: config
diff --git a/kubernetes/so/components/so-monitoring/templates/service.yaml b/kubernetes/so/components/so-monitoring/templates/service.yaml
index c4c2ae9d13..660ddb8125 100644
--- a/kubernetes/so/components/so-monitoring/templates/service.yaml
+++ b/kubernetes/so/components/so-monitoring/templates/service.yaml
@@ -1,5 +1,6 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2018 Ericsson. All rights reserved.
+# Modifications © 2020 Nokia
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,9 +28,13 @@ metadata:
release: {{ include "common.release" . }}
heritage: {{ .Release.Service }}
spec:
+ {{if .Values.global.aafEnabled -}}
type: {{ .Values.service.type }}
+ {{- else -}}
+ type: ClusterIP
+ {{- end }}
ports:
- {{if eq .Values.service.type "NodePort" -}}
+ {{if and (eq .Values.service.type "NodePort") (.Values.global.aafEnabled) -}}
- port: {{ .Values.service.internalPort }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
name: {{ .Values.service.portName }}
diff --git a/kubernetes/so/components/so-monitoring/values.yaml b/kubernetes/so/components/so-monitoring/values.yaml
index e746baf1bb..9ba1d7b7d8 100644
--- a/kubernetes/so/components/so-monitoring/values.yaml
+++ b/kubernetes/so/components/so-monitoring/values.yaml
@@ -1,6 +1,7 @@
# ============LICENSE_START=======================================================
# Copyright (C) 2018 Ericsson. All rights reserved.
# Copyright (C) 2020 Huawei
+# Modifications Copyright © 2020 Nokia
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,8 +28,15 @@ global:
readinessImage: onap/oom/readiness:3.0.1
aafAgentImage: onap/aaf/aaf_agent:2.1.20
envsubstImage: dibi/envsubst
+ aafEnabled: true
persistence:
mountPath: /dockerdata-nfs
+ security:
+ aaf:
+ enabled: true
+ aaf:
+ auth:
+ header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo=
#################################################################
# Secrets metaconfig
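Review bot: The `header: Basic …` default added under `aaf.auth` puts a reusable credential into the chart's values, and base64 is an encoding rather than protection, so anyone who can read the chart or the rendered manifests has it. The value also appears to end in an encoded newline (the `go=` tail), which usually comes from `echo` without `-n` and would make the decoded password differ from the intended one; that is worth confirming against what AAF expects. I would leave the default empty and have deployments supply it from a secret, or at the very least mark it with `# demo-only credential, must be overridden outside lab installs`.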
@@ -46,25 +54,21 @@ secrets:
login: '{{ .Values.db.adminName }}'
password: '{{ .Values.db.adminPassword }}'
passwordPolicy: required
+ - uid: app-user-creds
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.server.monitoring.soMonitoringCredsExternalSecret) . }}'
+ login: '{{ .Values.server.monitoring.username }}'
+ password: '{{ .Values.server.monitoring.password }}'
#secretsFilePaths: |
# - 'my file 1'
# - '{{ include "templateThatGeneratesFileName" . }}'
#################################################################
-# AAF part
-#################################################################
-soHelpers:
- nameOverride: so-monitoring-cert-init
- certInitializer:
- nameOverride: so-monitoring-cert-init
- credsPath: /opt/app/osaaf/local
-
-#################################################################
# Application configuration defaults.
#################################################################
repository: nexus3.onap.org:10001
-image: onap/so/so-monitoring:1.6.4
+image: onap/so/so-monitoring:1.7.7
pullPolicy: Always
db:
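Review bot: The new `app-user-creds` entry sets no `passwordPolicy`, while `db-admin-creds` directly above it uses `passwordPolicy: required`, and `server.monitoring.password` is commented out in this chart's defaults. I cannot see the shared secret template from this hunk, but if it falls back to generating a value, operators get a GUI password they were never told about and have to dig it out of the Kubernetes secret. Stating the policy explicitly on this entry and adding a comment such as `# password is generated when neither server.monitoring.password nor soMonitoringCredsExternalSecret is set` would make the behaviour visible.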
@@ -77,15 +81,34 @@ db:
replicaCount: 1
minReadySeconds: 10
-containerPort: 9091
+containerPort: &containerPort 9091
logPath: app/logs/
app: so-monitoring
+
+#################################################################
+# soHelpers part
+#################################################################
+soHelpers:
+ nameOverride: so-monitoring-cert-init
+ certInitializer:
+ nameOverride: so-monitoring-cert-init
+ credsPath: /opt/app/osaaf/local
+ cadi:
+ apiEnforcement: org.onap.so.monitoringPerm
+ containerPort: *containerPort
+
+server:
+ monitoring:
+ username: demo
+ # password: demo123456!
+ # soMonitoringCredsExternalSecret: some secret
+
service:
#Since this is a feature for monitoring the service type is changed to internal, users can change it to NodePort on need basis...
- type: ClusterIP
+ type: NodePort
nodePort: 24
- internalPort: 9091
- externalPort: 9091
+ internalPort: *containerPort
+ externalPort: *containerPort
portName: so-monitor-port
updateStrategy:
type: RollingUpdate
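Review bot: The default `service.type` changes from `ClusterIP` to `NodePort`, but the comment directly above it still says the type "is changed to internal", so the comment now contradicts the value while the monitoring GUI becomes reachable on every node by default whenever `global.aafEnabled` is true. Either keep `ClusterIP` as the default or rewrite the comment, e.g. `# Exposed as NodePort over HTTPS when global.aafEnabled is true; set to ClusterIP to keep it cluster-internal`. Separately, the `*containerPort` aliases are resolved when this file is parsed, so overriding `containerPort` from a parent chart or with `--set` will not change `service.internalPort`, `service.externalPort` or `soHelpers.containerPort`; a comment saying these must be overridden together would prevent a mismatched port. The shipped `username: demo` would also benefit from `# lab default, change for real deployments`.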