From c030b48b838ee084269bb77df917341c1b5e9d77 Mon Sep 17 00:00:00 2001 From: Joanna Jeremicz Date: Mon, 13 Sep 2021 15:07:02 +0200 Subject: Add VES manual Helm installation guide - Authentication Support section - External TLS section Issue-ID: DCAEGEN2-2630 Signed-off-by: Joanna Jeremicz Change-Id: Iccdbe2a278ad2818b180dfdf4ccdb321d66f8bf3 --- docs/sections/services/ves-http/index.rst | 1 + .../services/ves-http/installation-helm.rst | 79 ++++++++++++++++++++++ docs/sections/tls_enablement.rst | 72 +++++++++++++++++++- 3 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 docs/sections/services/ves-http/installation-helm.rst (limited to 'docs/sections') diff --git a/docs/sections/services/ves-http/index.rst b/docs/sections/services/ves-http/index.rst index 5b56d44f..7f444247 100644 --- a/docs/sections/services/ves-http/index.rst +++ b/docs/sections/services/ves-http/index.rst @@ -23,6 +23,7 @@ VES Collector (HTTP) overview and functions ./configuration.rst ./delivery.rst ./installation.rst + ./installation-helm.rst ./tls-authentication.rst ./stnd-defined-validation.rst diff --git a/docs/sections/services/ves-http/installation-helm.rst b/docs/sections/services/ves-http/installation-helm.rst new file mode 100644 index 00000000..0a4cd9a9 --- /dev/null +++ b/docs/sections/services/ves-http/installation-helm.rst @@ -0,0 +1,79 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. _ves-installation-helm: + +VES Collector Helm Installation +=============================== + +Authentication Support - Helm based deployment +---------------------------------------------- + +VES Collector support following authentication types + + * *auth.method=noAuth* - no security (http) + * *auth.method=certBasicAuth* - is used to enable mutual TLS authentication or/and basic HTTPs authentication + +Default ONAP deployed VESCollector is configured for "certBasicAuth". + +The default behavior can be changed by upgrading dcaegen2-services deployment with custom values: + .. code-block:: bash + + helm -n onap upgrade -dcaegen2-services oom/kubernetes/dcaegen2-services --reuse-values --values + +For example: + .. code-block:: bash + + helm -n onap upgrade dev-dcaegen2-services oom/kubernetes/dcaegen2-services --reuse-values --values new-config.yaml + +Where the contents of ``new-config.yaml`` file is: + .. code-block:: bash + + dcae-ves-collector: + applicationConfig: + auth.method: "noAuth" + +For small changes like this, it is also possible to inline the new value: + .. code-block:: bash + + helm -n onap upgrade dev-dcaegen2-services oom/kubernetes/dcaegen2-services --reuse-values --set dcae-ves-collector.applicationConfig.auth.method="noAuth" + +After the upgrade, the new auth method value should be visible inside dev-dcae-ves-collector-application-config-configmap Config-Map. +It can be verified by running: + .. code-block:: bash + + kubectl -n onap get cm -o yaml + +For VES Collector: + .. code-block:: bash + + kubectl -n onap get cm dev-dcae-ves-collector-application-config-configmap -o yaml + +Using external TLS certificates obtained using CMP v2 protocol +-------------------------------------------------------------- + +In order to use the X.509 certificates obtained from the CMP v2 server (so called "operator`s certificates"), refer to the following description: + +:ref:`Enabling TLS with external x.509 certificates ` + +Example values for VES Collector: + .. code-block:: bash + + global: + cmpv2Enabled: true + dcae-ves-collector: + useCmpv2Certificates: true + certificates: + - mountPath: /opt/app/dcae-certificate/external + commonName: dcae-ves-collector + dnsNames: + - dcae-ves-collector + - ves-collector + - ves + keystore: + outputType: + - jks + passwordSecretRef: + name: ves-cmpv2-keystore-password + key: password + create: true + diff --git a/docs/sections/tls_enablement.rst b/docs/sections/tls_enablement.rst index bd907697..e5dc3d50 100644 --- a/docs/sections/tls_enablement.rst +++ b/docs/sections/tls_enablement.rst @@ -113,8 +113,8 @@ that is available in R6 but is not currently being used. k8splugin version 2.0.0 uses an init container to supply the CA certificates. -External TLS Support --------------------- +External TLS Support - using Cloudify +------------------------------------- External TLS support was introduced in order to integrate DCAE with CertService to acquire operator certificates meant to protect external traffic between DCAE's components (VES collector, HV-VES, RestConf collector and DFC) and xNFs. For that reason K8s plugin which creates K8s resources from Cloudify blueprints was enhanced with new TLS properties support. New TLS properties are meant to control CertService's client call in init containers section and environment variables which are passed to it. @@ -216,3 +216,71 @@ From k8splugin 3.4.1 when external TLS is enabled (use_external_tls=true), keyst * ``trust.jks.bak``: The (original) file with the AAF CA certificate only. * ``trust.pass``: A text file with a single line that contains the password for ``trust.jks`` and ``trust.jks.bak`` file. * ``cacert.pem``: The AAF CA certificate, in PEM form. + +.. _external-tls-helm: + +External TLS Support - Helm based deployment +-------------------------------------------- + +CMPv2 certificates can be enabled and configured via helm values. The feature is switched on only when: + * ``global.cmpv2Enabled`` flag is set to true + * ``certDirectory`` directory where TLS certs should be stored is set (in a specific component) + * flag ``useCmpv2Certificates`` is set to true (in a specific component) + +Default values for certificates are defined in ``global.certificate.default`` and can be overriden during onap installation process. + + .. code-block:: yaml + + global: + certificate: + default: + renewBefore: 720h #30 days + duration: 8760h #365 days + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap + +CMPv2 settings can be changed in Helm values. + * ``mountPath`` - the directory within the container where certificates should be mounted + * ``commonName`` - indicates common name which should be present in certificate + * ``dnsNames`` - list of DNS names which should be present in certificate + * ``ipAddresses`` - list of IP addresses which should be present in certificate + * ``uris`` - list of uris which should be present in certificate + * ``emailAddresses`` - list of email addresses which should be present in certificate + * ``outputType`` - indicates certificate output type (jks or p12) + + .. code-block:: yaml + + certificates: + - mountPath: + commonName: + dnsNames: + - + - + ... + ipAddresses: + ... + uris: + ... + emailAddresses: + ... + keystore: + outputType: + - + passwordSecretRef: + name: + key: + create: + +The values can be changed by upgrading a component with modified values, eg. + + .. code-block:: bash + + helm -n onap upgrade --values -- cgit 1.2.3-korg