From 9ab2e0ba160020d68d31dce54eb0857e1ea2a2d0 Mon Sep 17 00:00:00 2001 From: Tommy Carpenter Date: Wed, 25 Jul 2018 08:49:20 -0400 Subject: Add self signed cert in Dockerfile Change-Id: Ie013fe125e5b76cf7243a51f25d2d933283a0f86 Issue-ID: DCAEGEN2-562 Signed-off-by: Tommy Carpenter --- Changelog.md | 3 +++ Dockerfile | 7 +++++++ README.md | 40 +++++++++++++++++++++++++--------------- app/app/pom.xml | 4 ++-- app/app/setup.py | 2 +- app/app/tox.ini | 1 - app/pom.xml | 4 ++-- pom.xml | 2 +- tox-local.ini | 2 +- 9 files changed, 42 insertions(+), 23 deletions(-) diff --git a/Changelog.md b/Changelog.md index 9a83c20..d1c2fac 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [2.2.3] - 7/25/2018 +* By request, include a self signed cert so the image always comes up. + ## [2.2.2] - 7/9/2018 * Add EELF metrics log and logging statements * Fixed a redundant Consul call where client.resolve_all did not need to call the transaction API twice diff --git a/Dockerfile b/Dockerfile index ae2f079..6c783f0 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -15,9 +15,16 @@ RUN mkdir -p /etc/nginx/ssl COPY nginxhttps.conf /etc/nginx/conf.d/nginxhttps.conf +#443 is https, 10000 is http +# in the future, hopefully http can go away completely ENV LISTEN_PORT 10000 EXPOSE 443 EXPOSE 10000 +# Mount a self signed certificate that should be overwritten upon Run +RUN apt-get update && \ + apt-get install -y openssl && \ + openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=US/ST=NJ/L=foo/O=ONAP/OU=ONAP/CN=configbinding" + #this is a registrator flag that tells it to ignore 80 from service discovery. Nothing is listening on 80, but the parent Dockerfile here exposes it. This container is internally listening on 10000 and 443. ENV SERVICE_80_IGNORE true diff --git a/README.md b/README.md index cffbe73..6cc17c4 100644 --- a/README.md +++ b/README.md @@ -15,13 +15,7 @@ There is also a "dmaap key", which is the same concept, except what gets injecte In addition, this service provides the capability to retrieve either the DTI events (not history) or the policies for a given service_component. # Usage -hit `url_of_this/service_component/service_component_name` and you are returned your bound config. - -hit `url_of_this/dtievents/service_component_name` and you are returned the dti events for your service_component. - -hit `url_of_this/policies/service_component_name` and you are returned the policies for your service_component. - -(Note: there is also a backdoor in the `client` module that allows you to pass in a direct JSON and a direct rels, but this isn't exposed via the HTTP API as of now) +See the Swagger spec. # Assumptions 1. `CONSUL_HOST` is set as an environmental variable where this binding service is run. If it is not, it defaults to the Rework Consul which is probably not what you want. 
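Review bot: In the Dockerfile hunk, the added `RUN ... openssl req -x509 -nodes ... -keyout /etc/nginx/ssl/nginx.key` runs at build time, so the private key is stored in an image layer and is identical in every container started from that image; anyone who can pull the image can read it, and TLS on 443 with this default pair authenticates nothing. The comment says "Mount", but nothing is mounted at this point; I would word it as `# Default self-signed key/cert baked in at build time; the key is shared by every copy of this image, so mount your own over /etc/nginx/ssl/nginx.key and /etc/nginx/ssl/nginx.crt`. A safer design would generate the pair at container start, and only when no key has been mounted, which still lets the image come up without shipping a shared key. `-days 365` counts from the build date, so an image older than a year will serve an expired certificate unless it is rebuilt. The apt step could also be `apt-get install -y --no-install-recommends openssl && rm -rf /var/lib/apt/lists/*` so the package index is not kept in the layer.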
@@ -47,24 +41,40 @@ X's configuration: This project uses https://hub.docker.com/r/tiangolo/uwsgi-nginx-flask/ This is a solution that runs a productionalized setup using NGINX+uwsgi+Flask (Flask is not meant to be run as a real webserver per their docs). This project requires the app/app structure. Tox still works from the root due to tox magic. -# Testing -You need tox: +This structure, combined with Sonar limitations, leads to an unfortunate need of having three nested poms. There is a top level pom, a tiny pom in /app, and the "main" pom in /app/app. + +# Development +## Version changes +An unforunate consequence of the nested poms is that development changes require a version bump in several places. They are: +1. top level pom +2. pom in /app +3. pom in /app/app +4. setup.py in /app/app +5. Changelod.md + +Additionally, if the development leads to an API change, +6. swagger.yaml in /app/app + +## Testing +You need `tox`. + +To recreate the tox that the ONAP build process calls, from /app/app, *not in a virtual env*, just run: ``` -pip install tox +tox ``` -Then from the root dir, *not in a virtual env*, just run: + +For local development, there is a tox that outputs to an html website that is easier to read and navigate then xml. From the *root*, run ``` -tox +tox -c tox-local.ini ``` -You may have to alter the tox.ini for the python envs you wish to test with. -# Deployment information +# Deployment ## Ports, HTTPS key/cert location The CBS frontend (NGINX) exposes 10000 and 443. It runs HTTP on 10000 and HTTPS on 443. 80 is also exposed by the parent Dockerfile but nothing is listening there so it can be ignored. -If you wish to use HTTPS, it expects a key to be mounted at `/etc/nginx/ssl/nginx.key` and a cert to be mounted at `/etc/nginx/ssl/nginx.crt`. For example, a snippet from a `docker run` command: +The dockerimage mounts it's own self signed certificate. If deploying into a production level scenario, *you should overwrite this cert!*! 
It expects a key to be mounted at `/etc/nginx/ssl/nginx.key` and a cert to be mounted at `/etc/nginx/ssl/nginx.crt`. For example, a snippet from a `docker run` command: ``` ... -v /host/path/to/nginx.key:/etc/nginx/ssl/nginx.key -v /host/path/to/nginx.crt:/etc/nginx/ssl/nginx.crt ... diff --git a/app/app/pom.xml b/app/app/pom.xml index 133c9b5..806098d 100644 --- a/app/app/pom.xml +++ b/app/app/pom.xml @@ -24,13 +24,13 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. org.onap.dcaegen2.platform.configbinding app - 2.2.2-SNAPSHOT + 2.2.3-SNAPSHOT org.onap.dcaegen2.platform.configbinding app-app dcaegen2-platform-configbinding-app-app - 2.2.2-SNAPSHOT + 2.2.3-SNAPSHOT http://maven.apache.org UTF-8 diff --git a/app/app/setup.py b/app/app/setup.py index afca622..237f7c4 100644 --- a/app/app/setup.py +++ b/app/app/setup.py @@ -20,7 +20,7 @@ from setuptools import setup, find_packages setup( name='config_binding_service', - version='2.2.2', + version='2.2.3', packages=find_packages(exclude=["tests.*", "tests"]), author="Tommy Carpenter", author_email="tommy@research.att.com", diff --git a/app/app/tox.ini b/app/app/tox.ini index 7b42d9b..c58161e 100644 --- a/app/app/tox.ini +++ b/app/app/tox.ini @@ -1,7 +1,6 @@ # content of: tox.ini , put in same dir as setup.py [tox] envlist = py36,flake8 -#setupdir=app/app [testenv] deps= diff --git a/app/pom.xml b/app/pom.xml index 4f5506b..52387e6 100644 --- a/app/pom.xml +++ b/app/pom.xml @@ -23,14 +23,14 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. org.onap.dcaegen2.platform configbinding - 2.2.2-SNAPSHOT + 2.2.3-SNAPSHOT org.onap.dcaegen2.platform.configbinding app dcaegen2-platform-configbinding-app - 2.2.2-SNAPSHOT + 2.2.3-SNAPSHOT http://maven.apache.org pom diff --git a/pom.xml b/pom.xml index a4df1f9..2eef1f0 100644 --- a/pom.xml +++ b/pom.xml 
@@ -29,7 +29,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. org.onap.dcaegen2.platform configbinding dcaegen2-platform-configbinding - 2.2.2-SNAPSHOT + 2.2.3-SNAPSHOT http://maven.apache.org pom diff --git a/tox-local.ini b/tox-local.ini index f4a3f65..be6fb90 100644 --- a/tox-local.ini +++ b/tox-local.ini @@ -1,6 +1,6 @@ # content of: tox.ini , put in same dir as setup.py [tox] -envlist = py37,flake8 +envlist = py36,flake8 setupdir=app/app [testenv] -- cgit 1.2.3-korg