authorTomasz Wrobel <tomasz.wrobel@nokia.com>2021-03-29 11:50:57 +0200
committerTomasz Wrobel <tomasz.wrobel@nokia.com>2021-04-09 13:08:42 +0200
commit495e8f8283bd6dfb7b4d4f822b06291a7cf04205 (patch)
tree7e6e5ea2b7e7e8d060ea5a4c10389776355bbe4f
parente5f88ea35d88fc4c956d3a7356bc751a0bb11f2d (diff)
Add configuration of external tls init container - CMPv2
- Add configuration of certificates that exist in a secret - Add configuration of the secret that contains passwords Issue-ID: OOM-2712 Signed-off-by: Tomasz Wrobel <tomasz.wrobel@nokia.com> Change-Id: I4e0d6fb3717fdf19b5110a83d9273fd7bcf75757
-rw-r--r--k8s/ChangeLog.md9
-rw-r--r--k8s/configure/configure.py17
-rw-r--r--k8s/k8sclient/k8sclient.py48
-rw-r--r--k8s/k8splugin_types.yaml2
-rw-r--r--k8s/pom.xml2
-rw-r--r--k8s/setup.py4
-rw-r--r--k8s/tests/common.py15
-rw-r--r--k8s/tests/test_k8sclient_deploy.py9
8 files changed, 82 insertions, 24 deletions
diff --git a/k8s/ChangeLog.md b/k8s/ChangeLog.md
index 67d3d14..76a2449 100644
--- a/k8s/ChangeLog.md
+++ b/k8s/ChangeLog.md
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
+## [3.9.0]
+* OOM-2712 Add a configuration of certificates for communication between external-tls init container and CertService API
+
+## [3.8.0]
+* Update policy lib to 2.5.1
+
+## [3.7.0]
+* Update to python3 version of policy lib
+
## [3.6.0]
* DCAEGEN2-2440 - Add integration with cert-manager.
* Enable creation of certificate custom resource instead cert-service-client container,
diff --git a/k8s/configure/configure.py b/k8s/configure/configure.py
index 142e2ec..d661631 100644
--- a/k8s/configure/configure.py
+++ b/k8s/configure/configure.py
@@ -48,8 +48,12 @@ EXT_TLS_STATE = "California"
EXT_TLS_ORGANIZATIONAL_UNIT = "ONAP"
EXT_TLS_LOCATION = "San-Francisco"
EXT_TLS_CERT_SECRET_NAME = "oom-cert-service-client-tls-secret"
-EXT_TLS_KEYSTORE_PASSWORD = "secret"
-EXT_TLS_TRUSTSTORE_PASSWORD = "secret"
+EXT_TLS_KEYSTORE_PASSWORD_SECRET_NAME = "oom-cert-service-keystore-password"
+EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_NAME = "oom-cert-service-truststore-password"
+EXT_TLS_KEYSTORE_SECRET_KEY = "keystore.jks"
+EXT_TLS_TRUSTSTORE_SECRET_KEY = "truststore.jks"
+EXT_TLS_KEYSTORE_PASSWORD_SECRET_KEY = "password"
+EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_KEY = "password"
CERT_POST_PROCESSOR_IMAGE = "nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.1.0"
CBS_BASE_URL = "https://config-binding-service:10443/service_component_all"
@@ -88,8 +92,13 @@ def _set_defaults():
"organizational_unit" : EXT_TLS_ORGANIZATIONAL_UNIT, # Organizational unit name, for which certificate will be created
"location" : EXT_TLS_LOCATION, # Location name, for which certificate will be created
"cert_secret_name": EXT_TLS_CERT_SECRET_NAME, # Name of secret containing keystore and truststore for secure communication of Cert Service Client and Cert Service
- "keystore_password" : EXT_TLS_KEYSTORE_PASSWORD, # Password to keystore file
- "truststore_password" : EXT_TLS_TRUSTSTORE_PASSWORD # Password to truststore file
+ "keystore_secret_key" : EXT_TLS_KEYSTORE_SECRET_KEY, # Key for keystore value exists in secret (cert_secret_name)
+ "truststore_secret_key" : EXT_TLS_TRUSTSTORE_SECRET_KEY, # Key for truststore value exists in secret (cert_secret_name)
+ "keystore_password_secret_name": EXT_TLS_KEYSTORE_PASSWORD_SECRET_NAME, # Name of secret containing password for keystore for secure communication of Cert Service Client and Cert Service
+ "truststore_password_secret_name": EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_NAME, # Name of secret containing password for truststore for secure communication of Cert Service Client and Cert Service
+ "keystore_password_secret_key" : EXT_TLS_KEYSTORE_PASSWORD_SECRET_KEY, # Key for keystore password value exists in secret (keystore_password_secret_name)
+ "truststore_password_secret_key" : EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_KEY # Key for truststore password value exists in secret (truststore_password_secret_name)
+
},
"cert_post_processor": {
"image_tag": CERT_POST_PROCESSOR_IMAGE # Docker image to use for cert post processor init container
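Review bot: The blank line added just before `},` sits inside the dict literal and reads as a leftover; drop it. The comments on the four new keys are hard to parse ("Key for keystore value exists in secret"); clearer would be `# Key under which the keystore is stored in the secret named by cert_secret_name` and `# Key under which the keystore password is stored in the secret named by keystore_password_secret_name`, with the same wording for the truststore pair. Replacing the two plain-text password defaults with secret name/key references means the passwords no longer live in the plugin's default configuration, which the comment on the `external_cert` block could state so operators know those secrets must exist in the target namespace before a deployment is created. `_set_defaults` starts before this hunk.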
diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py
index 2b9811f..ed8282f 100644
--- a/k8s/k8sclient/k8sclient.py
+++ b/k8s/k8sclient/k8sclient.py
@@ -50,8 +50,6 @@ PORTS = re.compile("^([0-9]+)(/(udp|UDP|tcp|TCP))?:([0-9]+)$")
# Constants for external_cert
MOUNT_PATH = "/etc/onap/oom/certservice/certs/"
-KEYSTORE_PATH = MOUNT_PATH + "certServiceClient-keystore.jks"
-TRUSTSTORE_PATH = MOUNT_PATH + "truststore.jks"
DEFAULT_CERT_TYPE = "p12"
@@ -162,10 +160,18 @@ def _create_container_object(name, image, always_pull, **kwargs):
# Copy any passed in environment variables
env = kwargs.get('env') or {}
env_vars = [client.V1EnvVar(name=k, value=env[k]) for k in env]
+
# Add POD_IP with the IP address of the pod running the container
pod_ip = client.V1EnvVarSource(field_ref=client.V1ObjectFieldSelector(field_path="status.podIP"))
env_vars.append(client.V1EnvVar(name="POD_IP", value_from=pod_ip))
+ # Add envs from Secret
+ if 'env_from_secret' in kwargs:
+ for env in kwargs.get('env_from_secret').values():
+ secret_key_selector = client.V1SecretKeySelector(key=env["secret_key"], name=env["secret_name"])
+ env_var_source = client.V1EnvVarSource(secret_key_ref=secret_key_selector)
+ env_vars.append(client.V1EnvVar(name=env["env_name"], value_from=env_var_source))
+
# If a health check is specified, create a readiness/liveness probe
# (For an HTTP-based check, we assume it's at the first container port)
readiness = kwargs.get('readiness')
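Review bot: The loop at the `for env in kwargs.get('env_from_secret').values()` line rebinds the `env` name that already holds the plain environment dict from `kwargs.get('env') or {}` a few lines above, so after the loop `env` refers to the last secret descriptor; nothing inside the hunk reads it afterwards, but `_create_container_object` continues outside the hunk and the shadowing is easy to trip over. A distinct name avoids that and, written as `for secret_env in (kwargs.get('env_from_secret') or {}).values():` with `secret_env[...]` in the three lines below, also tolerates an explicit `env_from_secret=None` the same way the plain `env` handling does, instead of raising AttributeError. Delivering the passwords through `secretKeyRef` keeps their values out of the rendered pod spec, which is the point of the change; the comment could say what shape is expected, e.g. `# Add envs from Secret: each value is {env_name, secret_name, secret_key}; the dict keys are not used`.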
@@ -419,10 +425,14 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer
ctx.logger.info("Creating init container: external TLS \n * [" + docker_image + "]")
env = {}
+ env_from_secret = {}
output_path = external_cert.get("external_cert_directory")
if not output_path.endswith('/'):
output_path += '/'
+ keystore_secret_key = external_tls_config.get("keystore_secret_key")
+ truststore_secret_key = external_tls_config.get("truststore_secret_key")
+
env["REQUEST_URL"] = external_tls_config.get("request_url")
env["REQUEST_TIMEOUT"] = external_tls_config.get("timeout")
env["OUTPUT_PATH"] = output_path + "external"
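Review bot: `keystore_secret_key` and `truststore_secret_key` are read with `.get()` and so may be None when the configuration omits them, yet in the following hunk they are concatenated onto `MOUNT_PATH` and passed to `V1KeyToPath`, where a None surfaces as a TypeError or a rejected volume spec rather than a clear configuration error. If the merged configuration is guaranteed to carry the `_set_defaults` values this is moot, but a guard right after the two assignments makes the requirement explicit: `if not keystore_secret_key or not truststore_secret_key:` followed by raising a descriptive error in whatever error type the plugin uses for bad configuration. `_add_external_tls_init_container` starts before this hunk.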
@@ -435,21 +445,39 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer
env["STATE"] = external_tls_config.get("state")
env["COUNTRY"] = external_tls_config.get("country")
env["SANS"] = external_cert.get("external_certificate_parameters").get("sans")
- env["KEYSTORE_PATH"] = KEYSTORE_PATH
- env["KEYSTORE_PASSWORD"] = external_tls_config.get("keystore_password")
- env["TRUSTSTORE_PATH"] = TRUSTSTORE_PATH
- env["TRUSTSTORE_PASSWORD"] = external_tls_config.get("truststore_password")
-
+ env["KEYSTORE_PATH"] = MOUNT_PATH + keystore_secret_key
+ env["TRUSTSTORE_PATH"] = MOUNT_PATH + truststore_secret_key
+ env_from_secret["KEYSTORE_PASSWORD"] = \
+ {"env_name": "KEYSTORE_PASSWORD",
+ "secret_name": external_tls_config.get("keystore_password_secret_name"),
+ "secret_key": external_tls_config.get("keystore_password_secret_key")}
+ env_from_secret["TRUSTSTORE_PASSWORD"] = \
+ {"env_name": "TRUSTSTORE_PASSWORD",
+ "secret_name": external_tls_config.get("truststore_password_secret_name"),
+ "secret_key": external_tls_config.get("truststore_password_secret_key")}
# Create the volumes and volume mounts
- sec = client.V1SecretVolumeSource(secret_name=external_tls_config.get("cert_secret_name"))
- volumes.append(client.V1Volume(name="tls-volume", secret=sec))
+ projected_volume = _create_projected_tls_volume(external_tls_config.get("cert_secret_name"),
+ keystore_secret_key,
+ truststore_secret_key)
+
+ volumes.append(client.V1Volume(name="tls-volume", projected=projected_volume))
init_volume_mounts = [
client.V1VolumeMount(name="tls-info", mount_path=external_cert.get("external_cert_directory")),
client.V1VolumeMount(name="tls-volume", mount_path=MOUNT_PATH)]
# Create the init container
init_containers.append(
- _create_container_object("cert-service-client", docker_image, False, volume_mounts=init_volume_mounts, env=env))
+ _create_container_object("cert-service-client", docker_image, False, volume_mounts=init_volume_mounts, env=env, env_from_secret=env_from_secret))
+
+
+def _create_projected_tls_volume(secret_name, keystore_secret_key, truststore_secret_key):
+ items = [
+ client.V1KeyToPath(key=keystore_secret_key, path=keystore_secret_key),
+ client.V1KeyToPath(key=truststore_secret_key, path=truststore_secret_key)]
+ secret_projection = client.V1SecretProjection(name=secret_name, items=items)
+ volume_projection = [client.V1VolumeProjection(secret=secret_projection)]
+ projected_volume = client.V1ProjectedVolumeSource(sources=volume_projection)
+ return projected_volume
def _add_cert_post_processor_init_container(ctx, init_containers, tls_info, tls_config, external_cert,
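Review bot: `_create_projected_tls_volume` has no docstring, and the projected keystore/truststore files take the projected-volume default file mode, which is world-readable inside the container; `V1ProjectedVolumeSource` accepts `default_mode`, so `client.V1ProjectedVolumeSource(sources=volume_projection, default_mode=0o440)` would tighten that, provided the init container's uid or fsGroup can still read the files (verify against the pod security context). A docstring along the lines of "Return a projected volume source exposing the *keystore_secret_key* and *truststore_secret_key* entries of secret *secret_name* as files of the same names, to be mounted under MOUNT_PATH" would let a reader connect this helper to the `KEYSTORE_PATH`/`TRUSTSTORE_PATH` env values built above it. The move of `KEYSTORE_PASSWORD`/`TRUSTSTORE_PASSWORD` into `env_from_secret` is the security-relevant part of the hunk and deserves a one-line comment where the two dicts are built, e.g. `# passwords are injected via secretKeyRef so they never appear as literal values in the pod spec`.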
diff --git a/k8s/k8splugin_types.yaml b/k8s/k8splugin_types.yaml
index 945ed85..0389d14 100644
--- a/k8s/k8splugin_types.yaml
+++ b/k8s/k8splugin_types.yaml
@@ -24,7 +24,7 @@ plugins:
k8s:
executor: 'central_deployment_agent'
package_name: k8splugin
- package_version: 3.8.0
+ package_version: 3.9.0
data_types:
diff --git a/k8s/pom.xml b/k8s/pom.xml
index 7a14297..83b2318 100644
--- a/k8s/pom.xml
+++ b/k8s/pom.xml
@@ -29,7 +29,7 @@ limitations under the License.
<groupId>org.onap.dcaegen2.platform.plugins</groupId>
<artifactId>k8s</artifactId>
<name>k8s-plugin</name>
- <version>3.8.0-SNAPSHOT</version>
+ <version>3.9.0-SNAPSHOT</version>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/k8s/setup.py b/k8s/setup.py
index 47dc38c..97a7408 100644
--- a/k8s/setup.py
+++ b/k8s/setup.py
@@ -24,8 +24,8 @@ from setuptools import setup
setup(
name='k8splugin',
description='Cloudify plugin for containerized components deployed using Kubernetes',
- version="3.8.0",
- author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek, Piotr Marcinkiewicz',
+ version="3.9.0",
+ author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek, Piotr Marcinkiewicz, Tomasz Wrobel',
packages=['k8splugin','k8sclient','configure'],
zip_safe=False,
install_requires=[
diff --git a/k8s/tests/common.py b/k8s/tests/common.py
index 19d94d6..3bd2db1 100644
--- a/k8s/tests/common.py
+++ b/k8s/tests/common.py
@@ -105,15 +105,22 @@ def verify_external_cert(dep):
"STATE": "California",
"COUNTRY": "US",
"SANS": "mysans",
- "KEYSTORE_PATH": "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks",
- "KEYSTORE_PASSWORD": "secret1",
- "TRUSTSTORE_PATH": "/etc/onap/oom/certservice/certs/truststore.jks",
- "TRUSTSTORE_PASSWORD": "secret2"}
+ "KEYSTORE_PATH": "/etc/onap/oom/certservice/certs/keystore.jks",
+ "TRUSTSTORE_PATH": "/etc/onap/oom/certservice/certs/truststore.jks"}
+
envs = {k.name: k.value for k in cert_container.env}
for k in expected_envs:
assert (k in envs and expected_envs[k] == envs[k])
+ envs_from_source = {k.name: k.value_from for k in cert_container.env}
+ expected_secret_key_ref = {
+ "KEYSTORE_PASSWORD": "oom-cert-service-client-tls-secret-password",
+ "TRUSTSTORE_PASSWORD": "oom-cert-service-client-tls-secret-password"
+ }
+ for key, value in expected_secret_key_ref.items():
+ assert (key in envs_from_source and str(envs_from_source[key]).__contains__(value))
+
def verify_cert_post_processor(dep):
cert_container = dep.spec.template.spec.init_containers[2]
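Review bot: The assertion at the `str(envs_from_source[key]).__contains__(value)` line checks the secret name only as a substring of the object's repr and calls the dunder directly; it would also pass if the name appeared in any other field, and it never checks that the reference is a `secret_key_ref` carrying the expected key. Asserting on the structured fields is stronger and reads as ordinary Python: `ref = envs_from_source[key].secret_key_ref` then `assert ref is not None and ref.name == value and ref.key == "password"`. `envs_from_source` also collects `value_from` for every env entry, which is None for the plain-valued ones; that is fine for the lookup but worth a comment such as `# value_from is None for plain-valued envs; only the password entries are checked here`. `verify_external_cert` starts before this hunk.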
diff --git a/k8s/tests/test_k8sclient_deploy.py b/k8s/tests/test_k8sclient_deploy.py
index cd00f37..94957a6 100644
--- a/k8s/tests/test_k8sclient_deploy.py
+++ b/k8s/tests/test_k8sclient_deploy.py
@@ -50,8 +50,13 @@ K8S_CONFIGURATION = {
"state": "California",
"organizational_unit": "ONAP",
"location": "San-Francisco",
- "keystore_password": "secret1",
- "truststore_password": "secret2"
+ "cert_secret_name": "oom-cert-service-client-tls-secret",
+ "keystore_secret_key" : "keystore.jks",
+ "truststore_secret_key" : "truststore.jks",
+ "keystore_password_secret_name": "oom-cert-service-client-tls-secret-password",
+ "truststore_password_secret_name": "oom-cert-service-client-tls-secret-password",
+ "keystore_password_secret_key" : "password",
+ "truststore_password_secret_key" : "password"
},
"cert_post_processor": {
"image_tag": "repo/oom-cert-post-processor:2.1.0"