Provide cacert in JKS format for clients

Issue-ID: DCAEGEN2-1938 Signed-off-by: Jack Lucas <jflucas@research.att.com> Change-Id: Ic9a852bb058075b2b03aa6382ed33e23a4cca8b5
author: Jack Lucas <jflucas@research.att.com> 2020-02-03 17:11:07 -0500
committer: Jack Lucas <jflucas@research.att.com> 2020-02-25 17:46:43 -0500
commit: 52b94c834d1c0252873ca4ced0ba3818648eccfe (patch)
tree: 3cd5484eaacf9fc578c6761d4b29c98c9bb87b46
parent: c7a8e732d235d0b8ce714f5153d37d2364c9a01c (diff)
8 files changed, 40 insertions, 55 deletions
diff --git a/k8s/configure/configure.py b/k8s/configure/configure.py
index 959c215..d51b87b 100644
--- a/k8s/configure/configure.py
+++ b/k8s/configure/configure.py
@@ -1,7 +1,7 @@
 # ============LICENSE_START=======================================================
 # org.onap.dcae
 # ================================================================================
-# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2019 Pantheon.tech. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,8 +16,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ============LICENSE_END=========================================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
 
 _CONFIG_PATH = "/opt/onap/config.txt"   # Path to config file on the Cloudify Manager host
 _CONSUL_KEY = "k8s-plugin"              # Key under which CM configuration is stored in Consul
@@ -26,6 +24,7 @@ _CONSUL_KEY = "k8s-plugin"              # Key under which CM configuration is st
 DCAE_NAMESPACE = "dcae"
 CONSUL_DNS_NAME = "consul"
 DEFAULT_K8S_LOCATION = "central"
+DEFAULT_MAX_WAIT = 1800
 
 FB_LOG_PATH = "/var/log/onap"
 FB_DATA_PATH = "/usr/share/filebeat/data"
@@ -34,9 +33,9 @@ FB_CONFIG_SUBPATH = "filebeat.yml"
 FB_CONFIG_MAP = "filebeat-conf"
 FB_IMAGE = "docker.elastic.co/beats/filebeat:5.5.0"
 
-TLS_CERT_PATH = "/opt/tls/shared"
-TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.0"
-TLS_CA_CERT_PATH = "/opt/dcae/cacert/cacert.pem"
+TLS_CERT_PATH = "/opt/app/osaaf"
+TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0"
+TLS_COMP_CERT_PATH = "/opt/dcae/cacert"
 TLS_CA_CONFIGMAP = "dcae-cacert-configmap"
 
 CBS_BASE_URL = "https://config-binding-service:10443/service_component_all"
@@ -48,6 +47,7 @@ def _set_defaults():
         "consul_dns_name" : CONSUL_DNS_NAME,            # k8s internal DNS name for Consul
         "default_k8s_location" : DEFAULT_K8S_LOCATION,  # default k8s location to deploy components
         "image_pull_secrets" : [],                      # list of k8s secrets for accessing Docker registries
+        "max_wait": DEFAULT_MAX_WAIT,                   # Default maximum time to wait for component to become healthy (secs)
         "filebeat": {                                   # Configuration for setting up filebeat container
             "log_path" : FB_LOG_PATH,                   # mount point for log volume in filebeat container
             "data_path" : FB_DATA_PATH,                 # mount point for data volume in filebeat container
@@ -59,8 +59,7 @@ def _set_defaults():
         "tls": {                                        # Configuration for setting up TLS
             "cert_path" : TLS_CERT_PATH,                # mount point for certificate volume in TLS init container
             "image": TLS_IMAGE,                         # Docker image to use for TLS init container
-            "component_ca_cert_path": TLS_CA_CERT_PATH, # Mount point for CA cert for components that are clients only
-            "ca_cert_configmap": TLS_CA_CONFIGMAP       # ConfigMap holding CA cert for components that are clients only
+            "component_cert_dir": TLS_COMP_CERT_PATH    # default mount point for certificate volume in component container
         },
         "cbs": {
             "base_url" : CBS_BASE_URL                   # URL prefix for accessing config binding service
diff --git a/k8s/k8s-node-type.yaml b/k8s/k8s-node-type.yaml
index 352acce..c14623a 100644
--- a/k8s/k8s-node-type.yaml
+++ b/k8s/k8s-node-type.yaml
@@ -23,7 +23,7 @@ plugins:
   k8s:
     executor: 'central_deployment_agent'
     package_name: k8splugin
-    package_version: 1.7.2
+    package_version: 2.0.0
 
 data_types:
 
diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py
index 9aeec24..bd83322 100644
--- a/k8s/k8sclient/k8sclient.py
+++ b/k8s/k8sclient/k8sclient.py
@@ -1,7 +1,7 @@
 # ============LICENSE_START=======================================================
 # org.onap.dcae
 # ================================================================================
-# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Pantheon.tech. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -298,33 +298,25 @@ def _add_elk_logging_sidecar(containers, volumes, volume_mounts, component_name,
     containers.append(_create_container_object("filebeat", filebeat["image"], False, volume_mounts=sidecar_volume_mounts))
 
 def _add_tls_init_container(init_containers, volumes, volume_mounts, tls_info, tls_config):
-    #   Two different ways of doing this, depending on whether the container will act as a TLS server or as a client only
-    #   If a server, then tls_info will be passed, and tls_info["use_tls"] will be set to true.  We create an InitContainer
-    #   that sets up the CA cert, the server cert, and the keys.
-    #   If a client only, only the CA cert is needed.  We mount the CA cert from a ConfigMap that has been created as part
-    #   of the installation process. If there is cert_directory information in tls_info, we use that directory in the mount path.
-    #   Otherwise, we use the configured default path in tls_config.
-    cert_directory = None
-    if tls_info:
-        cert_directory = tls_info.get("cert_directory")
-        if cert_directory and tls_info.get("use_tls"):
-            # Use an InitContainer to set up the certificate information
-            # Create the certificate volume and volume mounts
-            volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource()))
-            volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory))
-            init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])]
-
-            # Just create the init container
-            init_containers.append(_create_container_object("init-tls", tls_config["image"], False, volume_mounts=init_volume_mounts))
-            return
-
-    # Use a config map
-    # Create the CA cert volume
-    volumes.append(client.V1Volume(name="tls-cacert", config_map=client.V1ConfigMapVolumeSource(name=tls_config["ca_cert_configmap"])))
-
-    # Create the volume mount
-    mount_path = cert_directory or os.path.dirname(tls_config["component_ca_cert_path"])
-    volume_mounts.append(client.V1VolumeMount(name="tls-cacert", mount_path=mount_path))
+    #   Adds an InitContainer to the pod to set up TLS certificate information.  For components that act as a
+    #   server(tls_info["use_tls"] is True), the InitContainer will populate a directory with server and CA certificate
+    #   materials in various formats.   For other components (tls_info["use_tls"] is False, or tls_info is not specified),
+    #   the InitContainer will populate a directory with CA certificate materials in PEM and JKS formats.
+    #   In either case, the certificate directory is mounted onto the component container filesystem at the location
+    #   specified by tls_info["component_cert_dir"], if present, otherwise at the configured default mount point
+    #   (tls_config["component_cert_dir"]).
+
+    cert_directory = tls_info.get("cert_directory") or tls_config.get("component_cert_dir")
+    env = {}
+    env["TLS_SERVER"] = "true" if tls_info.get("use_tls") else "false"
+
+    # Create the certificate volume and volume mounts
+    volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource()))
+    volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory))
+    init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])]
+
+    # Create the init container
+    init_containers.append(_create_container_object("init-tls", tls_config["image"], False, volume_mounts=init_volume_mounts, env=env))
 
 def _process_port_map(port_map):
     service_ports = []      # Ports exposed internally on the k8s network
@@ -444,8 +436,7 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, *
         - tls: a dictionary of TLS-related information:
             "cert_path": mount point for certificate volume in init container
             "image": Docker image to use for TLS init container
-            "component_ca_cert_path" : mount point for CA cert for client-only containers
-            "ca_cert_configmap": the name of the ConfigMap where the CA cert is stored
+            "component_cert_dir" : default mount point for certs
     kwargs may have:
         - volumes:  array of volume objects, where a volume object is:
             {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw_or_ro"}
diff --git a/k8s/k8splugin/tasks.py b/k8s/k8splugin/tasks.py
index eff7d43..21f70c1 100644
--- a/k8s/k8splugin/tasks.py
+++ b/k8s/k8splugin/tasks.py
@@ -1,7 +1,7 @@
 # ============LICENSE_START=======================================================
 # org.onap.dcae
 # ================================================================================
-# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Pantheon.tech. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,8 +16,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ============LICENSE_END=========================================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
 
 # Lifecycle interface calls for containerized components
 
@@ -43,9 +41,9 @@ plugin_conf = configure.configure()
 CONSUL_HOST = plugin_conf.get("consul_host")
 CONSUL_INTERNAL_NAME = plugin_conf.get("consul_dns_name")
 DCAE_NAMESPACE = plugin_conf.get("namespace")
-DEFAULT_MAX_WAIT = plugin_conf.get("max_wait", 1800)
+DEFAULT_MAX_WAIT = plugin_conf.get("max_wait")
 DEFAULT_K8S_LOCATION = plugin_conf.get("default_k8s_location")
-COMPONENT_CA_CERT_PATH = plugin_conf.get("tls").get("component_ca_cert_path")
+COMPONENT_CERT_DIR = plugin_conf.get("tls",{}).get("component_cert_dir")
 CBS_BASE_URL = plugin_conf.get("cbs").get("base_url")
 
 # Used to construct delivery urls for data router subscribers. Data router in FTL
@@ -268,10 +266,11 @@ def _create_and_start_container(container_name, image, **kwargs):
         - liveness: object with information needed to create a liveness check
         - k8s_location: name of the Kubernetes location (cluster) where the component is to be deployed
     '''
-    tls_info = kwargs.get("tls_info")
+    tls_info = kwargs.get("tls_info") or {}
+    cert_dir = tls_info.get("cert_directory") or COMPONENT_CERT_DIR
     env = { "CONSUL_HOST": CONSUL_INTERNAL_NAME,
             "CONFIG_BINDING_SERVICE": "config-binding-service",
-            "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(tls_info["cert_directory"]) if (tls_info and tls_info["cert_directory"]) else COMPONENT_CA_CERT_PATH,
+            "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(cert_dir),
             "CBS_CONFIG_URL" : "{0}/{1}".format(CBS_BASE_URL, container_name)
           }
     env.update(kwargs.get("envs", {}))
diff --git a/k8s/pom.xml b/k8s/pom.xml
index b83fc87..5193e71 100644
--- a/k8s/pom.xml
+++ b/k8s/pom.xml
@@ -16,8 +16,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 ============LICENSE_END=========================================================
-
-ECOMP is a trademark and service mark of AT&T Intellectual Property.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
@@ -29,7 +27,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property.
   <groupId>org.onap.dcaegen2.platform.plugins</groupId>
   <artifactId>k8s</artifactId>
   <name>k8s-plugin</name>
-  <version>1.7.2-SNAPSHOT</version>
+  <version>2.0.0-SNAPSHOT</version>
   <url>http://maven.apache.org</url>
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/k8s/requirements.txt b/k8s/requirements.txt
index 2a94ae6..6d72e4a 100644
--- a/k8s/requirements.txt
+++ b/k8s/requirements.txt
@@ -1,3 +1,4 @@
+setuptools<45.0.0
 python-consul>=0.6.0
 onap-dcae-dcaepolicy-lib>=2.4.1
 kubernetes>=9.0.0
diff --git a/k8s/setup.py b/k8s/setup.py
index 0b4f366..15a34ab 100644
--- a/k8s/setup.py
+++ b/k8s/setup.py
@@ -1,7 +1,7 @@
 # ============LICENSE_START=======================================================
 # org.onap.dcae
 # ================================================================================
-# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Pantheon.tech. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,15 +16,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # ============LICENSE_END=========================================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
 
 from setuptools import setup
 
 setup(
     name='k8splugin',
     description='Cloudify plugin for containerized components deployed using Kubernetes',
-    version="1.7.2",
+    version="2.0.0",
     author='J. F. Lucas, Michael Hwang, Tommy Carpenter',
     packages=['k8splugin','k8sclient','msb','configure'],
     zip_safe=False,
diff --git a/k8s/tests/common.py b/k8s/tests/common.py
index c696f41..02b57e6 100644
--- a/k8s/tests/common.py
+++ b/k8s/tests/common.py
@@ -33,8 +33,7 @@ def _set_k8s_configuration():
         "tls" : {
             "cert_path": "/opt/certs",
             "image": "tlsrepo/tls-init-container:1.2.3",
-            "component_ca_cert_path": "/opt/dcae/cacert/cacert.pem",
-            "ca_cert_configmap": "dcae-cacert-configmap"
+            "component_cert_dir": "/opt/dcae/cacert"
         },
         "cbs": {
             "base_url": "https://config-binding-service:10443/service_component_all/test-component"
author	Jack Lucas <jflucas@research.att.com>	2020-02-03 17:11:07 -0500
committer	Jack Lucas <jflucas@research.att.com>	2020-02-25 17:46:43 -0500
commit	52b94c834d1c0252873ca4ced0ba3818648eccfe (patch)
tree	3cd5484eaacf9fc578c6761d4b29c98c9bb87b46
parent	c7a8e732d235d0b8ce714f5153d37d2364c9a01c (diff)