From 495e8f8283bd6dfb7b4d4f822b06291a7cf04205 Mon Sep 17 00:00:00 2001 From: Tomasz Wrobel Date: Mon, 29 Mar 2021 11:50:57 +0200 Subject: Add configuration of external tls init container - CMPv2 - Add configuration of certificates exists in secret - Add configuration of secret contains passwords Issue-ID: OOM-2712 Signed-off-by: Tomasz Wrobel Change-Id: I4e0d6fb3717fdf19b5110a83d9273fd7bcf75757 --- k8s/ChangeLog.md | 9 +++++++ k8s/configure/configure.py | 17 ++++++++++---- k8s/k8sclient/k8sclient.py | 48 ++++++++++++++++++++++++++++++-------- k8s/k8splugin_types.yaml | 2 +- k8s/pom.xml | 2 +- k8s/setup.py | 4 ++-- k8s/tests/common.py | 15 ++++++++---- k8s/tests/test_k8sclient_deploy.py | 9 +++++-- 8 files changed, 82 insertions(+), 24 deletions(-) diff --git a/k8s/ChangeLog.md b/k8s/ChangeLog.md index 67d3d14..76a2449 100644 --- a/k8s/ChangeLog.md +++ b/k8s/ChangeLog.md @@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [3.9.0] +* OOM-2712 Add a configuration of certificates for communication between external-tls init container and CertService API + +## [3.8.0] +* Update policy lib to 2.5.1 + +## [3.7.0] +* Update to python3 version of policy lib + ## [3.6.0] * DCAEGEN2-2440 - Add integration with cert-manager. * Enable creation of certificate custom resource instead cert-service-client container, diff --git a/k8s/configure/configure.py b/k8s/configure/configure.py index 142e2ec..d661631 100644 --- a/k8s/configure/configure.py +++ b/k8s/configure/configure.py 
@@ -48,8 +48,12 @@ EXT_TLS_STATE = "California" EXT_TLS_ORGANIZATIONAL_UNIT = "ONAP" EXT_TLS_LOCATION = "San-Francisco" EXT_TLS_CERT_SECRET_NAME = "oom-cert-service-client-tls-secret" -EXT_TLS_KEYSTORE_PASSWORD = "secret" -EXT_TLS_TRUSTSTORE_PASSWORD = "secret" +EXT_TLS_KEYSTORE_PASSWORD_SECRET_NAME = "oom-cert-service-keystore-password" +EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_NAME = "oom-cert-service-truststore-password" +EXT_TLS_KEYSTORE_SECRET_KEY = "keystore.jks" +EXT_TLS_TRUSTSTORE_SECRET_KEY = "truststore.jks" +EXT_TLS_KEYSTORE_PASSWORD_SECRET_KEY = "password" +EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_KEY = "password" CERT_POST_PROCESSOR_IMAGE = "nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.1.0" CBS_BASE_URL = "https://config-binding-service:10443/service_component_all" 
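Review bot: The new defaults name Kubernetes Secret/key pairs (EXT_TLS_CERT_SECRET_NAME, the two *_PASSWORD_SECRET_NAME constants and their `password` keys) without saying where they have to be provisioned, and nothing visible here validates them; a pod that references a missing Secret through secretKeyRef or a volume stays stuck at container creation instead of failing at deploy time with a clear message. A short comment above the block would save the next operator a debugging round, e.g. `# Secrets holding the CertService client keystore/truststore and their passwords; they must exist in the component's namespace before deployment (referenced via secretKeyRef/volume, not validated here).` Both password keys defaulting to `password` is fine as long as the two Secrets are distinct objects, which the names suggest but this file cannot enforce.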
@@ -88,8 +92,13 @@ def _set_defaults(): "organizational_unit" : EXT_TLS_ORGANIZATIONAL_UNIT, # Organizational unit name, for which certificate will be created "location" : EXT_TLS_LOCATION, # Location name, for which certificate will be created "cert_secret_name": EXT_TLS_CERT_SECRET_NAME, # Name of secret containing keystore and truststore for secure communication of Cert Service Client and Cert Service - "keystore_password" : EXT_TLS_KEYSTORE_PASSWORD, # Password to keystore file - "truststore_password" : EXT_TLS_TRUSTSTORE_PASSWORD # Password to truststore file + "keystore_secret_key" : EXT_TLS_KEYSTORE_SECRET_KEY, # Key for keystore value exists in secret (cert_secret_name) + "truststore_secret_key" : EXT_TLS_TRUSTSTORE_SECRET_KEY, # Key for truststore value exists in secret (cert_secret_name) + "keystore_password_secret_name": EXT_TLS_KEYSTORE_PASSWORD_SECRET_NAME, # Name of secret containing password for keystore for secure communication of Cert Service Client and Cert Service + "truststore_password_secret_name": EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_NAME, # Name of secret containing password for truststore for secure communication of Cert Service Client and Cert Service + "keystore_password_secret_key" : EXT_TLS_KEYSTORE_PASSWORD_SECRET_KEY, # Key for keystore password value exists in secret (keystore_password_secret_name) + "truststore_password_secret_key" : EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_KEY # Key for truststore password value exists in secret (truststore_password_secret_name) + }, "cert_post_processor": { "image_tag": CERT_POST_PROCESSOR_IMAGE # Docker image to use for cert post processor init container diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py index 2b9811f..ed8282f 100644 --- a/k8s/k8sclient/k8sclient.py +++ b/k8s/k8sclient/k8sclient.py 
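Review bot: The inline comments on the six new entries are sentence fragments that read as if the key must "exist" rather than describing what the key selects, e.g. `# Key for keystore value exists in secret (cert_secret_name)`; `# Secret data key under which the keystore is stored in the Secret named by cert_secret_name` (and the same pattern for the truststore and the two password entries) states the contract precisely. The *_password_secret_name comments repeat the full "for secure communication of Cert Service Client and Cert Service" phrase already given on cert_secret_name; trimming them to `# Secret holding the keystore password` keeps the dict readable at a glance. _set_defaults starts before this hunk and the dict it builds continues after it.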
@@ -50,8 +50,6 @@ PORTS = re.compile("^([0-9]+)(/(udp|UDP|tcp|TCP))?:([0-9]+)$") # Constants for external_cert MOUNT_PATH = "/etc/onap/oom/certservice/certs/" -KEYSTORE_PATH = MOUNT_PATH + "certServiceClient-keystore.jks" -TRUSTSTORE_PATH = MOUNT_PATH + "truststore.jks" DEFAULT_CERT_TYPE = "p12" @@ -162,10 +160,18 @@ def _create_container_object(name, image, always_pull, **kwargs): # Copy any passed in environment variables env = kwargs.get('env') or {} env_vars = [client.V1EnvVar(name=k, value=env[k]) for k in env] + # Add POD_IP with the IP address of the pod running the container pod_ip = client.V1EnvVarSource(field_ref=client.V1ObjectFieldSelector(field_path="status.podIP")) env_vars.append(client.V1EnvVar(name="POD_IP", value_from=pod_ip)) + # Add envs from Secret + if 'env_from_secret' in kwargs: + for env in kwargs.get('env_from_secret').values(): + secret_key_selector = client.V1SecretKeySelector(key=env["secret_key"], name=env["secret_name"]) + env_var_source = client.V1EnvVarSource(secret_key_ref=secret_key_selector) + env_vars.append(client.V1EnvVar(name=env["env_name"], value_from=env_var_source)) + # If a health check is specified, create a readiness/liveness probe # (For an HTTP-based check, we assume it's at the first container port) readiness = kwargs.get('readiness') @@ -419,10 +425,14 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer ctx.logger.info("Creating init container: external TLS \n * [" + docker_image + "]") env = {} + env_from_secret = {} output_path = external_cert.get("external_cert_directory") if not output_path.endswith('/'): output_path += '/' + keystore_secret_key = external_tls_config.get("keystore_secret_key") + truststore_secret_key = external_tls_config.get("truststore_secret_key") + env["REQUEST_URL"] = external_tls_config.get("request_url") env["REQUEST_TIMEOUT"] = external_tls_config.get("timeout") env["OUTPUT_PATH"] = output_path + "external" 
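Review bot: The loop variable in `for env in kwargs.get('env_from_secret').values():` rebinds the outer `env` dict built a few lines above from `kwargs.get('env') or {}`, which will trip the next reader who uses `env` after the probe setup; rename it and tolerate a None value the way the plain env path already does: `for secret_env in (kwargs.get('env_from_secret') or {}).values():` with `secret_env[...]` in the three lines below. The per-entry `env_name` field duplicates the dict key the caller already uses (the caller sets `env_from_secret["KEYSTORE_PASSWORD"]["env_name"]` to the same string), so iterating `.items()` and taking the key would remove one way for the two to drift. A short comment is also warranted that a secretKeyRef still lands the password in the container's environment, readable by any process in the container and by `kubectl exec ... env`; it is an improvement over a literal, not a file-backed secret. _create_container_object continues past the hunk.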
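Review bot: `keystore_secret_key` and `truststore_secret_key` are read with `.get()` and, in the continuation of this function, are concatenated onto MOUNT_PATH and used as Secret data keys, so if either is absent from external_tls_config the failure is a TypeError on string concatenation rather than a message naming the missing setting. Since both values are mandatory for the rest of the function, a guard such as `if not keystore_secret_key or not truststore_secret_key:` followed by `raise ValueError("external_tls_config requires keystore_secret_key and truststore_secret_key")` fails fast with a clear cause — unless _set_defaults is guaranteed to have merged them in, which I cannot confirm from here. _add_external_tls_init_container starts before this hunk and continues after it.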
@@ -435,21 +445,39 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer env["STATE"] = external_tls_config.get("state") env["COUNTRY"] = external_tls_config.get("country") env["SANS"] = external_cert.get("external_certificate_parameters").get("sans") - env["KEYSTORE_PATH"] = KEYSTORE_PATH - env["KEYSTORE_PASSWORD"] = external_tls_config.get("keystore_password") - env["TRUSTSTORE_PATH"] = TRUSTSTORE_PATH - env["TRUSTSTORE_PASSWORD"] = external_tls_config.get("truststore_password") - + env["KEYSTORE_PATH"] = MOUNT_PATH + keystore_secret_key + env["TRUSTSTORE_PATH"] = MOUNT_PATH + truststore_secret_key + env_from_secret["KEYSTORE_PASSWORD"] = \ + {"env_name": "KEYSTORE_PASSWORD", + "secret_name": external_tls_config.get("keystore_password_secret_name"), + "secret_key": external_tls_config.get("keystore_password_secret_key")} + env_from_secret["TRUSTSTORE_PASSWORD"] = \ + {"env_name": "TRUSTSTORE_PASSWORD", + "secret_name": external_tls_config.get("truststore_password_secret_name"), + "secret_key": external_tls_config.get("truststore_password_secret_key")} # Create the volumes and volume mounts - sec = client.V1SecretVolumeSource(secret_name=external_tls_config.get("cert_secret_name")) - volumes.append(client.V1Volume(name="tls-volume", secret=sec)) + projected_volume = _create_projected_tls_volume(external_tls_config.get("cert_secret_name"), + keystore_secret_key, + truststore_secret_key) + + volumes.append(client.V1Volume(name="tls-volume", projected=projected_volume)) init_volume_mounts = [ client.V1VolumeMount(name="tls-info", mount_path=external_cert.get("external_cert_directory")), client.V1VolumeMount(name="tls-volume", mount_path=MOUNT_PATH)] # Create the init container init_containers.append( - _create_container_object("cert-service-client", docker_image, False, volume_mounts=init_volume_mounts, env=env)) + _create_container_object("cert-service-client", docker_image, False, volume_mounts=init_volume_mounts, env=env, 
env_from_secret=env_from_secret)) + + +def _create_projected_tls_volume(secret_name, keystore_secret_key, truststore_secret_key): + items = [ + client.V1KeyToPath(key=keystore_secret_key, path=keystore_secret_key), + client.V1KeyToPath(key=truststore_secret_key, path=truststore_secret_key)] + secret_projection = client.V1SecretProjection(name=secret_name, items=items) + volume_projection = [client.V1VolumeProjection(secret=secret_projection)] + projected_volume = client.V1ProjectedVolumeSource(sources=volume_projection) + return projected_volume def _add_cert_post_processor_init_container(ctx, init_containers, tls_info, tls_config, external_cert, diff --git a/k8s/k8splugin_types.yaml b/k8s/k8splugin_types.yaml index 945ed85..0389d14 100644 --- a/k8s/k8splugin_types.yaml +++ b/k8s/k8splugin_types.yaml @@ -24,7 +24,7 @@ plugins: k8s: executor: 'central_deployment_agent' package_name: k8splugin - package_version: 3.8.0 + package_version: 3.9.0 data_types: diff --git a/k8s/pom.xml b/k8s/pom.xml index 7a14297..83b2318 100644 --- a/k8s/pom.xml +++ b/k8s/pom.xml @@ -29,7 +29,7 @@ limitations under the License. org.onap.dcaegen2.platform.plugins k8s k8s-plugin - 3.8.0-SNAPSHOT + 3.9.0-SNAPSHOT http://maven.apache.org UTF-8 diff --git a/k8s/setup.py b/k8s/setup.py index 47dc38c..97a7408 100644 --- a/k8s/setup.py +++ b/k8s/setup.py @@ -24,8 +24,8 @@ from setuptools import setup setup( name='k8splugin', description='Cloudify plugin for containerized components deployed using Kubernetes', - version="3.8.0", - author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek, Piotr Marcinkiewicz', + version="3.9.0", + author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek, Piotr Marcinkiewicz, Tomasz Wrobel', packages=['k8splugin','k8sclient','configure'], zip_safe=False, install_requires=[ 
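Review bot: The on-disk path of each store is derived twice from the same key — `env["KEYSTORE_PATH"] = MOUNT_PATH + keystore_secret_key` here and `client.V1KeyToPath(key=keystore_secret_key, path=keystore_secret_key)` in _create_projected_tls_volume — so the environment variable and the projected file can drift if either side changes; let the helper own both, for example by returning the two file paths alongside the volume so the env assignments use them. The helper has no docstring; a one-liner such as `"""Project only the keystore and truststore entries of Secret 'secret_name' into tls-volume, each as a file named after its key."""` also records why a projected volume with explicit items replaced the whole-Secret volume. Projected secret files are created with the default 0644 mode unless `default_mode` is passed to V1ProjectedVolumeSource; with both stores now password-protected that is secondary, but worth a comment, particularly if the client image runs as a non-root user. _add_cert_post_processor_init_container begins at the end of this hunk.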
diff --git a/k8s/tests/common.py b/k8s/tests/common.py index 19d94d6..3bd2db1 100644 --- a/k8s/tests/common.py +++ b/k8s/tests/common.py @@ -105,15 +105,22 @@ def verify_external_cert(dep): "STATE": "California", "COUNTRY": "US", "SANS": "mysans", - "KEYSTORE_PATH": "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks", - "KEYSTORE_PASSWORD": "secret1", - "TRUSTSTORE_PATH": "/etc/onap/oom/certservice/certs/truststore.jks", - "TRUSTSTORE_PASSWORD": "secret2"} + "KEYSTORE_PATH": "/etc/onap/oom/certservice/certs/keystore.jks", + "TRUSTSTORE_PATH": "/etc/onap/oom/certservice/certs/truststore.jks"} + envs = {k.name: k.value for k in cert_container.env} for k in expected_envs: assert (k in envs and expected_envs[k] == envs[k]) + envs_from_source = {k.name: k.value_from for k in cert_container.env} + expected_secret_key_ref = { + "KEYSTORE_PASSWORD": "oom-cert-service-client-tls-secret-password", + "TRUSTSTORE_PASSWORD": "oom-cert-service-client-tls-secret-password" + } + for key, value in expected_secret_key_ref.items(): + assert (key in envs_from_source and str(envs_from_source[key]).__contains__(value)) + def verify_cert_post_processor(dep): cert_container = dep.spec.template.spec.init_containers[2] diff --git a/k8s/tests/test_k8sclient_deploy.py b/k8s/tests/test_k8sclient_deploy.py index cd00f37..94957a6 100644 --- a/k8s/tests/test_k8sclient_deploy.py +++ b/k8s/tests/test_k8sclient_deploy.py 
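Review bot: `str(envs_from_source[key]).__contains__(value)` only checks that the Secret name appears somewhere in the repr of the V1EnvVarSource, so a value wired to a config_map_key_ref or to the wrong data key would still pass; assert on the structured field instead: `ref = envs_from_source[key].secret_key_ref` then `assert ref is not None and ref.name == value and ref.key == "password"`. The test also no longer pins that the password is not injected as a literal; adding `assert envs[key] is None` for both keys guards exactly the regression this change is meant to prevent. Should any substring check remain, `value in str(...)` is the idiomatic form rather than calling `__contains__` directly. verify_external_cert starts before this hunk.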
@@ -50,8 +50,13 @@ K8S_CONFIGURATION = { "state": "California", "organizational_unit": "ONAP", "location": "San-Francisco", - "keystore_password": "secret1", - "truststore_password": "secret2" + "cert_secret_name": "oom-cert-service-client-tls-secret", + "keystore_secret_key" : "keystore.jks", + "truststore_secret_key" : "truststore.jks", + "keystore_password_secret_name": "oom-cert-service-client-tls-secret-password", + "truststore_password_secret_name": "oom-cert-service-client-tls-secret-password", + "keystore_password_secret_key" : "password", + "truststore_password_secret_key" : "password" }, "cert_post_processor": { "image_tag": "repo/oom-cert-post-processor:2.1.0" -- cgit 1.2.3-korg