From 52b94c834d1c0252873ca4ced0ba3818648eccfe Mon Sep 17 00:00:00 2001 From: Jack Lucas Date: Mon, 3 Feb 2020 17:11:07 -0500 Subject: Provide cacert in JKS format for clients Issue-ID: DCAEGEN2-1938 Signed-off-by: Jack Lucas Change-Id: Ic9a852bb058075b2b03aa6382ed33e23a4cca8b5 --- k8s/configure/configure.py | 15 +++++++------- k8s/k8s-node-type.yaml | 2 +- k8s/k8sclient/k8sclient.py | 51 +++++++++++++++++++--------------------------- k8s/k8splugin/tasks.py | 13 ++++++------ k8s/pom.xml | 4 +--- k8s/requirements.txt | 1 + k8s/setup.py | 6 ++---- k8s/tests/common.py | 3 +-- 8 files changed, 40 insertions(+), 55 deletions(-) diff --git a/k8s/configure/configure.py b/k8s/configure/configure.py index 959c215..d51b87b 100644 --- a/k8s/configure/configure.py +++ b/k8s/configure/configure.py @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # org.onap.dcae # ================================================================================ -# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2019 Pantheon.tech. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -16,8 +16,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. _CONFIG_PATH = "/opt/onap/config.txt" # Path to config file on the Cloudify Manager host _CONSUL_KEY = "k8s-plugin" # Key under which CM configuration is stored in Consul @@ -26,6 +24,7 @@ _CONSUL_KEY = "k8s-plugin" # Key under which CM configuration is st DCAE_NAMESPACE = "dcae" CONSUL_DNS_NAME = "consul" DEFAULT_K8S_LOCATION = "central" +DEFAULT_MAX_WAIT = 1800 FB_LOG_PATH = "/var/log/onap" FB_DATA_PATH = "/usr/share/filebeat/data" @@ -34,9 +33,9 @@ FB_CONFIG_SUBPATH = "filebeat.yml" FB_CONFIG_MAP = "filebeat-conf" FB_IMAGE = "docker.elastic.co/beats/filebeat:5.5.0" -TLS_CERT_PATH = "/opt/tls/shared" -TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.0" -TLS_CA_CERT_PATH = "/opt/dcae/cacert/cacert.pem" +TLS_CERT_PATH = "/opt/app/osaaf" +TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0" +TLS_COMP_CERT_PATH = "/opt/dcae/cacert" TLS_CA_CONFIGMAP = "dcae-cacert-configmap" CBS_BASE_URL = "https://config-binding-service:10443/service_component_all" @@ -48,6 +47,7 @@ def _set_defaults(): "consul_dns_name" : CONSUL_DNS_NAME, # k8s internal DNS name for Consul "default_k8s_location" : DEFAULT_K8S_LOCATION, # default k8s location to deploy components "image_pull_secrets" : [], # list of k8s secrets for accessing Docker registries + "max_wait": DEFAULT_MAX_WAIT, # Default maximum time to wait for component to become healthy (secs) "filebeat": { # Configuration for setting up filebeat container "log_path" : FB_LOG_PATH, # mount point for log volume in filebeat container "data_path" : FB_DATA_PATH, # mount point for data volume in filebeat container @@ -59,8 +59,7 @@ def _set_defaults(): "tls": { # Configuration for setting up TLS "cert_path" : TLS_CERT_PATH, # mount point for certificate volume in TLS init container "image": TLS_IMAGE, # Docker image to use for TLS init container - "component_ca_cert_path": TLS_CA_CERT_PATH, # Mount point for CA cert for components that are clients only - "ca_cert_configmap": TLS_CA_CONFIGMAP # ConfigMap holding CA cert for components that are clients only + "component_cert_dir": TLS_COMP_CERT_PATH # default mount point for certificate volume in component container }, "cbs": { "base_url" : CBS_BASE_URL # URL prefix for accessing config binding service diff --git a/k8s/k8s-node-type.yaml b/k8s/k8s-node-type.yaml index 352acce..c14623a 100644 --- a/k8s/k8s-node-type.yaml +++ b/k8s/k8s-node-type.yaml @@ -23,7 +23,7 @@ plugins: k8s: executor: 'central_deployment_agent' package_name: k8splugin - package_version: 1.7.2 + package_version: 2.0.0 data_types: diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py index 9aeec24..bd83322 100644 --- a/k8s/k8sclient/k8sclient.py +++ b/k8s/k8sclient/k8sclient.py @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # org.onap.dcae # ================================================================================ -# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Pantheon.tech. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -298,33 +298,25 @@ def _add_elk_logging_sidecar(containers, volumes, volume_mounts, component_name, containers.append(_create_container_object("filebeat", filebeat["image"], False, volume_mounts=sidecar_volume_mounts)) def _add_tls_init_container(init_containers, volumes, volume_mounts, tls_info, tls_config): - # Two different ways of doing this, depending on whether the container will act as a TLS server or as a client only - # If a server, then tls_info will be passed, and tls_info["use_tls"] will be set to true. We create an InitContainer - # that sets up the CA cert, the server cert, and the keys. - # If a client only, only the CA cert is needed. We mount the CA cert from a ConfigMap that has been created as part - # of the installation process. If there is cert_directory information in tls_info, we use that directory in the mount path. - # Otherwise, we use the configured default path in tls_config. - cert_directory = None - if tls_info: - cert_directory = tls_info.get("cert_directory") - if cert_directory and tls_info.get("use_tls"): - # Use an InitContainer to set up the certificate information - # Create the certificate volume and volume mounts - volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource())) - volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory)) - init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])] - - # Just create the init container - init_containers.append(_create_container_object("init-tls", tls_config["image"], False, volume_mounts=init_volume_mounts)) - return - - # Use a config map - # Create the CA cert volume - volumes.append(client.V1Volume(name="tls-cacert", config_map=client.V1ConfigMapVolumeSource(name=tls_config["ca_cert_configmap"]))) - - # Create the volume mount - mount_path = cert_directory or os.path.dirname(tls_config["component_ca_cert_path"]) - volume_mounts.append(client.V1VolumeMount(name="tls-cacert", mount_path=mount_path)) + # Adds an InitContainer to the pod to set up TLS certificate information. For components that act as a + # server(tls_info["use_tls"] is True), the InitContainer will populate a directory with server and CA certificate + # materials in various formats. For other components (tls_info["use_tls"] is False, or tls_info is not specified), + # the InitContainer will populate a directory with CA certificate materials in PEM and JKS formats. + # In either case, the certificate directory is mounted onto the component container filesystem at the location + # specified by tls_info["component_cert_dir"], if present, otherwise at the configured default mount point + # (tls_config["component_cert_dir"]). + + cert_directory = tls_info.get("cert_directory") or tls_config.get("component_cert_dir") + env = {} + env["TLS_SERVER"] = "true" if tls_info.get("use_tls") else "false" + + # Create the certificate volume and volume mounts + volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource())) + volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory)) + init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])] + + # Create the init container + init_containers.append(_create_container_object("init-tls", tls_config["image"], False, volume_mounts=init_volume_mounts, env=env)) def _process_port_map(port_map): service_ports = [] # Ports exposed internally on the k8s network @@ -444,8 +436,7 @@ def deploy(namespace, component_name, image, replicas, always_pull, k8sconfig, * - tls: a dictionary of TLS-related information: "cert_path": mount point for certificate volume in init container "image": Docker image to use for TLS init container - "component_ca_cert_path" : mount point for CA cert for client-only containers - "ca_cert_configmap": the name of the ConfigMap where the CA cert is stored + "component_cert_dir" : default mount point for certs kwargs may have: - volumes: array of volume objects, where a volume object is: {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw_or_ro"} diff --git a/k8s/k8splugin/tasks.py b/k8s/k8splugin/tasks.py index eff7d43..21f70c1 100644 --- a/k8s/k8splugin/tasks.py +++ b/k8s/k8splugin/tasks.py @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # org.onap.dcae # ================================================================================ -# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Pantheon.tech. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -16,8 +16,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. # Lifecycle interface calls for containerized components @@ -43,9 +41,9 @@ plugin_conf = configure.configure() CONSUL_HOST = plugin_conf.get("consul_host") CONSUL_INTERNAL_NAME = plugin_conf.get("consul_dns_name") DCAE_NAMESPACE = plugin_conf.get("namespace") -DEFAULT_MAX_WAIT = plugin_conf.get("max_wait", 1800) +DEFAULT_MAX_WAIT = plugin_conf.get("max_wait") DEFAULT_K8S_LOCATION = plugin_conf.get("default_k8s_location") -COMPONENT_CA_CERT_PATH = plugin_conf.get("tls").get("component_ca_cert_path") +COMPONENT_CERT_DIR = plugin_conf.get("tls",{}).get("component_cert_dir") CBS_BASE_URL = plugin_conf.get("cbs").get("base_url") # Used to construct delivery urls for data router subscribers. Data router in FTL @@ -268,10 +266,11 @@ def _create_and_start_container(container_name, image, **kwargs): - liveness: object with information needed to create a liveness check - k8s_location: name of the Kubernetes location (cluster) where the component is to be deployed ''' - tls_info = kwargs.get("tls_info") + tls_info = kwargs.get("tls_info") or {} + cert_dir = tls_info.get("cert_directory") or COMPONENT_CERT_DIR env = { "CONSUL_HOST": CONSUL_INTERNAL_NAME, "CONFIG_BINDING_SERVICE": "config-binding-service", - "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(tls_info["cert_directory"]) if (tls_info and tls_info["cert_directory"]) else COMPONENT_CA_CERT_PATH, + "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(cert_dir), "CBS_CONFIG_URL" : "{0}/{1}".format(CBS_BASE_URL, container_name) } env.update(kwargs.get("envs", {})) diff --git a/k8s/pom.xml b/k8s/pom.xml index b83fc87..5193e71 100644 --- a/k8s/pom.xml +++ b/k8s/pom.xml @@ -16,8 +16,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ============LICENSE_END========================================================= - -ECOMP is a trademark and service mark of AT&T Intellectual Property. --> 4.0.0 @@ -29,7 +27,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. org.onap.dcaegen2.platform.plugins k8s k8s-plugin - 1.7.2-SNAPSHOT + 2.0.0-SNAPSHOT http://maven.apache.org UTF-8 diff --git a/k8s/requirements.txt b/k8s/requirements.txt index 2a94ae6..6d72e4a 100644 --- a/k8s/requirements.txt +++ b/k8s/requirements.txt @@ -1,3 +1,4 @@ +setuptools<45.0.0 python-consul>=0.6.0 onap-dcae-dcaepolicy-lib>=2.4.1 kubernetes>=9.0.0 diff --git a/k8s/setup.py b/k8s/setup.py index 0b4f366..15a34ab 100644 --- a/k8s/setup.py +++ b/k8s/setup.py @@ -1,7 +1,7 @@ # ============LICENSE_START======================================================= # org.onap.dcae # ================================================================================ -# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Pantheon.tech. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); @@ -16,15 +16,13 @@ # See the License for the specific language governing permissions and # limitations under the License. # ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. from setuptools import setup setup( name='k8splugin', description='Cloudify plugin for containerized components deployed using Kubernetes', - version="1.7.2", + version="2.0.0", author='J. F. Lucas, Michael Hwang, Tommy Carpenter', packages=['k8splugin','k8sclient','msb','configure'], zip_safe=False, diff --git a/k8s/tests/common.py b/k8s/tests/common.py index c696f41..02b57e6 100644 --- a/k8s/tests/common.py +++ b/k8s/tests/common.py @@ -33,8 +33,7 @@ def _set_k8s_configuration(): "tls" : { "cert_path": "/opt/certs", "image": "tlsrepo/tls-init-container:1.2.3", - "component_ca_cert_path": "/opt/dcae/cacert/cacert.pem", - "ca_cert_configmap": "dcae-cacert-configmap" + "component_cert_dir": "/opt/dcae/cacert" }, "cbs": { "base_url": "https://config-binding-service:10443/service_component_all/test-component" -- cgit 1.2.3-korg