From 616e85c8a4430591257165eac39534501992d4bd Mon Sep 17 00:00:00 2001
From: Piotr Marcinkiewicz
Date: Tue, 29 Sep 2020 12:59:08 +0200
Subject: [k8splugin] Update plugin to use OOM CertService

- Replace AAF CertService with OOM CertService
- Rename truststore merger init container to cert post processor

Issue-ID: OOM-2526
Signed-off-by: Piotr Marcinkiewicz
Change-Id: If3aecb9c62970e338c694ff7ae2dadf94c4daa8b
---
 k8s/ChangeLog.md | 4 ++++
 k8s/configure/configure.py | 12 ++++++------
 k8s/k8sclient/k8sclient.py | 16 ++++++++--------
 k8s/k8splugin_types.yaml | 2 +-
 k8s/pom.xml | 2 +-
 k8s/setup.py | 4 ++--
 k8s/tests/common.py | 20 ++++++++++----------
 k8s/tests/test_k8sclient_deploy.py | 4 ++--
 8 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/k8s/ChangeLog.md b/k8s/ChangeLog.md
index 7d2f4ea..5c95e64 100644
--- a/k8s/ChangeLog.md
+++ b/k8s/ChangeLog.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.4.3]
+* OOM-2526 - Replace AAF CertService with OOM CertService
+* Rename truststore merger init container to cert post processor
+
 ## [3.4.1]
 * DCAEGEN2-2253 - Add support to move CMPv2 keystore in place of AAF CertMan keystore
 * Make secret for cert-service-client container configurable
diff --git a/k8s/configure/configure.py b/k8s/configure/configure.py
index dc21dd9..481e02e 100644
--- a/k8s/configure/configure.py
+++ b/k8s/configure/configure.py
@@ -39,19 +39,19 @@ TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-c TLS_COMP_CERT_PATH = "/opt/dcae/cacert" TLS_CA_CONFIGMAP = "dcae-cacert-configmap" -EXT_TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:1.2.0" -EXT_TLS_REQUEST_URL = "https://aaf-cert-service:8443/v1/certificate/" +EXT_TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0" +EXT_TLS_REQUEST_URL = "https://oom-cert-service:8443/v1/certificate/" EXT_TLS_TIMEOUT = "30000" EXT_TLS_COUNTRY = "US" EXT_TLS_ORGANIZATION = "Linux-Foundation" EXT_TLS_STATE = "California" EXT_TLS_ORGANIZATIONAL_UNIT = "ONAP" EXT_TLS_LOCATION = "San-Francisco" -EXT_TLS_CERT_SECRET_NAME = "aaf-cert-service-client-tls-secret" +EXT_TLS_CERT_SECRET_NAME = "oom-cert-service-client-tls-secret" EXT_TLS_KEYSTORE_PASSWORD = "secret" EXT_TLS_TRUSTSTORE_PASSWORD = "secret" -TRUST_STORE_MERGER_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcae.truststore-merger:1.2.0" +CERT_POST_PROCESSOR_IMAGE = "nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.1.0" CBS_BASE_URL = "https://config-binding-service:10443/service_component_all" def _set_defaults(): @@ -88,8 +88,8 @@ def _set_defaults(): "keystore_password" : EXT_TLS_KEYSTORE_PASSWORD, # Password to keystore file "truststore_password" : EXT_TLS_TRUSTSTORE_PASSWORD # Password to truststore file }, - "truststore_merger": { - "image_tag": TRUST_STORE_MERGER_IMAGE + "cert_post_processor": { + "image_tag": CERT_POST_PROCESSOR_IMAGE # Docker image to use for cert post processor init container }, "cbs": { "base_url" : CBS_BASE_URL # URL prefix for accessing config binding service diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py index 68feaec..cd17999 100644 --- a/k8s/k8sclient/k8sclient.py +++ b/k8s/k8sclient/k8sclient.py 
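Review bot: The new `EXT_TLS_IMAGE` and `CERT_POST_PROCESSOR_IMAGE` defaults reference the registry images by the mutable tag `2.1.0`, so what the init containers actually run can change underneath a released plugin version without any change here. If the registry supports it, pin by digest (`image@sha256:<digest-placeholder>`) or at least document the expectation, e.g. `# Pinned by tag only; verify the tag is immutable in nexus3.onap.org or pin by digest`. Note also that the surrounding defaults still ship literal `"secret"` for `EXT_TLS_KEYSTORE_PASSWORD` and `EXT_TLS_TRUSTSTORE_PASSWORD`; a comment stating that these are development defaults expected to be overridden per deployment would make that explicit for operators reading this file.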
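Review bot: Renaming the defaults key from `truststore_merger` to `cert_post_processor` in `_set_defaults()` drops the old key with no fallback, and the consumer changed in the k8sclient.py `deploy` hunk (`k8sconfig.get("cert_post_processor")`) passes the result straight to `_add_cert_post_processor_init_container`, which indexes it with `["image_tag"]`; a configuration that still carries only `truststore_merger` would therefore end in a `TypeError` on `None` rather than a readable message. Whether externally supplied configuration is merged over these defaults is not visible in this hunk, so this may be moot if the defaults are the only source, but if a migration window is intended it is worth either reading the old key as a fallback for one release or adding a ChangeLog line stating that `truststore_merger` is no longer honoured. At minimum the comment on the new key could say so: `# Docker image to use for cert post processor init container (key was "truststore_merger" before 3.4.3)`.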
@@ -45,7 +45,7 @@ FACTORS = {None: 1, "s": 1, "m": 60, "h": 3600} PORTS = re.compile("^([0-9]+)(/(udp|UDP|tcp|TCP))?:([0-9]+)$") # Constants for external_cert -MOUNT_PATH = "/etc/onap/aaf/certservice/certs/" +MOUNT_PATH = "/etc/onap/oom/certservice/certs/" KEYSTORE_PATH = MOUNT_PATH + "certServiceClient-keystore.jks" TRUSTSTORE_PATH = MOUNT_PATH + "truststore.jks" DEFAULT_CERT_TYPE = "p12" @@ -366,10 +366,10 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer init_containers.append(_create_container_object("cert-service-client", docker_image, False, volume_mounts=init_volume_mounts, env=env)) -def _add_truststore_merger_init_container(ctx, init_containers, tls_info, tls_config, external_cert, truststore_merger_config): +def _add_cert_post_processor_init_container(ctx, init_containers, tls_info, tls_config, external_cert, cert_post_processor_config): # Adds an InitContainer to the pod to merge TLS and external TLS truststore into single file. - docker_image = truststore_merger_config["image_tag"] - ctx.logger.info("Creating init container: truststore merger \n * [" + docker_image + "]") + docker_image = cert_post_processor_config["image_tag"] + ctx.logger.info("Creating init container: cert post processor \n * [" + docker_image + "]") tls_cert_dir = tls_info.get("cert_directory") or tls_config.get("component_cert_dir") if not tls_cert_dir.endswith('/'): @@ -401,7 +401,7 @@ def _add_truststore_merger_init_container(ctx, init_containers, tls_info, tls_co init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_cert_dir)] # Create the init container - init_containers.append(_create_container_object("truststore-merger", docker_image, False, volume_mounts=init_volume_mounts, env=env)) + init_containers.append(_create_container_object("cert-post-processor", docker_image, False, volume_mounts=init_volume_mounts, env=env)) def _get_file_extension(output_type): 
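Review bot: The comment directly under the renamed `_add_cert_post_processor_init_container` still reads `# Adds an InitContainer to the pod to merge TLS and external TLS truststore into single file.`, which describes the old truststore-merger role rather than the cert post processor the function is now named after; update it to name the new container, e.g. `# Adds the cert-post-processor InitContainer; presumably it still merges the TLS and external-TLS truststores into one file — confirm against the oom-certservice-post-processor image`. Separately, the unchanged line `tls_cert_dir = tls_info.get("cert_directory") or tls_config.get("component_cert_dir")` is followed by `tls_cert_dir.endswith('/')`, which raises `AttributeError` when neither key is set; since this path is now always taken whenever `use_external_tls` is enabled, an explicit check such as `if not tls_cert_dir: raise ValueError("no TLS cert directory configured for cert-post-processor")` would fail with a clearer message. The function body continues outside this hunk.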
@@ -546,8 +546,8 @@ def deploy(ctx, namespace, component_name, image, replicas, always_pull, k8sconf "cert_path": mount point for certificate volume in init container "image": Docker image to use for TLS init container "component_cert_dir" : default mount point for certs - - truststore-merger: a dictionary of trustore-merger information: - "image_tag": docker image to use for truststore-merger init container + - cert_post_processor: a dictionary of cert_post_processor information: + "image_tag": docker image to use for cert-post-processor init container kwargs may have: - volumes: array of volume objects, where a volume object is: {"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw_or_ro"} @@ -623,7 +623,7 @@ def deploy(ctx, namespace, component_name, image, replicas, always_pull, k8sconf external_cert = kwargs.get("external_cert") if external_cert and external_cert.get("use_external_tls"): _add_external_tls_init_container(ctx, init_containers, volumes, external_cert, k8sconfig.get("external_cert")) - _add_truststore_merger_init_container(ctx, init_containers, kwargs.get("tls_info") or {}, k8sconfig.get("tls"), external_cert, k8sconfig.get("truststore_merger")) + _add_cert_post_processor_init_container(ctx, init_containers, kwargs.get("tls_info") or {}, k8sconfig.get("tls"), external_cert, k8sconfig.get("cert_post_processor")) # Create the container for the component # Make it the first container in the pod diff --git a/k8s/k8splugin_types.yaml b/k8s/k8splugin_types.yaml index d216e31..93a3262 100644 --- a/k8s/k8splugin_types.yaml +++ b/k8s/k8splugin_types.yaml @@ -24,7 +24,7 @@ plugins: k8s: executor: 'central_deployment_agent' package_name: k8splugin - package_version: 3.4.2 + package_version: 3.4.3 data_types: diff --git a/k8s/pom.xml b/k8s/pom.xml index 9b47a6e..0a0c8ff 100644 --- a/k8s/pom.xml +++ b/k8s/pom.xml 
@@ -29,7 +29,7 @@ limitations under the License. org.onap.dcaegen2.platform.plugins k8s k8s-plugin - 3.4.2-SNAPSHOT + 3.4.3-SNAPSHOT http://maven.apache.org UTF-8 diff --git a/k8s/setup.py b/k8s/setup.py index 282aef8..208bcc7 100644 --- a/k8s/setup.py +++ b/k8s/setup.py @@ -24,8 +24,8 @@ from setuptools import setup setup( name='k8splugin', description='Cloudify plugin for containerized components deployed using Kubernetes', - version="3.4.2", - author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek', + version="3.4.3", + author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek, Piotr Marcinkiewicz', packages=['k8splugin','k8sclient','configure'], zip_safe=False, install_requires=[ diff --git a/k8s/tests/common.py b/k8s/tests/common.py index 91d4d41..d135b73 100644 --- a/k8s/tests/common.py +++ b/k8s/tests/common.py @@ -37,7 +37,7 @@ def _set_k8s_configuration(): "component_cert_dir": "/opt/dcae/cacert" }, "external_cert": { - "image_tag": "repo/aaf-certservice-client:1.2.3", + "image_tag": "repo/oom-certservice-client:2.1.0", "request_url" : "https://request:1010/url", "timeout" : "30000", "country" : "US", @@ -48,8 +48,8 @@ def _set_k8s_configuration(): "keystore_password" : "secret1", "truststore_password" : "secret2" }, - "truststore_merger": { - "image_tag": "repo/oom-truststore-merger:1.2.3" + "cert_post_processor": { + "image_tag": "repo/oom-cert-post-processor:2.1.0" }, "cbs": { "base_url": "https://config-binding-service:10443/service_component_all/test-component" 
@@ -133,13 +133,13 @@ def verify_common(dep, deployment_description): def verify_external_cert(dep): cert_container = dep.spec.template.spec.init_containers[1] print(cert_container) - assert cert_container.image == "repo/aaf-certservice-client:1.2.3" + assert cert_container.image == "repo/oom-certservice-client:2.1.0" assert cert_container.name == "cert-service-client" assert len(cert_container.volume_mounts) == 2 assert cert_container.volume_mounts[0].name == "tls-info" assert cert_container.volume_mounts[0].mount_path == "/path/to/container/cert/directory/" assert cert_container.volume_mounts[1].name == "tls-volume" - assert cert_container.volume_mounts[1].mount_path == "/etc/onap/aaf/certservice/certs/" + assert cert_container.volume_mounts[1].mount_path == "/etc/onap/oom/certservice/certs/" expected_envs = { "REQUEST_URL": "https://request:1010/url", 
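Review bot: `verify_external_cert` keeps a bare `print(cert_container)` before the assertions, and the renamed `verify_cert_post_processor` in the next hunk (`@@ -154,20 +154,20 @@`) does the same; these dump the whole container object, including its `env` list with `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` values, into the test output on every run. The fixture values here are placeholders, but the habit means any future fixture wired to a real secret would land in CI logs, and the prints add nothing the assertions do not already cover. Drop the two `print(cert_container)` lines, or if a failure trace is wanted, attach the object to the assertion message instead, e.g. `assert cert_container.name == "cert-service-client", cert_container.name`.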
@@ -154,20 +154,20 @@ def verify_external_cert(dep): "STATE": "California", "COUNTRY": "US", "SANS": "mysans", - "KEYSTORE_PATH": "/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks", + "KEYSTORE_PATH": "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks", "KEYSTORE_PASSWORD": "secret1", - "TRUSTSTORE_PATH": "/etc/onap/aaf/certservice/certs/truststore.jks", + "TRUSTSTORE_PATH": "/etc/onap/oom/certservice/certs/truststore.jks", "TRUSTSTORE_PASSWORD": "secret2"} envs = {k.name: k.value for k in cert_container.env} for k in expected_envs: assert (k in envs and expected_envs[k] == envs[k]) -def verify_truststore_merger(dep): +def verify_cert_post_processor(dep): cert_container = dep.spec.template.spec.init_containers[2] print(cert_container) - assert cert_container.image == "repo/oom-truststore-merger:1.2.3" - assert cert_container.name == "truststore-merger" + assert cert_container.image == "repo/oom-cert-post-processor:2.1.0" + assert cert_container.name == "cert-post-processor" assert len(cert_container.volume_mounts) == 1 assert cert_container.volume_mounts[0].name == "tls-info" assert cert_container.volume_mounts[0].mount_path == "/opt/dcae/cacert/" diff --git a/k8s/tests/test_k8sclient_deploy.py b/k8s/tests/test_k8sclient_deploy.py index a325b68..b710a79 100644 --- a/k8s/tests/test_k8sclient_deploy.py +++ b/k8s/tests/test_k8sclient_deploy.py @@ -25,7 +25,7 @@ import pytest from common import do_deploy from common import do_deploy_ext from common import verify_external_cert -from common import verify_truststore_merger +from common import verify_cert_post_processor def test_deploy_full_tls(mockk8sapi): ''' Deploy component with a full TLS configuration, to act as a server ''' @@ -68,6 +68,6 @@ def test_deploy_external_cert(mockk8sapi): # Make sure all of the external init container parameters are correct verify_external_cert(dep) - verify_truststore_merger(dep) + verify_cert_post_processor(dep) -- cgit 1.2.3-korg