From bd7d70b16ffce30e31acd0bf1013b1392ca5fb81 Mon Sep 17 00:00:00 2001
From: Joanna Jeremicz
Date: Fri, 26 Jun 2020 16:53:53 +0200
Subject: Add support to request certificates from CMPv2 server in DCAE cloudify blueprints

If the blueprint specifies that the component uses external TLS via the `external_cert` property, the `Deployment` includes an additional init container and the component's container. The init container populates the external TLS certificate artifacts in mounted volume. The container requires CMPv2 CertService to work properly.

Issue-ID: DCAEGEN2-2252
Signed-off-by: Joanna Jeremicz
Change-Id: I90cb79120ffaf634fc1f5b8a03a83abb30deb2b7
---
 k8s/tests/common.py | 63 ++++++++++++++++++++++++++++++++++++++
 k8s/tests/test_k8sclient_deploy.py | 21 +++++++++++++
 2 files changed, 84 insertions(+)

(limited to 'k8s/tests')

diff --git a/k8s/tests/common.py b/k8s/tests/common.py
index 1801433..9778d1f 100644
--- a/k8s/tests/common.py
+++ b/k8s/tests/common.py
@@ -3,6 +3,7 @@
 # ================================================================================
 # Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
 # Copyright (c) 2020 Pantheon.tech. All rights reserved.
+# Copyright (c) 2020 Nokia. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -35,6 +36,18 @@ def _set_k8s_configuration():
             "image": "tlsrepo/tls-init-container:1.2.3",
             "component_cert_dir": "/opt/dcae/cacert"
         },
+        "external_cert": {
+            "image_tag": "repo/aaf-certservice-client:1.2.3",
+            "request_url" : "https://request:1010/url",
+            "timeout" : "30000",
+            "country" : "US",
+            "organization" : "Linux-Foundation",
+            "state" : "California",
+            "organizational_unit" : "ONAP",
+            "location" : "San-Francisco",
+            "keystore_password" : "secret1",
+            "truststore_password" : "secret2"
+        },
         "cbs": {
             "base_url": "https://config-binding-service:10443/service_component_all/test-component"
         }
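Review bot: The new `external_cert` fixture entries put a space before the colon (`"request_url" : ...` through `"truststore_password" : ...`), which departs from the `"key": value` style of the neighbouring entries (`"image_tag":`, `"image":`, `"base_url":`); drop the space, e.g. `"request_url": "https://request:1010/url",`. The `keystore_password`/`truststore_password` values here are the literals that `verify_external_cert` in the same file asserts as the init container's env values, so a short comment such as `# values are asserted by verify_external_cert` would keep the two spots from drifting apart. `_set_k8s_configuration` starts and ends outside the hunk.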
@@ -114,6 +127,38 @@ def verify_common(dep, deployment_description):
     # Needs to be correctly labeled so that the Service can find it
     assert dep.spec.template.metadata.labels["app"] == "testcomponent"
 
+def verify_external_cert(dep):
+    cert_container = dep.spec.template.spec.init_containers[1]
+    print(cert_container)
+    assert cert_container.image == "repo/aaf-certservice-client:1.2.3"
+    assert cert_container.name == "cert-service-client"
+    assert len(cert_container.volume_mounts) == 2
+    assert cert_container.volume_mounts[0].name == "tls-info"
+    assert cert_container.volume_mounts[0].mount_path == "/path/to/container/cert/directory/"
+    assert cert_container.volume_mounts[1].name == "tls-volume"
+    assert cert_container.volume_mounts[1].mount_path == "/etc/onap/aaf/certservice/certs/"
+
+    expected_envs = {
+        "REQUEST_URL": "https://request:1010/url",
+        "REQUEST_TIMEOUT": "30000",
+        "OUTPUT_PATH": "/path/to/container/cert/directory/external",
+        "OUTPUT_TYPE": "P12",
+        "CA_NAME": "myname",
+        "COMMON_NAME": "mycommonname",
+        "ORGANIZATION": "Linux-Foundation",
+        "ORGANIZATION_UNIT": "ONAP",
+        "LOCATION": "San-Francisco",
+        "STATE": "California",
+        "COUNTRY": "US",
+        "SANS": "mysans",
+        "KEYSTORE_PATH": "/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks",
+        "KEYSTORE_PASSWORD": "secret1",
+        "TRUSTSTORE_PATH": "/etc/onap/aaf/certservice/certs/truststore.jks",
+        "TRUSTSTORE_PASSWORD": "secret2"}
+
+    envs = {k.name: k.value for k in cert_container.env}
+    for k in expected_envs:
+        assert (k in envs and expected_envs[k] == envs[k])
 
 def do_deploy(tls_info=None):
     ''' Common deployment operations '''
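Review bot: `print(cert_container)` on the second line of `verify_external_cert` is leftover debugging output and should be removed; pytest already reports the failing assertion with its context. The closing loop `assert (k in envs and expected_envs[k] == envs[k])` fails without naming the variable that was missing or wrong, whereas a dict comparison, `assert {k: envs.get(k) for k in expected_envs} == expected_envs`, gives a readable diff of every mismatch at once. Note that these assertions pin the contract that `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` arrive as literal `value` strings on the init container, which is readable by anyone who can view the pod spec; if the implementation is later changed to a Secret-backed `value_from`, this helper has to change too, and a comment saying so would help the next maintainer. The helper also has no docstring; `''' Check the cert-service-client init container, its mounts and its environment '''` would match the file's style.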
@@ -133,3 +178,21 @@ def do_deploy(tls_info=None):
     verify_common(dep, deployment_description)
 
     return dep, deployment_description
+
+
+def do_deploy_ext(ext_tls_info):
+    ''' Common deployment operations '''
+    import k8sclient.k8sclient
+
+    k8s_test_config = _set_k8s_configuration()
+
+    kwargs = _set_common_kwargs()
+    kwargs['resources'] = _set_resources()
+    kwargs["external_cert"] = ext_tls_info
+
+    dep, deployment_description = k8sclient.k8sclient.deploy("k8stest", "testcomponent", "example.com/testcomponent:1.4.3", 1, False, k8s_test_config, **kwargs)
+
+    # Make sure all of the basic k8s parameters are correct
+    verify_common(dep, deployment_description)
+
+    return dep, deployment_description
diff --git a/k8s/tests/test_k8sclient_deploy.py b/k8s/tests/test_k8sclient_deploy.py
index 3755855..30490a6 100644
--- a/k8s/tests/test_k8sclient_deploy.py
+++ b/k8s/tests/test_k8sclient_deploy.py
@@ -2,6 +2,7 @@
 # org.onap.dcae
 # ================================================================================
 # Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2020 Nokia. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,6 +23,8 @@ import pytest from common import do_deploy +from common import do_deploy_ext +from common import verify_external_cert def test_deploy_full_tls(mockk8sapi): ''' Deploy component with a full TLS configuration, to act as a server '''
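Review bot: `do_deploy_ext` reuses `do_deploy`'s docstring `''' Common deployment operations '''` even though its one distinguishing step is `kwargs["external_cert"] = ext_tls_info`; say so, e.g. `''' Deploy with an external_cert (CMPv2) configuration; otherwise the same as do_deploy '''`. Judging from the visible lines the rest of the body is a copy of `do_deploy` (whose start lies outside the hunk), so extending `do_deploy` with an optional `external_cert=None` keyword that sets the kwarg only when given would avoid maintaining two copies of the deploy call; this is inferred, since `do_deploy`'s full body is not shown. The copyright and import hunks on this line are trivial.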
@@ -46,3 +49,21 @@ def test_deploy_no_tls_info(mockk8sapi):
 
     app_container = dep.spec.template.spec.containers[0]
     assert app_container.volume_mounts[2].mount_path == "/opt/dcae/cacert"
+
+def test_deploy_external_cert(mockk8sapi):
+    ''' Deploy component with external TLS configuration '''
+
+    dep, deployment_description = do_deploy_ext({"external_cert_directory": "/path/to/container/cert/directory/",
+                                                 "use_external_tls": True,
+                                                 "cert_type": "P12",
+                                                 "ca_name": "myname",
+                                                 "external_certificate_parameters": {
+                                                     "common_name": "mycommonname",
+                                                     "sans": "mysans"}
+                                                 })
+
+    app_container = dep.spec.template.spec.containers[0]
+    assert app_container.volume_mounts[2].mount_path == "/opt/dcae/cacert"
+
+    # Make sure all of the external init container parameters are correct
+    verify_external_cert(dep)
-- 
cgit 1.2.3-korg
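Review bot: `test_deploy_external_cert` checks the app container only through `app_container.volume_mounts[2].mount_path == "/opt/dcae/cacert"`, the same assertion `test_deploy_no_tls_info` makes above; nothing verifies that the component's container receives the external certificate directory passed in as `external_cert_directory`, which is the feature this commit adds. If the deployment is meant to expose that directory to the component, add e.g. `assert any(m.mount_path == "/path/to/container/cert/directory/" for m in app_container.volume_mounts)`; whether the app container is supposed to mount it is inferred from the commit message, not from the visible code. There is also no negative case: a companion test that deploys with `"use_external_tls": False` and asserts that no `cert-service-client` init container is present would catch the CMPv2 client (and the keystore/truststore passwords in its env) being attached to components that did not ask for external TLS, assuming `use_external_tls` is the gating flag.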