From 75758e6b5202c3a913c7a3509c3596a11c6270ad Mon Sep 17 00:00:00 2001 From: Joanna Jeremicz Date: Wed, 29 Jul 2020 12:20:10 +0200 Subject: Certificates from CMPv2 server - handle incorrect blueprint K8splugin will stop without deployment creation when external_cert does not contain all the required parameters Bugfix: K8splugin will not create cert-service-client init container by default Issue-ID: DCAEGEN2-2252 DCAEGEN2-2380 Signed-off-by: Joanna Jeremicz Change-Id: Ibb6ada925ad8c7f1609e01ba9021a7dbcf0fe644 --- k8s/ChangeLog.md | 5 +++++ k8s/k8splugin/tasks.py | 19 +++++++++++++++++++ k8s/k8splugin_types.yaml | 4 ++-- k8s/pom.xml | 2 +- k8s/setup.py | 2 +- 5 files changed, 28 insertions(+), 4 deletions(-) (limited to 'k8s') diff --git a/k8s/ChangeLog.md b/k8s/ChangeLog.md index 16300b0..d7b1da6 100644 --- a/k8s/ChangeLog.md +++ b/k8s/ChangeLog.md @@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## [3.3.0] +* DCAEGEN2-2252 - Add support to request certificates from CMPv2 server in DCAE cloudify blueprints + - handle incorrect blueprint +* DCAEGEN2-2380 - K8splugin should not create cert-service-client init container by default + ## [3.2.0] * DCAEGEN2-2309 - Adapt with K8S 1.17 version of APIs diff --git a/k8s/k8splugin/tasks.py b/k8s/k8splugin/tasks.py index 57fb8fb..e03e4d2 100644 --- a/k8s/k8splugin/tasks.py +++ b/k8s/k8splugin/tasks.py 
@@ -59,6 +59,14 @@ K8S_DEPLOYMENT = "k8s_deployment" RESOURCE_KW = "resource_config" LOCATION_ID = "location_id" +# External cert parameters +EXT_CERT_DIR = "external_cert_directory" +EXT_CA_NAME = "ca_name" +EXT_CERT_PARAMS = "external_certificate_parameters" +EXT_COMMON_NAME = "common_name" +EXT_CERT_ERROR_MESSAGE = "Provided blueprint is incorrect. It specifies external_cert without all the required parameters. " \ + "Required parameters are: {0}, {1}, {2}.{3}".format(EXT_CERT_DIR, EXT_CA_NAME, EXT_CERT_PARAMS, EXT_COMMON_NAME) + # Utility methods # Lifecycle interface calls for dcae.nodes.DockerContainer @@ -227,6 +235,14 @@ def _verify_k8s_deployment(location, service_component_name, max_wait): return True +def _fail_if_external_cert_incorrect(external_cert): + if not (external_cert.get(EXT_CERT_DIR) + and external_cert.get(EXT_CA_NAME) + and external_cert.get(EXT_CERT_PARAMS) + and external_cert.get(EXT_CERT_PARAMS).get(EXT_COMMON_NAME)): + ctx.logger.error(EXT_CERT_ERROR_MESSAGE) + raise NonRecoverableError(EXT_CERT_ERROR_MESSAGE) + def _create_and_start_container(container_name, image, **kwargs): ''' This will create a k8s Deployment and, if needed, a k8s Service or two. @@ -262,6 +278,9 @@ def _create_and_start_container(container_name, image, **kwargs): - k8s_location: name of the Kubernetes location (cluster) where the component is to be deployed ''' tls_info = kwargs.get("tls_info") or {} + external_cert = kwargs.get("external_cert") + if external_cert and external_cert.get("use_external_tls"): + _fail_if_external_cert_incorrect(external_cert) cert_dir = tls_info.get("cert_directory") or COMPONENT_CERT_DIR env = { "CONSUL_HOST": CONSUL_INTERNAL_NAME, "CONFIG_BINDING_SERVICE": "config-binding-service", diff --git a/k8s/k8splugin_types.yaml b/k8s/k8splugin_types.yaml index ff649df..5d354f7 100644 --- a/k8s/k8splugin_types.yaml +++ b/k8s/k8splugin_types.yaml 
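Review bot: The new key constants in the first tasks.py hunk stop short of the two keys that the call site in the third hunk reads, which still appear as the literals `"external_cert"` and `"use_external_tls"`. Defining them beside `EXT_CERT_DIR`, for example `EXT_CERT = "external_cert"` and `EXT_USE_TLS = "use_external_tls"`, would keep every blueprint key for this feature in one place. The two-line `EXT_CERT_ERROR_MESSAGE` expression would also read more easily wrapped in parentheses than continued with a trailing backslash.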
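Review bot: In `_fail_if_external_cert_incorrect` (second tasks.py hunk) the chained `external_cert.get(EXT_CERT_PARAMS).get(EXT_COMMON_NAME)` assumes the value is a mapping. A blueprint that puts a non-empty string or list there would raise `AttributeError` rather than the intended `NonRecoverableError`, so the malformed-blueprint case this commit targets is only partly covered. Whether the orchestrator's type validation already rejects such input is not visible here, so treat this as a hardening step. The fixed message also never says which of the four keys is missing, and the function has no docstring. The fence below guards the type and adds a one-line docstring.

```python
def _fail_if_external_cert_incorrect(external_cert):
    '''Raise NonRecoverableError unless external_cert carries every required parameter.'''
    cert_params = external_cert.get(EXT_CERT_PARAMS)
    if not isinstance(cert_params, dict):
        # A non-mapping value counts as "missing" instead of crashing on .get()
        cert_params = {}
    required = (
        external_cert.get(EXT_CERT_DIR),
        external_cert.get(EXT_CA_NAME),
        cert_params.get(EXT_COMMON_NAME),
    )
    if not all(required):
        # … unchanged: log EXT_CERT_ERROR_MESSAGE and raise NonRecoverableError …
```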
@@ -23,7 +23,7 @@ plugins: k8s: executor: 'central_deployment_agent' package_name: k8splugin - package_version: 3.2.0 + package_version: 3.3.0 data_types: @@ -100,7 +100,7 @@ data_types: Flag indicating whether external TLS is to be used type: boolean required: false - default: true + default: false ca_name: description: > Name of Certificate Authority configured on CertService side diff --git a/k8s/pom.xml b/k8s/pom.xml index 8a541d4..c91dcbf 100644 --- a/k8s/pom.xml +++ b/k8s/pom.xml @@ -28,7 +28,7 @@ limitations under the License. org.onap.dcaegen2.platform.plugins k8s k8s-plugin - 3.2.0-SNAPSHOT + 3.3.0-SNAPSHOT http://maven.apache.org UTF-8 diff --git a/k8s/setup.py b/k8s/setup.py index da3a7d3..7ff694b 100644 --- a/k8s/setup.py +++ b/k8s/setup.py @@ -23,7 +23,7 @@ from setuptools import setup setup( name='k8splugin', description='Cloudify plugin for containerized components deployed using Kubernetes', - version="3.2.0", + version="3.3.0", author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek', packages=['k8splugin','k8sclient','configure'], zip_safe=False, -- cgit 1.2.3-korg
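Review bot: Flipping the `use_external_tls` default to `false` in the second k8splugin_types.yaml hunk changes behaviour for any existing blueprint that supplies `external_cert` without setting the flag. Judging by the commit message, such a component now deploys without the cert-service-client init container, and the new parameter check in tasks.py is skipped as well, with nothing in the type description to tell the operator. I would extend the description to state the default and the opt-in, e.g. `Flag indicating whether external TLS is to be used. Defaults to false; set to true explicitly to request certificates from CertService.` The surrounding `data_types` definition starts and ends outside the hunk.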