From f14264024fc0d3103922360d2e7bb6dce114bf09 Mon Sep 17 00:00:00 2001 From: Michael Hwang Date: Wed, 17 Jul 2019 23:24:36 -0400 Subject: Support calling inventory using HTTPS Issue-ID: DCAEGEN2-1597 Change-Id: Ie1dc18ad753e5f43223ce699dfbceb1649dc6235 Signed-off-by: Michael Hwang --- ChangeLog.md | 3 ++- README.md | 11 +++++++++++ pom.xml | 8 ++++++-- project.clj | 2 +- resources/sch.sh | 47 +++++++++++++++++++++++++++++++++++++++++++++++ version.properties | 2 +- 6 files changed, 68 insertions(+), 5 deletions(-) create mode 100755 resources/sch.sh diff --git a/ChangeLog.md b/ChangeLog.md index 71de2fc..80e80cf 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -5,10 +5,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). -## [] +## [1.3.0] * Add non-root user in Docker image so that the inventory service can be run in non-privileged mode for security reasons DCAEGEN2-1555 * Change base image to alpine based DCAEGEN2-1566 +* Support calling inventory using HTTPS DCAEGEN2-1597 ## [1.1.3] diff --git a/README.md b/README.md index 540d0e9..4128632 100644 --- a/README.md +++ b/README.md 
@@ -43,3 +43,14 @@ Usage of production mode when config is remote stored in Consul: ``` java -jar dcae-service-change-handler-0.1.0.jar prod http://consul:8500/v1/kv/service-change-handler?raw=true ``` + +#### Use script + +[`sch.sh`](resources/sch.sh) is a script to run service change handler that connects with inventory using HTTPS. The script attempts to add a custom CA cert to the OS's key store `/etc/ssl/certs/java/cacerts` and then launches service change handler. The custom CA cert is used to validate the server-side cert provided by inventory at runtime. + +The script uses the following environment variables: + +Name | Description | Default +---- | ----------- | ------- +`PATH_TO_CACERT` | Local file path to the CA cert that needs to be added to the keystore | `/opt/cert/cacert.pem` +`SCH_ARGS` | Args to be passed into the SCH run command | `prod http://consul:8500/v1/kv/service-change-handler?raw=true` diff --git a/pom.xml b/pom.xml index 82975c3..172a81d 100644 --- a/pom.xml +++ b/pom.xml @@ -29,7 +29,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. org.onap.dcaegen2.platform servicechange-handler - 1.2.0-SNAPSHOT + 1.3.0-SNAPSHOT jar @@ -224,12 +224,15 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. openjdk:8-jre-alpine sch + apk update + apk add bash + chmod 666 /etc/ssl/certs/java/cacerts addgroup -S sch adduser -S -G sch sch - ["java", "-jar", "/opt/servicechange-handler.jar", "prod", "http://consul:8500/v1/kv/service-change-handler?raw=true"] + ["sch.sh"] @@ -241,6 +244,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property. /opt ${project.basedir}/resources health.sh + sch.sh diff --git a/project.clj b/project.clj index 3731a39..d1b95a8 100644 --- a/project.clj +++ b/project.clj 
@@ -21,7 +21,7 @@ ; Using lein for REPL and testing because couldn't get Maven clojure plugin to work ; for these functional areas. -(defproject service-change-handler "0.1.0" +(defproject service-change-handler "1.3.0" :description "Service change handler" :dependencies [[org.clojure/clojure "1.8.0"] [cheshire/cheshire "5.8.0"] diff --git a/resources/sch.sh b/resources/sch.sh new file mode 100755 index 0000000..0a68858 --- /dev/null +++ b/resources/sch.sh 
@@ -0,0 +1,47 @@ +#!/bin/bash +# ================================================================================ +# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# +# ECOMP is a trademark and service mark of AT&T Intellectual Property. + +# The following variables are checked if set, if not set then an error is raised +# PATH_TO_CACERT is the full file path to the cacert that must be added to the +# existing keystore +if [ -z "$PATH_TO_CACERT" ]; then + # TODO: Make this variable not required and thus not do the keytool call + echo "Missing required environment variable: PATH_TO_CACERT" + echo "Please set this variable to the full local path of the CA cert pem file that is to be added" + echo "Example: PATH_TO_CACERT=/opt/cert/cacert.pem" + exit 1 +fi + +# SCH_ARGS are all the args to be passed into the SCH java run command +if [ -z "$SCH_ARGS" ]; then + echo "Missing required environment variable: SCH_ARGS" + echo "Please set this variable to the command-line args to be used to run service change handler" + echo "Example: SCH_ARGS=prod /opt/config.json" + echo "Example: SCH_ARGS=prod http://consul:8500/v1/kv/service-change-handler?raw=true" + exit 1 +fi + +# Add the cacert to validate inventory's cert to support TLS. 
This command is +# allowed to fail when there is no need for https. +# NOTE: This user must have permission to write to /etc/ssl/certs/java/cacerts +keytool -importcert -file $PATH_TO_CACERT -keystore /etc/ssl/certs/java/cacerts -alias "inventory" -noprompt -storepass changeit + +# Now launch SCH +java -jar /opt/servicechange-handler.jar $SCH_ARGS + diff --git a/version.properties b/version.properties index 00ef564..7d6815b 100644 --- a/version.properties +++ b/version.properties @@ -1,5 +1,5 @@ major=1 -minor=2 +minor=3 patch=0 base_version=${major}.${minor}.${patch} release_version=${base_version} -- cgit 1.2.3-korg
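Review bot: in the README hunk, the table's Default column does not match the script this change adds in resources/sch.sh. PATH_TO_CACERT and SCH_ARGS are listed with defaults `/opt/cert/cacert.pem` and `prod http://consul:8500/v1/kv/service-change-handler?raw=true`, but sch.sh exits with "Missing required environment variable" when either is unset, so those values are examples, not defaults. Either make the script fall back to them (e.g. `: "${SCH_ARGS:=prod http://consul:8500/v1/kv/service-change-handler?raw=true}"`), which would also preserve the old ENTRYPOINT behaviour for deployments that set no variables, or rename the column to "Example" and state that both variables are required. The usage line in the hunk's context still says `dcae-service-change-handler-0.1.0.jar` while project.clj is bumped to 1.3.0 in this same patch, so it is worth updating that too.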
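Review bot: in the pom.xml Docker build hunk, `chmod 666 /etc/ssl/certs/java/cacerts` makes the JVM system trust store world-writable inside the image, so any process in the container, not only the sch user created two lines later, can add a CA that the service will then trust, which weakens the certificate validation this change is meant to introduce. Prefer `chown sch:sch /etc/ssl/certs/java/cacerts` with mode 644 after `adduser`, or copy cacerts to a user-owned path and point the JVM at it with `-Djavax.net.ssl.trustStore`. Two smaller points in the same hunk: the new ENTRYPOINT `["sch.sh"]` has no path while the following hunk copies the resources to `/opt`, so unless `/opt` is on PATH in the base image the container will fail to start and `["/opt/sch.sh"]` is safer; and `apk update` followed by `apk add bash` leaves the index in the layer, where `apk add --no-cache bash` would not.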
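Review bot: in the resources/sch.sh hunk, the keytool call neither quotes its input nor checks its result: `keytool -importcert -file $PATH_TO_CACERT ...` should use `"$PATH_TO_CACERT"`, and because the script insists on the variable being set but then lets the import fail silently, a missing or unreadable cert file only shows up later as a TLS handshake failure against inventory. Suggest checking the exit status (`|| { echo "Failed to import $PATH_TO_CACERT"; exit 1; }`) and, as the TODO already says, running the import only when PATH_TO_CACERT is set rather than requiring it, which is what the comment "allowed to fail when there is no need for https" seems to intend. The last line should be `exec java -jar /opt/servicechange-handler.jar $SCH_ARGS` so the JVM replaces the shell as PID 1 and receives SIGTERM from the container runtime; `$SCH_ARGS` is intentionally unquoted there for word splitting, and a comment saying so would stop a later cleanup from "fixing" it.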