From d2da2cc4bd18fe33124dd105608443c10f981a2d Mon Sep 17 00:00:00 2001 From: Filip Krzywka Date: Wed, 20 Mar 2019 10:42:19 +0100 Subject: Update HV-VES testsuites This commit follows related changes made in DCAEGEN2-1340 and overall DCAEGEN2-1151 story. - use configuration files instead of command line parameters - organize collector volumes for ease of use - move environment variables to .env file for reuse - removed redundant aliases in ves-hv-network Change-Id: I782db9d0996308810834c322906ab861be183193 Issue-ID: DCAEGEN2-1340 
Signed-off-by: Filip Krzywka --- plans/dcaegen2-collectors-hv-ves/testsuites/.env | 6 ++- .../collector/configuration/insecure.json | 28 ++++++++++ .../testsuites/collector/configuration/secure.json | 34 +++++++++++++ .../testsuites/collector/ssl/.gitignore | 6 +++ .../testsuites/collector/ssl/Makefile-openssl | 41 +++++++++++++++ .../testsuites/collector/ssl/README.md | 54 ++++++++++++++++++++ .../testsuites/collector/ssl/gen-certs.sh | 59 ++++++++++++++++++++++ .../testsuites/docker-compose.yml | 36 ++++++------- .../dcaegen2-collectors-hv-ves/testsuites/setup.sh | 4 +- .../testsuites/ssl/.gitignore | 6 --- .../testsuites/ssl/Makefile-openssl | 41 --------------- .../testsuites/ssl/README.md | 54 -------------------- .../testsuites/ssl/gen-certs.sh | 59 ---------------------- .../testsuites/teardown.sh | 4 +- 14 files changed, 246 insertions(+), 186 deletions(-) create mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/insecure.json create mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/secure.json create mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/.gitignore create mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/Makefile-openssl create mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/README.md create mode 100755 plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/gen-certs.sh delete mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore delete mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl delete mode 100644 plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md delete mode 100755 plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh (limited to 'plans') diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/.env b/plans/dcaegen2-collectors-hv-ves/testsuites/.env index 7e2fffcf..1558083f 100644 --- a/plans/dcaegen2-collectors-hv-ves/testsuites/.env 
+++ b/plans/dcaegen2-collectors-hv-ves/testsuites/.env @@ -9,4 +9,8 @@ DCAE_APP_SIMULATOR_IMAGE=hv-collector-dcae-app-simulator HV_VES_VERSION=1.1-SNAPSHOT HV_VES_HEALTHCHECK_CMD=curl --request GET --fail --silent --show-error localhost:6060/health/ready && nc -vz localhost 6061 -HV_VES_MAIN_CLASS=org.onap.dcae.collectors.veshv.main.MainKt + +JAVA_OPTS=-Dio.netty.leakDetection.level=paranoid +CONSUL_HOST=consul-server +CONFIG_BINDING_SERVICE=cbs +HV_VES_HOSTNAME=dcae-hv-ves-collector \ No newline at end of file diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/insecure.json b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/insecure.json new file mode 100644 index 00000000..9af02ffd --- /dev/null +++ b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/insecure.json @@ -0,0 +1,28 @@ +{ + "server": { + "listenPort": 6061, + "idleTimeoutSec": 60, + "maxPayloadSizeBytes": 1048576 + }, + "cbs": { + "firstRequestDelaySec": 5, + "requestIntervalSec": 10 + }, + "security": { + "sslDisable": true + }, + "collector": { + "maxRequestSizeBytes": 1048576, + "kafkaServers": [ + "kafka:9092" + ], + "routing": [ + { + "fromDomain": "perf3gpp", + "toTopic": "TEST_HV_VES_PERF3GPP" + } + ], + "dummyMode": false + }, + "logLevel": "DEBUG" +} \ No newline at end of file diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/secure.json b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/secure.json new file mode 100644 index 00000000..5aa2b0aa --- /dev/null +++ b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/configuration/secure.json 
@@ -0,0 +1,34 @@
+{
+ "server": {
+ "listenPort": 6061,
+ "idleTimeoutSec": 60,
+ "maxPayloadSizeBytes": 1048576
+ },
+ "cbs": {
+ "firstRequestDelaySec": 5,
+ "requestIntervalSec": 10
+ },
+ "security": {
+ "sslDisable": false,
+ "keys": {
+ "keyStoreFile": "/etc/hv-ves/ssl/server.p12",
+ "keyStorePassword": "onaponap",
+ "trustStoreFile": "/etc/hv-ves/ssl/trust.p12",
+ "trustStorePassword": "onaponap"
+ }
+ },
+ "collector": {
+ "maxRequestSizeBytes": 1048576,
+ "kafkaServers": [
+ "kafka:9092"
+ ],
+ "routing": [
+ {
+ "fromDomain": "perf3gpp",
+ "toTopic": "TEST_HV_VES_PERF3GPP"
+ }
+ ],
+ "dummyMode": false
+ },
+ "logLevel": "DEBUG"
+}
\ No newline at end of file
diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/.gitignore b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/.gitignore
new file mode 100644
index 00000000..0729569c
--- /dev/null
+++ b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/.gitignore
@@ -0,0 +1,6 @@
+*.crt
+*.key
+*.srl
+*.csr
+*.pkcs12
+*.p12
diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/Makefile-openssl b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/Makefile-openssl
new file mode 100644
index 00000000..a32d30dd
--- /dev/null
+++ b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/Makefile-openssl
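Review bot: In secure.json, `keyStorePassword` and `trustStorePassword` are committed in clear text and have to match `STORE_PASS=onaponap` in collector/ssl/gen-certs.sh by hand; nothing in the change ties the two together, so changing one side would presumably stop the TLS collector from opening its stores. JSON cannot carry a comment, so I would state in collector/ssl/README.md that these stores and their password are throwaway test fixtures regenerated by setup.sh and must not be reused outside the test suite. The config also sets `"logLevel": "DEBUG"`, which is fine for a test run, but it is worth confirming that debug output does not print the `security.keys` section.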
@@ -0,0 +1,41 @@
+FILE=sample
+PASSWD=onaponap
+CA_PASSWD=onaponap
+SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO
+CA=trust
+
+sign: $(FILE).crt
+
+clean:
+ rm -f *.crt *.key *.srl *.csr *.pkcs12
+
+generate-ca-certificate: $(CA).crt
+
+generate-private-key: $(FILE).key
+
+create-public-key: $(FILE).pub
+
+create-sign-request: $(FILE).csr
+
+create-key-store: $(FILE).ks.pkcs12
+
+create-trust-store: $(CA).crt
+ openssl pkcs12 -export -in $(CA).crt -CAfile $(CA).crt -out $(CA).pkcs12 -nokeys -noiter -nomaciter -passout pass:$(PASSWD)
+
+$(CA).crt:
+ openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)"
+
+$(FILE).key:
+ openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048
+
+$(FILE).pub: $(FILE).key
+ openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt
+
+$(FILE).csr: $(FILE).key
+ openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)"
+
+$(FILE).crt: $(CA).crt $(FILE).csr
+ openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD)
+
+$(FILE).ks.pkcs12: $(FILE).key $(FILE).crt $(CA).crt
+ openssl pkcs12 -export -in $(FILE).crt -inkey $(FILE).key -CAfile $(CA).crt -out $(FILE).ks.pkcs12 -noiter -nomaciter -passout pass:$(PASSWD)
diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/README.md b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/README.md
new file mode 100644
index 00000000..c2819d24
--- /dev/null
+++ b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/README.md
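Review bot: The `$(FILE).pub` rule in Makefile-openssl does not build its target: the recipe signs a hard-coded `client.csr` into `client.crt`, ignores `$(FILE)`, and omits the `-passin pass:$(CA_PASSWD)` that the `$(FILE).crt` rule passes, so `make create-public-key` would prompt or fail and never produce `$(FILE).pub`. If a public key is what is wanted, the recipe would be `openssl pkey -in $(FILE).key -pubout -out $@`. Both `openssl pkcs12 -export` recipes pass `-noiter -nomaciter`, which removes the iteration counts on the key and MAC algorithms and leaves the store password as thin protection for the private key; unless a consumer requires that, I would drop the two flags. The command targets (`sign`, `clean`, `generate-*`, `create-*`) are not declared `.PHONY`, and `create-trust-store` writes `$(CA).pkcs12` while secure.json expects `trust.p12`. The file is moved unchanged from testsuites/ssl (same blob id a32d30dd), so these predate the commit.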
@@ -0,0 +1,54 @@
+# Generating SSL certificates
+
+## Java keytool way (recommended)
+
+To generate:
+
+```shell
+./gen-certs.sh
+```
+
+To clean (remove generated files):
+
+```shell
+./gen-certs.sh clean
+```
+
+## OpenSSL way (currently might not work)
+
+> Add `-f Makefile-openssl` to each command
+
+Typical usage:
+
+```shell
+make FILE=client
+make FILE=server
+```
+
+or (to generate PKCS12 key and trust stores):
+
+```shell
+make create-key-store FILE=client
+make create-key-store FILE=server
+make create-trust-store
+```
+
+Will generate CA certificate and signed client and server certificates.
+
+More "low-level" usage:
+
+```shell
+make generate-ca-certificate
+make generate-private-key FILE=client
+make sign FILE=client
+```
+
+# Connecting to a server
+
+First generate *client* and *server* certificates. Then start a server with it's cert and make ca.crt a trusted certification authority.
+
+After that you can:
+
+```shell
+./connect.sh client localhost:8600 < file_with_a_data_to_be_sent.dat
+```
diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/gen-certs.sh b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/gen-certs.sh
new file mode 100755
index 00000000..34572f7a
--- /dev/null
+++ b/plans/dcaegen2-collectors-hv-ves/testsuites/collector/ssl/gen-certs.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail -o xtrace
+
+STORE_PASS=onaponap
+CN_PREFIX=dcaegen2-hvves
+DNAME_PREFIX="C=PL,ST=DL,L=Wroclaw,O=Nokia,OU=MANO,CN=${CN_PREFIX}"
+
+store_opts="-storetype PKCS12 -storepass ${STORE_PASS} -noprompt"
+
+function gen_key() {
+ local key_name="$1"
+ local ca="$2"
+ local keystore="-keystore ${key_name}.p12 ${store_opts}"
+ keytool -genkey -alias ${key_name} \
+ ${keystore} \
+ -keyalg RSA \
+ -validity 730 \
+ -keysize 2048 \
+ -dname "${DNAME_PREFIX}-${key_name}"
+ keytool -import -trustcacerts -alias ${ca} -file ${ca}.crt ${keystore}
+
+ keytool -certreq -alias ${key_name} -keyalg RSA ${keystore} | \
+ keytool -alias ${ca} -gencert -ext "san=dns:${CN_PREFIX}-${ca}" ${store_opts} -keystore ${ca}.p12 | \
+ keytool -alias ${key_name} -importcert ${keystore}
+}
+
+
+function gen_ca() {
+ local ca="$1"
+ keytool -genkeypair ${store_opts} -alias ${ca} -dname "${DNAME_PREFIX}-${ca}" -keystore ${ca}.p12
+ keytool -export -alias ${ca} -file ${ca}.crt ${store_opts} -keystore ${ca}.p12
+}
+
+function gen_truststore() {
+ local name="$1"
+ local trusted_ca="$2"
+ keytool -import -trustcacerts -alias ca -file ${trusted_ca}.crt ${store_opts} -keystore ${name}.p12
+}
+
+function clean() {
+ rm -f *.crt *.p12
+}
+
+if [[ $# -eq 0 ]]; then
+ gen_ca ca
+ gen_ca untrustedca
+ gen_truststore trust ca
+ gen_truststore untrustedtrust untrustedca
+ gen_key client ca
+ gen_key server ca
+ gen_key untrustedclient untrustedca
+elif [[ $1 == "clean" ]]; then
+ clean
+else
+ echo "usage: $0 [clean]"
+ exit 1
+fi
+
diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml b/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml
index ac07eb78..32b39438 100644
--- a/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml
+++ b/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml
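Review bot: In `gen_key` of gen-certs.sh the leaf certificate's subjectAltName is built from the CA name, `-ext "san=dns:${CN_PREFIX}-${ca}"`, so the client, server and untrustedclient certificates all carry their issuer's name as SAN rather than their own `${key_name}`; if that is not deliberate the extension should read `-ext "san=dns:${CN_PREFIX}-${key_name}"`, and if it is, a comment should say why. `gen_ca` calls `keytool -genkeypair` without `-keyalg` or a BasicConstraints extension, so the key algorithm falls to the JDK default and the CA certificate is not marked as a CA; adding `-keyalg RSA -keysize 2048 -ext bc=ca:true` would make both explicit. `set -o xtrace` echoes every `-storepass ${STORE_PASS}` into the job log, which is harmless for this fixed test password but leaks as soon as the value stops being a constant. The script is moved unchanged from testsuites/ssl (same blob id 34572f7a).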
@@ -56,13 +56,14 @@ services: ports: - "10000:10000" environment: - CONSUL_HOST: "consul-server" + - CONSUL_HOST depends_on: - consul-server networks: ves-hv-default: aliases: - cbs + # # DCAE HV VES Collector # @@ -72,22 +73,19 @@ services: ports: - "6060:6060" - "6061:6061/tcp" - command: ["--listen-port", "6061", - "--kafka-bootstrap-servers", "kafka:9092", - "--key-store-password", "onaponap", - "--trust-store-password", "onaponap"] + command: ["--configuration-file", "/etc/hv-ves/configuration/secure.json"] environment: - JAVA_OPTS: "-Dio.netty.leakDetection.level=paranoid" - CONSUL_HOST: "consul-server" - CONFIG_BINDING_SERVICE: "cbs" - HOSTNAME: "dcae-hv-ves-collector" + - JAVA_OPTS + - HOSTNAME=${HV_VES_HOSTNAME} + - CONSUL_HOST + - CONFIG_BINDING_SERVICE healthcheck: interval: 10s timeout: 5s retries: 2 test: ${HV_VES_HEALTHCHECK_CMD} volumes: - - ./ssl/:/etc/ves-hv/ + - ./collector/:/etc/hv-ves/ depends_on: - config-binding-service - kafka @@ -99,21 +97,19 @@ services: ports: - "7060:6060" - "7061:6061/tcp" - command: ["--listen-port", "6061", - "--kafka-bootstrap-servers", "kafka:9092", - "--ssl-disable"] + command: ["--configuration-file", "/etc/hv-ves/configuration/insecure.json"] environment: - JAVA_OPTS: "-Dio.netty.leakDetection.level=paranoid" - CONSUL_HOST: "consul-server" - CONFIG_BINDING_SERVICE: "cbs" - HOSTNAME: "dcae-hv-ves-collector" + - JAVA_OPTS + - HOSTNAME=${HV_VES_HOSTNAME} + - CONSUL_HOST + - CONFIG_BINDING_SERVICE healthcheck: interval: 10s timeout: 5s retries: 2 test: ${HV_VES_HEALTHCHECK_CMD} volumes: - - ./ssl/:/etc/ves-hv/ + - ./collector/:/etc/hv-ves/ depends_on: - config-binding-service - kafka @@ -133,7 +129,5 @@ services: depends_on: - kafka networks: - ves-hv-default: - aliases: - - dcae-app-simulator + - ves-hv-default diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh b/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh index 587b2680..0925e3b6 100755 
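Review bot: The value-less entries `- CONSUL_HOST`, `- JAVA_OPTS` and `- CONFIG_BINDING_SERVICE` in docker-compose.yml (this hunk and the two collector hunks after it) are, as far as I know, resolved by Compose from the invoking shell first and from `.env` only as a fallback, so a `JAVA_OPTS` or `CONSUL_HOST` already exported on the CI host would silently replace the test values inside the containers. `HOSTNAME` is already protected by a prefixed name, `- HOSTNAME=${HV_VES_HOSTNAME}`; the same form would work here, for example `- JAVA_OPTS=${HV_VES_JAVA_OPTS}` with the matching key renamed in `.env`. The service definitions start and end outside these hunks.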
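Review bot: The new bind mount `- ./collector/:/etc/hv-ves/` in both collector services is read-write and exposes the whole collector directory, including collector/ssl where gen-certs.sh writes `ca.p12`, `untrustedca.p12` and the client stores, while secure.json only reads `server.p12` and `trust.p12`. The container has no visible need to write its configuration or to see the CA key stores, so I would mount it read-only, `- ./collector/:/etc/hv-ves/:ro`, and ideally mount `configuration/` and the two required stores separately.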
--- a/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh +++ b/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh @@ -29,9 +29,9 @@ export CONTAINERS_NETWORK=ves-hv-default echo "Creating network for containers: ${CONTAINERS_NETWORK}" docker network create ${CONTAINERS_NETWORK} -cd ssl +cd collector/ssl ./gen-certs.sh -cd .. +cd ../.. docker-compose up -d diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore b/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore deleted file mode 100644 index 0729569c..00000000 --- a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore +++ /dev/null @@ -1,6 +0,0 @@ -*.crt -*.key -*.srl -*.csr -*.pkcs12 -*.p12 diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl b/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl deleted file mode 100644 index a32d30dd..00000000 --- a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl +++ /dev/null 
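Review bot: In setup.sh the sequence `cd collector/ssl`, `./gen-certs.sh`, `cd ../..` leaves the script two directories above the test suite for `docker-compose up -d` if the first `cd` fails, unless `set -e` is active earlier in the file, which the hunk does not show. A subshell keeps the working directory intact and stops on failure: `(cd collector/ssl && ./gen-certs.sh) || exit 1`. The same three lines appear in the teardown.sh hunk, where no `set -e` is visible in the first eight lines and `(cd collector/ssl && ./gen-certs.sh clean)` would do.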
@@ -1,41 +0,0 @@ -FILE=sample -PASSWD=onaponap -CA_PASSWD=onaponap -SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO -CA=trust - -sign: $(FILE).crt - -clean: - rm -f *.crt *.key *.srl *.csr *.pkcs12 - -generate-ca-certificate: $(CA).crt - -generate-private-key: $(FILE).key - -create-public-key: $(FILE).pub - -create-sign-request: $(FILE).csr - -create-key-store: $(FILE).ks.pkcs12 - -create-trust-store: $(CA).crt - openssl pkcs12 -export -in $(CA).crt -CAfile $(CA).crt -out $(CA).pkcs12 -nokeys -noiter -nomaciter -passout pass:$(PASSWD) - -$(CA).crt: - openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)" - -$(FILE).key: - openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048 - -$(FILE).pub: $(FILE).key - openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt - -$(FILE).csr: $(FILE).key - openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)" - -$(FILE).crt: $(CA).crt $(FILE).csr - openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD) - -$(FILE).ks.pkcs12: $(FILE).key $(FILE).crt $(CA).crt - openssl pkcs12 -export -in $(FILE).crt -inkey $(FILE).key -CAfile $(CA).crt -out $(FILE).ks.pkcs12 -noiter -nomaciter -passout pass:$(PASSWD) diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md b/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md deleted file mode 100644 index c2819d24..00000000 --- a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md +++ /dev/null 
@@ -1,54 +0,0 @@ -# Generating SSL certificates - -## Java keytool way (recommended) - -To generate: - -```shell -./gen-certs.sh -``` - -To clean (remove generated files): - -```shell -./gen-certs.sh clean -``` - -## OpenSSL way (currently might not work) - -> Add `-f Makefile-openssl` to each command - -Typical usage: - -```shell -make FILE=client -make FILE=server -``` - -or (to generate PKCS12 key and trust stores): - -```shell -make create-key-store FILE=client -make create-key-store FILE=server -make create-trust-store -``` - -Will generate CA certificate and signed client and server certificates. - -More "low-level" usage: - -```shell -make generate-ca-certificate -make generate-private-key FILE=client -make sign FILE=client -``` - -# Connecting to a server - -First generate *client* and *server* certificates. Then start a server with it's cert and make ca.crt a trusted certification authority. - -After that you can: - -```shell -./connect.sh client localhost:8600 < file_with_a_data_to_be_sent.dat -``` diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh b/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh deleted file mode 100755 index 34572f7a..00000000 --- a/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/usr/bin/env bash - -set -eu -o pipefail -o xtrace - -STORE_PASS=onaponap -CN_PREFIX=dcaegen2-hvves -DNAME_PREFIX="C=PL,ST=DL,L=Wroclaw,O=Nokia,OU=MANO,CN=${CN_PREFIX}" - -store_opts="-storetype PKCS12 -storepass ${STORE_PASS} -noprompt" - -function gen_key() { - local key_name="$1" - local ca="$2" - local keystore="-keystore ${key_name}.p12 ${store_opts}" - keytool -genkey -alias ${key_name} \ - ${keystore} \ - -keyalg RSA \ - -validity 730 \ - -keysize 2048 \ - -dname "${DNAME_PREFIX}-${key_name}" - keytool -import -trustcacerts -alias ${ca} -file ${ca}.crt ${keystore} - - keytool -certreq -alias ${key_name} -keyalg RSA ${keystore} | \ - keytool -alias ${ca} -gencert -ext "san=dns:${CN_PREFIX}-${ca}" ${store_opts} -keystore ${ca}.p12 | \ - keytool -alias ${key_name} -importcert ${keystore} -} - - -function gen_ca() { - local ca="$1" - keytool -genkeypair ${store_opts} -alias ${ca} -dname "${DNAME_PREFIX}-${ca}" -keystore ${ca}.p12 - keytool -export -alias ${ca} -file ${ca}.crt ${store_opts} -keystore ${ca}.p12 -} - -function gen_truststore() { - local name="$1" - local trusted_ca="$2" - keytool -import -trustcacerts -alias ca -file ${trusted_ca}.crt ${store_opts} -keystore ${name}.p12 -} - -function clean() { - rm -f *.crt *.p12 -} - -if [[ $# -eq 0 ]]; then - gen_ca ca - gen_ca untrustedca - gen_truststore trust ca - gen_truststore untrustedtrust untrustedca - gen_key client ca - gen_key server ca - gen_key untrustedclient untrustedca -elif [[ $1 == "clean" ]]; then - clean -else - echo "usage: $0 [clean]" - exit 1 -fi - diff --git a/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh b/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh index fe922ed0..28f10334 100755 --- a/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh +++ b/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh 
@@ -1,8 +1,8 @@ #!/usr/bin/env bash -cd ssl +cd collector/ssl ./gen-certs.sh clean -cd .. +cd ../.. COMPOSE_LOGS_FILE=${WORKSPACE}/archives/containers_logs/docker-compose.log docker-compose logs > ${COMPOSE_LOGS_FILE} -- cgit 1.2.3-korg