From 39d73bc539d9f3e72e167a51a6fecf58e04265ac Mon Sep 17 00:00:00 2001
From: Michal Ptacek
Date: Mon, 15 Oct 2018 15:27:29 +0200
Subject: Core of ONAP offline installer

Seed code for ONAP offline installer. This includes core of the installer without downloading parts. Those will come in subsequent commits.

Change-Id: I0d5c8c3c8c911ae11a0e558d5df94b6889af4435
Signed-off-by: Michal Ptacek
Signed-off-by: Samuli Silvius
Issue-ID: INT-691
---
onap-offline/cfg/cacert.cnf | 113 +++++++++++++++++++++
onap-offline/cfg/full_depl_values.yaml | 160 ++++++++++++++++++++++++++++++
onap-offline/cfg/nexus_cert.cnf | 33 ++++++
onap-offline/cfg/nginx.conf | 110 ++++++++++++++++++++
onap-offline/cfg/reduced_depl_values.yaml | 159 +++++++++++++++++++++++++++++
onap-offline/cfg/v3.ext | 24 +++++
6 files changed, 599 insertions(+)
create mode 100644 onap-offline/cfg/cacert.cnf
create mode 100644 onap-offline/cfg/full_depl_values.yaml
create mode 100644 onap-offline/cfg/nexus_cert.cnf
create mode 100644 onap-offline/cfg/nginx.conf
create mode 100644 onap-offline/cfg/reduced_depl_values.yaml
create mode 100644 onap-offline/cfg/v3.ext
(limited to 'onap-offline/cfg')
diff --git a/onap-offline/cfg/cacert.cnf b/onap-offline/cfg/cacert.cnf
new file mode 100644
index 0000000..a6917ca
--- /dev/null
+++ b/onap-offline/cfg/cacert.cnf
@@ -0,0 +1,113 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ./
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3750
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+organizationName = match
+commonName = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+localityName = optional
+organizationName = optional
+commonName = supplied
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# Optionally, specify some defaults.
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = onap
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/onap-offline/cfg/full_depl_values.yaml b/onap-offline/cfg/full_depl_values.yaml
new file mode 100644
index 0000000..e50820a
--- /dev/null
+++ b/onap-offline/cfg/full_depl_values.yaml
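Review bot: `default_days = 3750` in `[ CA_default ]` gives every certificate this CA signs a roughly ten-year lifetime unless the signing step passes `-days`, which is long for the leaf certificate that fronts the nginx mirror and means a copied `private/ca.key.pem` or server key stays useful for a decade; `default_days = 365` is a safer committed default. `dir = ./` makes `database`, `serial` and `private_key` resolve against the current working directory, so a comment such as `# dir is relative: run openssl ca from the CA root directory` above it would save the next maintainer a confusing failure. Neither `[ server_cert ]` nor `[ usr_cert ]` sets `copy_extensions`, so subjectAltName values present in a CSR are not copied into the issued certificate; presumably the SAN list is meant to come from v3.ext instead, which the header comment should state so the two files are not used independently.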
@@ -0,0 +1,160 @@
+# Copyright © 2017 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration overrides.
+#
+# These overrides will affect all helm charts (ie. applications)
+# that are listed below and are 'enabled'.
+#################################################################
+global:
+ # Change to an unused port prefix range to prevent port conflicts
+ # with other instances running within the same k8s cluster
+ nodePortPrefix: 302
+
+ # ONAP Repository
+ # Uncomment the following to enable the use of a single docker
+ # repository but ONLY if your repository mirrors all ONAP
+ # docker images. This includes all images from dockerhub and
+ # any other repository that hosts images for ONAP components.
+ #repository: nexus3.onap.org:10001
+ repositoryCred:
+ user: docker
+ password: docker
+
+ # readiness check - temporary repo until images migrated to nexus3
+ readinessRepository: oomk8s
+ # logging agent - temporary repo until images migrated to nexus3
+ loggingRepository: docker.elastic.co
+
+ # image pull policy
+ #pullPolicy: Always
+ pullPolicy: IfNotPresent
+
+ # default mount path root directory referenced
+ # by persistent volumes and log files
+ persistence:
+ mountPath: /dockerdata-nfs
+
+ # flag to enable debugging - application support required
+ debugEnabled: false
+
+# Repository for creation of nexus3.onap.org secret
+repository: nexus3.onap.org:10001
+
+
+#################################################################
+# Enable/disable and configure helm charts (ie. applications)
+# to customize the ONAP deployment.
+#################################################################
+aaf:
+ enabled: true
+aai:
+ enabled: true
+aaiadapter:
+ enabled: false
+appc:
+ enabled: true
+ config:
+ openStackType: OpenStackProvider
+ openStackName: OpenStack
+ openStackKeyStoneUrl: FILL-ME
+ openStackServiceTenantName: FILL-ME
+ openStackDomain: FILL-ME
+ openStackUserName: FILL-ME
+ openStackEncryptedPassword: FILL-ME
+clamp:
+ enabled: true
+cli:
+ enabled: true
+consul:
+ enabled: true
+dcaegen2:
+ enabled: true
+dmaap:
+ enabled: true
+esr:
+ enabled: true
+log:
+ enabled: true
+sniro-emulator:
+ enabled: true
+oof:
+ enabled: true
+msb:
+ enabled: true
+multicloud:
+ enabled: true
+nbi:
+ enabled: true
+ config:
+ # openstack configuration
+ openStackUserName: "FILL-ME"
+ openStackRegion: "FILL-ME"
+ openStackKeyStoneUrl: "FILL-ME"
+ openStackServiceTenantName: "FILL-ME"
+ openStackEncryptedPasswordHere: "FILL-ME"
+policy:
+ enabled: true
+portal:
+ enabled: true
+robot:
+ enabled: true
+sdc:
+ enabled: true
+sdnc:
+ enabled: true
+
+ replicaCount: 1
+
+ config:
+ enableClustering: false
+
+ mysql:
+ disableNfsProvisioner: true
+ replicaCount: 1
+so:
+ enabled: true
+
+ replicaCount: 1
+
+ liveness:
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+ # so server configuration
+ config:
+ # message router configuration
+ dmaapTopic: "AUTO"
+ # openstack configuration
+ openStackUserName: "FILL-ME"
+ openStackRegion: "FILL-ME"
+ openStackKeyStoneUrl: "FILL-ME"
+ openStackServiceTenantName: "FILL-ME"
+ openStackEncryptedPasswordHere: "FILL-ME"
+
+ # configure embedded mariadb
+ mariadb:
+ config:
+ mariadbRootPassword: password
+uui:
+ enabled: true
+vfc:
+ enabled: true
+vid:
+ enabled: true
+vnfsdk:
+ enabled: true
+
diff --git a/onap-offline/cfg/nexus_cert.cnf b/onap-offline/cfg/nexus_cert.cnf
new file mode 100644
index 0000000..ab8d547
--- /dev/null
+++ b/onap-offline/cfg/nexus_cert.cnf
@@ -0,0 +1,33 @@
+[ req ]
+default_bits = 4096
+default_keyfile = server-key.pem
+distinguished_name = dn
+#req_extensions = v3_req
+x509_extensions = v3_req
+string_mask = utf8only
+prompt = no
+default_md = sha256
+
+[ dn ]
+
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = registry-1.docker.io
+#emailAddress
+
+[ v3_req ]
+
+#subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid,issuer
+
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+# does not work here because of bug in openssl
+#subjectAltName = @alternate_names
+nsComment = "OpenSSL Generated Certificate"
+
+#[ alternate_names ]
+
+#DNS.4 = ftp.example.com
diff --git a/onap-offline/cfg/nginx.conf b/onap-offline/cfg/nginx.conf
new file mode 100644
index 0000000..6656855
--- /dev/null
+++ b/onap-offline/cfg/nginx.conf
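Review bot: `repositoryCred` with `user: docker` / `password: docker` and `mariadb.config.mariadbRootPassword: password` ship literal default credentials in a committed values file, and the same lines appear unchanged in reduced_depl_values.yaml; per the `# Repository for creation of nexus3.onap.org secret` comment these presumably become the pull secret and the SO database root password of whatever this installer deploys. They look like upstream OOM defaults carried over with the copyright header, but here they are the values actually applied, so each should at least carry `# Override at deploy time (helm --set or a private values file); do not deploy this default` above `repositoryCred:` and above `mariadb:`. The `FILL-ME` placeholders for the OpenStack settings deserve the same note, since a deployment that forgets them fails late rather than at install time.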
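Review bot: `subjectAltName` is commented out under `[ v3_req ]`, so a certificate produced from this file alone identifies the server only through `commonName = registry-1.docker.io`; current Go releases (Docker's TLS stack) and browsers no longer fall back to the CN, so such a certificate is rejected for every host nginx.conf serves. The `# does not work here because of bug in openssl` comment should say what actually failed and that the SAN list is instead supplied from v3.ext, since a reader has no other way to know the two files belong together. `#req_extensions = v3_req` is left commented while `x509_extensions = v3_req` is set, which is right only for the self-signed `-x509` path; if this file is ever used to build a CSR for signing under cacert.cnf's `[ server_cert ]`, the `[ v3_req ]` extensions are silently dropped, which a one-line comment next to the two directives would make explicit.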
@@ -0,0 +1,110 @@
+worker_processes 2;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ error_log /var/log/nginx/error.log debug;
+ access_log /var/log/nginx/access.log;
+
+ proxy_intercept_errors on;
+ proxy_send_timeout 120;
+ proxy_read_timeout 300;
+
+ upstream nexus {
+ server nexus:8081;
+ }
+
+ upstream registry {
+ server nexus:8082;
+ }
+
+# http simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name _;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+
+ location / {
+ root /srv/http/$host;
+ index index.html;
+ }
+ }
+
+# nexus simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name nexus.student12 gcr.io registry-1.docker.io docker.io registry.npmjs.org nexus3.onap.org docker.elastic.co registry.hub.docker.com repo.maven.apache.org repo1.maven.org;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ # allow large uploads
+ client_max_body_size 3G;
+
+ location /maven2 {
+ rewrite /maven2/(.*) /repository/maven2/$1 break;
+ # redirect to docker registry
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ # redirect to docker registry
+ if ($http_user_agent ~ docker ) {
+ proxy_pass http://registry;
+ }
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+
+# git simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name gerrit.onap.org git.rancher.io github.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ location / {
+ try_files $uri $uri/ @git;
+ }
+
+ location @git {
+
+ # Set chunks to unlimited, as the body's can be huge
+ client_max_body_size 0;
+
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param PATH_INFO $uri;
+
+ include fastcgi_params;
+
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /srv/git/$host/;
+
+ # Forward REMOTE_USER as we want to know when we are authenticated
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+ }
+}
diff --git a/onap-offline/cfg/reduced_depl_values.yaml b/onap-offline/cfg/reduced_depl_values.yaml
new file mode 100644
index 0000000..bfa5fd6
--- /dev/null
+++ b/onap-offline/cfg/reduced_depl_values.yaml
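Review bot: `error_log /var/log/nginx/error.log debug;` at the top of `http {}` turns on nginx's most verbose level for all three simulated servers, which writes the proxied request and response headers (including whatever `Authorization` header docker or maven sends toward the nexus upstream) into the log and fills the disk fast on a registry mirror; `warn` is the sensible committed default, with `debug` switched on locally while diagnosing. None of the three `server {}` blocks sets `ssl_protocols` or `ssl_ciphers`, so they take the build defaults, which for nginx of this period still admit TLSv1 and TLSv1.1; one `ssl_protocols TLSv1.2;` at `http` level covers all three. In the nexus server's `location /`, the `if ($http_user_agent ~ docker )` block carrying its own `proxy_pass` only keeps the `Host`/`X-Real-IP`/`X-Forwarded-For` headers because they are inherited from the directives written after it, which works but is exactly the case the nginx "if is evil" page warns about; a comment `# proxy_set_header lines below are inherited into the if block` would stop the next editor from breaking it. The `fastcgi_param GIT_HTTP_EXPORT_ALL ""` in `@git` exports every repository under `/srv/git/$host/` regardless of `git-daemon-export-ok`, which is fine for a mirror but deserves a comment saying so.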
@@ -0,0 +1,159 @@
+# Copyright © 2017 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration overrides.
+#
+# These overrides will affect all helm charts (ie. applications)
+# that are listed below and are 'enabled'.
+#################################################################
+global:
+ # Change to an unused port prefix range to prevent port conflicts
+ # with other instances running within the same k8s cluster
+ nodePortPrefix: 302
+
+ # ONAP Repository
+ # Uncomment the following to enable the use of a single docker
+ # repository but ONLY if your repository mirrors all ONAP
+ # docker images. This includes all images from dockerhub and
+ # any other repository that hosts images for ONAP components.
+ #repository: nexus3.onap.org:10001
+ repositoryCred:
+ user: docker
+ password: docker
+
+ # readiness check - temporary repo until images migrated to nexus3
+ readinessRepository: oomk8s
+ # logging agent - temporary repo until images migrated to nexus3
+ loggingRepository: docker.elastic.co
+
+ # image pull policy
+ #pullPolicy: Always
+ pullPolicy: IfNotPresent
+
+ # default mount path root directory referenced
+ # by persistent volumes and log files
+ persistence:
+ mountPath: /dockerdata-nfs
+
+ # flag to enable debugging - application support required
+ debugEnabled: false
+
+# Repository for creation of nexus3.onap.org secret
+repository: nexus3.onap.org:10001
+
+
+#################################################################
+# Enable/disable and configure helm charts (ie. applications)
+# to customize the ONAP deployment.
+#################################################################
+aaf:
+ enabled: false
+aai:
+ enabled: false
+aaiadapter:
+ enabled: true
+appc:
+ enabled: true
+ config:
+ openStackType: OpenStackProvider
+ openStackName: OpenStack
+ openStackKeyStoneUrl: FILL-ME
+ openStackServiceTenantName: FILL-ME
+ openStackDomain: FILL-ME
+ openStackUserName: FILL-ME
+ openStackEncryptedPassword: FILL-ME
+clamp:
+ enabled: false
+cli:
+ enabled: false
+consul:
+ enabled: true
+dcaegen2:
+ enabled: true
+dmaap:
+ enabled: true
+esr:
+ enabled: false
+log:
+ enabled: true
+sniro-emulator:
+ enabled: false
+oof:
+ enabled: false
+msb:
+ enabled: true
+multicloud:
+ enabled: false
+nbi:
+ enabled: false
+ config:
+ # openstack configuration
+ openStackUserName: "FILL-ME"
+ openStackRegion: "FILL-ME"
+ openStackKeyStoneUrl: "FILL-ME"
+ openStackServiceTenantName: "FILL-ME"
+ openStackEncryptedPasswordHere: "FILL-ME"
+policy:
+ enabled: true
+portal:
+ enabled: false
+robot:
+ enabled: true
+sdc:
+ enabled: true
+sdnc:
+ enabled: false
+
+ replicaCount: 1
+
+ config:
+ enableClustering: false
+
+ mysql:
+ disableNfsProvisioner: true
+ replicaCount: 1
+so:
+ enabled: false
+
+ replicaCount: 1
+
+ liveness:
+ # necessary to disable liveness probe when setting breakpoints
+ # in debugger so K8s doesn't restart unresponsive container
+ enabled: true
+
+ # so server configuration
+ config:
+ # message router configuration
+ dmaapTopic: "AUTO"
+ # openstack configuration
+ openStackUserName: "FILL-ME"
+ openStackRegion: "FILL-ME"
+ openStackKeyStoneUrl: "FILL-ME"
+ openStackServiceTenantName: "FILL-ME"
+ openStackEncryptedPasswordHere: "FILL-ME"
+
+ # configure embedded mariadb
+ mariadb:
+ config:
+ mariadbRootPassword: password
+uui:
+ enabled: false
+vfc:
+ enabled: false
+vid:
+ enabled: false
+vnfsdk:
+ enabled: false
diff --git a/onap-offline/cfg/v3.ext b/onap-offline/cfg/v3.ext
new file mode 100644
index 0000000..b4a6e43
--- /dev/null
+++ b/onap-offline/cfg/v3.ext
@@ -0,0 +1,24 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = nexus.student12
+DNS.2 = gcr.io
+DNS.3 = git.rancher.io
+DNS.4 = gerrit.onap.org
+DNS.5 = registry-1.docker.io
+DNS.6 = docker.io
+DNS.7 = registry.npmjs.org
+DNS.8 = nexus3.onap.org
+DNS.9 = nexus.onap.org
+DNS.10 = docker.elastic.co
+DNS.11 = www.getcloudify.org
+DNS.12 = registry.hub.docker.com
+DNS.13 = github.com
+DNS.14 = repo.maven.apache.org
+DNS.15 = www.springframework.org
+DNS.16 = repo1.maven.org
+DNS.17 = git.onap.org
+
-- cgit 1.2.3-korg
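Review bot: `aaiadapter: enabled: true` is the only component switched on in this reduced profile that full_depl_values.yaml keeps off, while its sibling `aai` is disabled here; I cannot tell from this file whether aaiadapter can run without aai, so if the inversion is deliberate a comment on the `aaiadapter:` line saying why would help, and if not it looks like a copy-edit slip that should be `enabled: false`. The `sdnc:` and `so:` sections keep their full `config:` and `mariadb:` sub-trees even though both are `enabled: false`; a comment such as `# retained so the block can be re-enabled without re-merging from full_depl_values.yaml` would make that intent explicit. The credential defaults in this file are covered by the note on full_depl_values.yaml.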
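Review bot: The `[alt_names]` list is the only place the full set of impersonated hosts is written out, and it already diverges from the `server_name` lists in nginx.conf (nexus.onap.org, www.getcloudify.org, www.springframework.org and git.onap.org appear only here), so the two will keep drifting; the file needs a header comment, e.g. `# SAN list for the nexus_server certificate; keep in sync with server_name in nginx.conf and commonName in nexus_cert.cnf`. `keyUsage` here carries no `critical` flag and there is no `extendedKeyUsage = serverAuth`, unlike `[ v3_req ]` in nexus_cert.cnf, so whichever file is applied last decides what the issued certificate contains; presumably this one wins because it is passed as `-extfile` during signing, and the header comment should say so rather than leave it to be discovered.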