From a90de0bd08de449a3b988efbdcb66a66973d1e0f Mon Sep 17 00:00:00 2001 From: Krzysztof Kuzmicki Date: Mon, 24 Jan 2022 08:52:51 +0100 Subject: Add cert manager support to netconf simulator Issue-ID: INT-2051 Signed-off-by: Krzysztof Kuzmicki Change-Id: Iebae4cdce78744492a5a7fb53ddcd1db7fd2585d --- helm/netconf/resources/set-up-netopeer.sh | 65 ++++++++++++++++++++++++++++ helm/netconf/templates/_helpers.tpl | 41 ++++++++++++++++++ helm/netconf/templates/certificate.yaml | 70 +++++++++++++++++++++++++++++++ helm/netconf/templates/configmap.yaml | 25 +++++++++++ helm/netconf/templates/deployment.yaml | 54 ++++++++++++++++++++++++ helm/netconf/templates/secret.yaml | 34 +++++++++++++++ helm/netconf/templates/service.yaml | 15 +++++++ helm/netconf/values.yaml | 68 ++++++++++++++++++++++++++++-- helm/ves-client/values_cmpv2.yaml | 3 +- 9 files changed, 371 insertions(+), 4 deletions(-) create mode 100644 helm/netconf/resources/set-up-netopeer.sh create mode 100644 helm/netconf/templates/certificate.yaml create mode 100644 helm/netconf/templates/configmap.yaml create mode 100644 helm/netconf/templates/secret.yaml diff --git a/helm/netconf/resources/set-up-netopeer.sh b/helm/netconf/resources/set-up-netopeer.sh new file mode 100644 index 0000000..20a52c3 --- /dev/null +++ b/helm/netconf/resources/set-up-netopeer.sh @@ -0,0 +1,65 @@ +#!/bin/bash +### +# ============LICENSE_START======================================================= +# Netconf Server +# ================================================================================ +# Copyright (C) 2022 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +### + +echo "[INFO] Starting NETCONF Server app configuration ..." + + if [ "$#" -gt 1 ]; then + + ## Set up variable + cert_service_cert_dir=/tmp/certs + SCRIPTS_DIR=$PWD/"$(dirname $0)" + enable_tls=${ENABLE_TLS:-false} + kafka_host_name=${KAFKA_HOST_NAME:-"localhost"} + kafka_port=${KAFKA_PORT:-9092} + kafka_topic=${KAFKA_TOPIC=-"config:1:1"} + models_config_path=$1 + models_configuration_file_name=${MODELS_CONFIGURATION_FILE_NAME:-models-configuration.ini} + + ## Install all modules from given directory + $SCRIPTS_DIR/install-all-module-from-directory.sh $1 + + ## If TLS is enabled start initializing certificates + if [[ "$enable_tls" == "true" ]]; then + if [ "$#" -ge 2 ]; then + echo "[INFO] Initializing TLS" + if [ -d "$cert_service_cert_dir" ]; then + echo "[INFO] Preparing certificates when certificates are from onap cert manager" + cp -rL /tmp/certs/* /resources/certs/ + openssl x509 -pubkey -noout -in /resources/certs/server.crt > /resources/certs/server_pub.key + fi + $SCRIPTS_DIR/install-tls-with-custom-certificates.sh $SCRIPTS_DIR/tls $2 + else + echo "[ERROR] Missing second argument: path to file with certificates for TLS." + fi + fi + + echo "[INFO] NETCONF Server configuration finished." + + ## Run netconf server application + $SCRIPTS_DIR/run-netconf-server-application.sh $models_config_path $models_configuration_file_name $kafka_host_name $kafka_port $kafka_topic + + ## Run sysrepo supervisor + echo "[INFO] Starting Netopeer Server ..." + /usr/bin/supervisord -c /etc/supervisord.conf + + else + echo "[ERROR] Unable to configure application. Provide all required arguments." + fi diff --git a/helm/netconf/templates/_helpers.tpl b/helm/netconf/templates/_helpers.tpl index 1b0ef5c..2b620b9 100644 --- a/helm/netconf/templates/_helpers.tpl +++ b/helm/netconf/templates/_helpers.tpl @@ -1,3 +1,19 @@ +{{/* +# Copyright © 2022 Nokia. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. @@ -51,3 +67,28 @@ app.kubernetes.io/name: {{ include "netconf-server.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} +{{/* +Define dns names in certificate +*/}} +{{- define "netconf.serverCertificates.dnsNames" -}} +{{- range $dnsName := $.Values.serverCertificates.dnsNames }} +- {{ $dnsName }} +{{- end }} +{{- end }} + +{{/* +Define dns names in certificate +*/}} +{{- define "netconf.clientCertificates.dnsNames" -}} +{{- range $dnsName := $.Values.clientCertificates.dnsNames }} +- {{ $dnsName }} +{{- end }} +{{- end }} + +{{/* +Common namespace +*/}} +{{- define "netconf.namespace" -}} + {{- default .Release.Namespace .Values.nsPrefix -}} +{{- end -}} + diff --git a/helm/netconf/templates/certificate.yaml b/helm/netconf/templates/certificate.yaml new file mode 100644 index 0000000..00c147b --- /dev/null +++ b/helm/netconf/templates/certificate.yaml @@ -0,0 +1,70 @@ +# Copyright © 2022 Nokia. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.config.certService.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + namespace: {{ include "netconf.namespace" . }} + name: '{{ .Values.clientCertificates.name }}-cert' +spec: + commonName: {{ .Values.clientCertificates.commonName }} + secretName: '{{ .Values.clientCertificates.name }}-secret' + renewBefore: {{ .Values.clientCertificates.renewBefore }} + duration: {{ .Values.clientCertificates.duration }} + subject: + organizations: + - {{ .Values.clientCertificates.subject.organization }} + countries: + - {{ .Values.clientCertificates.subject.country }} + localities: + - {{ .Values.clientCertificates.subject.locality }} + provinces: + - {{ .Values.clientCertificates.subject.province }} + organizationalUnits: + - {{ .Values.clientCertificates.subject.organizationalUnit }} + issuerRef: + group: {{ .Values.clientCertificates.issuerRef.group }} + kind: {{ .Values.clientCertificates.issuerRef.kind }} + name: {{ .Values.clientCertificates.issuerRef.name }} + dnsNames: {{ include "netconf.clientCertificates.dnsNames" . | indent 4 }} + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + namespace: {{ include "netconf.namespace" . }} + name: '{{ .Values.serverCertificates.name }}-cert' +spec: + commonName: {{ .Values.serverCertificates.commonName }} + secretName: '{{ .Values.serverCertificates.name }}-secret' + renewBefore: {{ .Values.serverCertificates.renewBefore }} + duration: {{ .Values.serverCertificates.duration }} + subject: + organizations: + - {{ .Values.serverCertificates.subject.organization }} + countries: + - {{ .Values.serverCertificates.subject.country }} + localities: + - {{ .Values.serverCertificates.subject.locality }} + provinces: + - {{ .Values.serverCertificates.subject.province }} + organizationalUnits: + - {{ .Values.serverCertificates.subject.organizationalUnit }} + issuerRef: + group: {{ .Values.serverCertificates.issuerRef.group }} + kind: {{ .Values.serverCertificates.issuerRef.kind }} + name: {{ .Values.serverCertificates.issuerRef.name }} + dnsNames: {{ include "netconf.serverCertificates.dnsNames" . | indent 4 }} +{{- end }} diff --git a/helm/netconf/templates/configmap.yaml b/helm/netconf/templates/configmap.yaml new file mode 100644 index 0000000..900f43a --- /dev/null +++ b/helm/netconf/templates/configmap.yaml @@ -0,0 +1,25 @@ +# Copyright © 2022 Nokia. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.config.certService.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "netconf-server.fullname" . }}-prep-certs + namespace: {{ include "netconf.namespace" . }} + labels: + {{- include "netconf-server.labels" . | nindent 4 }} +data: + {{ tpl (.Files.Glob "resources/set-up-netopeer.sh").AsConfig . | indent 2 }} +{{- end }} \ No newline at end of file diff --git a/helm/netconf/templates/deployment.yaml b/helm/netconf/templates/deployment.yaml index 4a4663a..0b1af99 100644 --- a/helm/netconf/templates/deployment.yaml +++ b/helm/netconf/templates/deployment.yaml @@ -1,7 +1,22 @@ +# Copyright © 2022 Nokia. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "netconf-server.fullname" . }} + namespace: {{ include "netconf.namespace" . }} labels: {{- include "netconf-server.labels" . | nindent 4 }} spec: @@ -28,6 +43,8 @@ spec: - env: - name: KAFKA_HOST_NAME value: {{ .Values.config.kafka_hostname | quote }} + - name: ENABLE_TLS + value: {{ .Values.config.tls.enabled | quote }} name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} @@ -41,6 +58,14 @@ spec: httpGet: path: /readiness port: {{ .Values.service.port }} + {{- if .Values.config.certService.enabled }} + volumeMounts: + - name: certstore + mountPath: {{ .Values.certsDir }} + - name: prep-certs + mountPath: /scripts/set-up-netopeer.sh + subPath: set-up-netopeer.sh + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -53,4 +78,33 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.config.certService.enabled }} + volumes: + - name: certstore + projected: + sources: + - secret: + name: '{{.Values.clientCertificates.name}}-secret' + items: + - key: tls.key + path: client.key + - key: tls.crt + path: client.crt + - key: ca.crt + path: ca.crt + - secret: + name: '{{.Values.serverCertificates.name}}-secret' + items: + - key: tls.key + path: server.key + - key: tls.crt + path: server.crt + - name: prep-certs + configMap: + name: {{ include "netconf-server.fullname" . }}-prep-certs + defaultMode: 0777 + {{- end }} + + + diff --git a/helm/netconf/templates/secret.yaml b/helm/netconf/templates/secret.yaml new file mode 100644 index 0000000..a9e21e2 --- /dev/null +++ b/helm/netconf/templates/secret.yaml @@ -0,0 +1,34 @@ +# Copyright © 2022 Nokia. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.config.certService.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: '{{ .Values.clientCertificates.name }}-secret' + namespace: {{ include "netconf.namespace" . }} +data: + p12.pass: MjNlOTE3NzVjOTE4ZTRmNjY4ZTFhYzgyZDY5ZjExYWU0ZWU0ZGM2MTM3YzUwMzZkZjE3MmEyODJhYTA5 +type: Opaque + +--- +apiVersion: v1 +kind: Secret +metadata: + name: '{{ .Values.serverCertificates.name }}-secret' + namespace: {{ include "netconf.namespace" . }} +data: + p12.pass: MjNlOTE3NzVjOTE4ZTRmNjY4ZTFhYzgyZDY5ZjExYWU0ZWU0ZGM2MTM3YzUwMzZkZjE3MmEyODJhYTA5 +type: Opaque +{{- end }} diff --git a/helm/netconf/templates/service.yaml b/helm/netconf/templates/service.yaml index e359b81..81688fc 100644 --- a/helm/netconf/templates/service.yaml +++ b/helm/netconf/templates/service.yaml @@ -1,7 +1,22 @@ +# Copyright © 2022 Nokia. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v1 kind: Service metadata: name: {{ include "netconf-server.fullname" . }} + namespace: {{ include "netconf.namespace" . }} labels: {{- include "netconf-server.labels" . | nindent 4 }} spec: diff --git a/helm/netconf/values.yaml b/helm/netconf/values.yaml index 3feebe1..9bd8862 100644 --- a/helm/netconf/values.yaml +++ b/helm/netconf/values.yaml @@ -1,6 +1,16 @@ -# Default values for ves-client. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +# Copyright © 2022 Nokia. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. replicaCount: 1 @@ -47,9 +57,61 @@ kafka: config: kafka_hostname: "nf-simulator-kafka" + tls: + enabled: true + certService: + enabled: true nodeSelector: {} tolerations: [] affinity: {} + +certsDir: "/tmp/certs" + +serverCertificates: + name: netconfserver + dnsNames: + - netconfserver + renewBefore: 720h #30 days + duration: 8760h #365 days + commonName: netconfserver + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + # issuer: + # group: certmanager.onap.org + # kind: CMPv2Issuer + # name: cmpv2-issuer-onap + issuerRef: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap + # ipAddresses: "127.0.0.1" + +clientCertificates: + name: netconfclient + dnsNames: + - netconfclient + renewBefore: 720h #30 days + duration: 8760h #365 days + commonName: netconfclient + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + # issuer: + # group: certmanager.onap.org + # kind: CMPv2Issuer + # name: cmpv2-issuer-onap + issuerRef: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap + # ipAddresses: "127.0.0.1" diff --git a/helm/ves-client/values_cmpv2.yaml b/helm/ves-client/values_cmpv2.yaml index 5a8a60d..dc401be 100644 --- a/helm/ves-client/values_cmpv2.yaml +++ b/helm/ves-client/values_cmpv2.yaml @@ -14,11 +14,12 @@ mongodb: certInitializer: nameOverride: vesclient-cert-initializer-cmpv2 - + certificates: name: ves-client-cert-cmpv2 secretName: ves-client-secret-cmpv2 + commonName: dcae-ves-collector keystores: jks: create: true -- cgit 1.2.3-korg