summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJack Lucas <jflucas@research.att.com>2019-05-31 08:35:34 -0400
committerJack Lucas <jflucas@research.att.com>2019-06-27 15:41:04 +0000
commitc5f685fd58b54f2a6fb21d33cc427f487db6be2b (patch)
treecd8873fb75399fa41802d9987921ea5f2ff5f2fa
parent3befe3f9fe76963beb76b360dac9ea8743616a72 (diff)
Add TLS server support for CM and CBS
Issue-ID: DCAEGEN2-909 Issue-ID: DCAEGEN2-904 Issue-ID: DCAEGEN2-1513 Issue-ID: DCAEGEN2-1550 Issue-ID: DCAEGEN2-1550 Change-Id: Ia59284e3ed786dcecd397482ca04b6b06c7e610d Signed-off-by: Jack Lucas <jflucas@research.att.com>
-rw-r--r--kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml2
-rw-r--r--kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml24
-rw-r--r--kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml7
-rw-r--r--kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml26
-rw-r--r--kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml6
-rw-r--r--kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml86
-rw-r--r--kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml31
-rw-r--r--kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml19
-rw-r--r--kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json2
-rw-r--r--kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml4
-rw-r--r--kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml2
-rw-r--r--kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml2
12 files changed, 183 insertions, 28 deletions
diff --git a/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml b/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml
index e40a03068c..2718e1882f 100644
--- a/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml
@@ -24,7 +24,7 @@ external_tls_port: {{ .Values.config.address.dashboard.portSecure }}
database_cluster_name: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}
database_cluster_fqdn: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}.{{ .Values.postgres.suffix }}
database_name: "dashboard_pg"
-cloudify_ip: {{ .Values.config.address.cm }}
+cloudify_ip: {{ .Values.config.address.cm.host }}
cloudify_user: "admin"
cloudify_password: "admin"
consul_url: {{ .Values.config.address.consul_ui }}
diff --git a/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml
index 0463655c79..be5a769a37 100644
--- a/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml
@@ -61,6 +61,19 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ - name: init-tls
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {}
+ volumeMounts:
+ - mountPath: /opt/tls/shared
+ name: tls-info
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -75,14 +88,21 @@ spec:
- mountPath: /etc/localtime
name: localtime
readOnly: true
+ - mountPath: /certs
+ name: tls-info
+ readOnly: true
env:
- name: CMADDR
- value: {{ .Values.config.address.cm }}
+ value: {{ .Values.config.address.cm.host }}
- name: CMPASS
valueFrom:
secretKeyRef:
name: {{ include "common.name" . }}-cmpass
key: password
+ - name: CMPROTO
+ value: {{ .Values.config.address.cm.proto }}
+ - name: CMPORT
+ value: !!string {{ .Values.config.address.cm.port }}
- name: CONSUL
value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}
- name: DCAE_NAMESPACE
@@ -99,5 +119,7 @@ spec:
- name: localtime
hostPath:
path: /etc/localtime
+ - name: tls-info
+ emptyDir: {}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml
index aec082fe15..882cf371e7 100644
--- a/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml
@@ -38,7 +38,10 @@ config:
host: consul-server
port: 8500
consul_ui: consul-server-ui
- cm: dcae-cloudify-manager
+ cm:
+ host: dcae-cloudify-manager
+ port: 443
+ proto: https
dashboard:
port: 30418
portSecure: 30419
@@ -90,7 +93,7 @@ postgres:
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.4.18
+image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.6.0-STAGING-latest
default_k8s_location: central
# DCAE component images to be deployed via Cloudify Manager
diff --git a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
index d6c58cd75f..b3e90a2efb 100644
--- a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
@@ -34,6 +34,12 @@ spec:
app: {{ include "common.name" . }}
release: {{ .Release.Name }}
spec:
+ # host alias allows local 'cfy' command to use https and match
+ # the host name in the certificate
+ hostAliases:
+ - ip: "127.0.0.1"
+ hostnames:
+ - "dcae-cloudify-manager"
initContainers:
- name: {{ include "common.name" . }}-multisite-init
image: {{ include "common.repository" . }}/{{ .Values.multisiteInitImage }}
@@ -44,10 +50,26 @@ spec:
- --configmap
- {{ .Values.multisiteConfigMapName }}
restartPolicy: Never
+ - name: init-tls
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {}
+ volumeMounts:
+ - mountPath: /opt/tls/shared
+ name: tls-info
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ env:
+ - name: REQUESTS_CA_BUNDLE
+ value: "/opt/onap/certs/cacert.pem"
resources:
{{ include "common.resources" . | indent 12 }}
ports:
@@ -86,6 +108,8 @@ spec:
readOnly: true
- mountPath: /cfy-persist
name: cm-persistent
+ - mountPath: /opt/onap/certs
+ name: tls-info
securityContext:
privileged: True
volumes:
@@ -107,5 +131,7 @@ spec:
- name: cm-persistent
persistentVolumeClaim:
claimName: {{ include "common.fullname" . }}-data
+ - emptyDir: {}
+ name: tls-info
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml
index 41f0750c78..b015143a1a 100644
--- a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml
@@ -44,7 +44,7 @@ config:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.deployments.cm-container:1.6.2
+image: onap/org.onap.dcaegen2.deployments.cm-container:2.0.0-STAGING-latest
pullPolicy: Always
# name of shared ConfigMap with kubeconfig for multiple clusters
@@ -69,8 +69,8 @@ readiness:
service:
type: ClusterIP
name: dcae-cloudify-manager
- externalPort: 80
- internalPort: 80
+ externalPort: 443
+ internalPort: 443
# Resource Limit flavor -By Default using small
flavor: small
diff --git a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml
index a968204575..19fe038d44 100644
--- a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml
@@ -50,36 +50,60 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{- if .Values.service.secure.enabled }}
+ - name: init-tls
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources: {}
+ volumeMounts:
+ - mountPath: /opt/tls/shared
+ name: tls-info
+ {{ end }}
containers:
+ {{- if .Values.service.secure.enabled }}
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
resources:
{{ include "common.resources" . | indent 12 }}
ports:
- - containerPort: {{ .Values.service.internalPort }}
+ - containerPort: {{ .Values.service.secure.internalPort }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{- if eq .Values.liveness.enabled true }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort }}
+ port: {{ .Values.service.secure.internalPort }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end -}}
readinessProbe:
httpGet:
+ scheme: "HTTPS"
path: {{ .Values.readiness.path }}
- port: {{ .Values.service.internalPort }}
+ port: {{ .Values.service.secure.internalPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
- name: {{ include "common.fullname" . }}-logs
mountPath: /opt/logs
+ - name: tls-info
+ mountPath: /opt/tls
env:
- name: CONSUL_HOST
value: consul.{{ include "common.namespace" . }}
-
+ - name: USE_HTTPS
+ value: "1"
+ - name: HTTPS_CERT_PATH
+ value: "/opt/tls/cert.pem"
+ - name: HTTPS_KEY_PATH
+ value: "/opt/tls/key.pem"
- name: {{ include "common.name" . }}-filebeat-onap
image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -91,13 +115,67 @@ spec:
mountPath: /usr/share/filebeat/data
- name: {{ include "common.fullname" . }}-logs
mountPath: /var/log/onap
+ {{ end }}
+ {{- if .Values.service.insecure.enabled }}
+ - name: {{ include "common.name" . }}-insecure
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ resources:
+{{ include "common.resources" . | indent 12 }}
+ ports:
+ - containerPort: {{ .Values.service.insecure.internalPort }}
+ # disable liveness probe when breakpoints set in debugger
+ # so K8s doesn't restart unresponsive container
+ {{- if eq .Values.liveness.enabled true }}
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.service.insecure.internalPort }}
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ {{ end -}}
+ readinessProbe:
+ httpGet:
+ scheme: "HTTP"
+ path: {{ .Values.readiness.path }}
+ port: {{ .Values.service.insecure.internalPort }}
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-logs-insecure
+ mountPath: /opt/logs
+ env:
+ - name: CONSUL_HOST
+ value: consul.{{ include "common.namespace" . }}
+ - name: {{ include "common.name" . }}-filebeat-onap-insecure
+ image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-filebeat-conf
+ mountPath: /usr/share/filebeat/filebeat.yml
+ subPath: filebeat.yml
+ - name: {{ include "common.fullname" . }}-data-filebeat-insecure
+ mountPath: /usr/share/filebeat/data
+ - name: {{ include "common.fullname" . }}-logs-insecure
+ mountPath: /var/log/onap
+ {{ end }}
volumes:
- name: {{ include "common.fullname" . }}-filebeat-conf
configMap:
name: {{ .Release.Name }}-cbs-filebeat-configmap
+ {{- if .Values.service.secure.enabled }}
- name: {{ include "common.fullname" . }}-data-filebeat
emptyDir: {}
- name: {{ include "common.fullname" . }}-logs
emptyDir: {}
+ - name: tls-info
+ emptyDir: {}
+ {{ end }}
+ {{- if .Values.service.insecure.enabled }}
+ - name: {{ include "common.fullname" . }}-data-filebeat-insecure
+ emptyDir: {}
+ - name: {{ include "common.fullname" . }}-logs-insecure
+ emptyDir: {}
+ {{ end }}
+
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml
index 794b896eef..8176e77c1e 100644
--- a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml
@@ -28,16 +28,29 @@ metadata:
spec:
type: {{ .Values.service.type }}
ports:
- {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.externalPort }}
- nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.name }}
+ {{ if eq .Values.service.type "NodePort" -}}
+ {{ if .Values.service.insecure.enabled -}}
+ - port: {{ .Values.service.insecure.externalPort }}
+ nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.insecure.nodePort }}
+ name: {{ .Values.service.name }}-insecure
+ {{- end }}
+ {{ if .Values.service.secure.enabled -}}
+ - port: {{ .Values.service.secure.externalPort }}
+ nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.secure.nodePort }}
+ name: {{ .Values.service.name }}-secure
+ {{- end }}
{{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.name }}
- {{- end}}
+ {{ if .Values.service.insecure.enabled -}}
+ - port: {{ .Values.service.insecure.externalPort }}
+ targetPort: {{ .Values.service.insecure.internalPort }}
+ name: {{ .Values.service.name }}-insecure
+ {{- end }}
+ {{ if .Values.service.secure.enabled -}}
+ - port: {{ .Values.service.secure.externalPort }}
+ targetPort: {{ .Values.service.secure.internalPort }}
+ name: {{ .Values.service.name }}-secure
+ {{- end }}
+ {{- end }}
selector:
app: {{ include "common.name" . }}
release: {{ .Release.Name }}
-
diff --git a/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml b/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml
index 4605e88c09..9adbffda20 100644
--- a/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml
@@ -25,6 +25,8 @@ global:
readinessImage: readiness-check:2.0.0
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
+ tlsRepository: nexus3.onap.org:10001
+ tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3
repositoryCred:
user: docker
password: docker
@@ -43,7 +45,7 @@ config:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.configbinding.app-app:2.3.0
+image: onap/org.onap.dcaegen2.platform.configbinding:2.5.1-STAGING-latest
pullPolicy: Always
# probe configuration parameters
@@ -63,9 +65,18 @@ readiness:
service:
type: NodePort
name: config-binding-service
- externalPort: 10000
- internalPort: 10000
- nodePort: 15
+ # TLS service
+ secure:
+ enabled: true
+ externalPort: 10443
+ internalPort: 10443
+ nodePort: 14
+ # Non-TLS service
+ insecure:
+ enabled: true
+ externalPort: 10000
+ internalPort: 10000
+ nodePort: 15
# Resource Limit flavor -By Default using small
flavor: small
diff --git a/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json b/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json
index 600f07c457..3b20fc4e98 100644
--- a/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json
+++ b/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json
@@ -1,6 +1,6 @@
{
"cloudify": {
- "protocol": "http"
+ "protocol": "https"
},
"inventory": {
"protocol": "http"
diff --git a/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml
index 3e4e53b679..a67197849f 100644
--- a/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml
@@ -72,7 +72,7 @@ spec:
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
args:
- --service
- - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|80"
+ - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|443"
- --service
- "inventory|inventory.{{ include "common.namespace" . }}|8080"
- --key
@@ -119,6 +119,8 @@ spec:
value: admin
- name: CONFIG_BINDING_SERVICE
value: config-binding-service
+ - name: NODE_EXTRA_CA_CERTS
+ value: /opt/app/dh/etc/cert/cacert.pem
- name: POD_IP
valueFrom:
fieldRef:
diff --git a/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml b/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml
index 0eddf7c1a0..30893b6d7c 100644
--- a/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml
@@ -46,7 +46,7 @@ config:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.deployment-handler:4.0.1
+image: onap/org.onap.dcaegen2.platform.deployment-handler:4.2.0
pullPolicy: Always
# probe configuration parameters
diff --git a/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml b/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml
index dd985163c1..6e03f52713 100644
--- a/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml
@@ -40,7 +40,7 @@ config:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.1.5
+image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.2.0
pullPolicy: Always