Add Pluggable Security to Champ

Note that by default this feature is turned off. To enable update the installSidecarSecurity in aai/values.yaml to true Change-Id: I19d4755a58041c58070e0cd36d263e4e49b3f743 Issue-ID: AAF-587 Signed-off-by: Ravi Geda <gravik@amdocs.com>
author: Ravi Geda <gravik@amdocs.com> 2018-10-30 10:03:44 +0000
committer: Alexis de Talhouët <alexis.de_talhouet@bell.ca> 2018-12-04 13:00:15 +0000
commit: 9234bdec7f994e8b11953fdbc358768defba8fc7 (patch)
tree: 2ce587d54c1da688ad77f2c51abbbc3aacf24410 /kubernetes/aai/charts/aai-champ/templates
parent: 693bc2491bb1249f3e0313a31c4240f5f65e3ba3 (diff)
4 files changed, 184 insertions, 0 deletions
diff --git a/kubernetes/aai/charts/aai-champ/templates/configmap.yaml b/kubernetes/aai/charts/aai-champ/templates/configmap.yaml
index b2f16d9034..db77ae2c27 100644
--- a/kubernetes/aai/charts/aai-champ/templates/configmap.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/configmap.yaml
@@ -51,3 +51,37 @@ metadata:
     heritage: {{ .Release.Service }}
 data:
 {{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }}
+{{ if .Values.global.installSidecarSecurity }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-fproxy-config
+  namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/fproxy/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-fproxy-log-config
+  namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/fproxy/config/logback-spring.xml").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-rproxy-config
+  namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-rproxy-log-config
+  namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/logback-spring.xml").AsConfig . | indent 2 }}
+{{ end }}
+\ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
index 4e1866c8b9..aa9157fe47 100644
--- a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
@@ -31,6 +31,12 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ .Release.Name }}
     spec:
+    {{ if .Values.global.installSidecarSecurity }}
+      hostAliases:
+      - ip: {{ .Values.global.aaf.serverIp }}
+        hostnames:
+        - {{ .Values.global.aaf.serverHostname }}
+    {{ end }}
       initContainers:
         - command:
           - /root/ready.py
@@ -46,6 +52,13 @@ spec:
           image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           name: {{ include "common.name" . }}-readiness
+    {{ if .Values.global.installSidecarSecurity }}
+        - name: {{ .Values.global.tproxyConfig.name }}
+          image: "{{ include "common.repository" . }}/{{ .Values.global.tproxyConfig.image }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          securityContext:
+            privileged: true
+    {{ end }}
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -123,6 +136,78 @@ spec:
             name: {{ include "common.fullname" . }}-logs
           - mountPath: /usr/share/filebeat/data
             name: aai-filebeat
+    {{ if .Values.global.installSidecarSecurity }}
+        - name: {{ .Values.global.rproxy.name }}
+          image: "{{ include "common.repository" . }}/{{ .Values.global.rproxy.image }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          env:
+          - name: CONFIG_HOME
+            value: "/opt/app/rproxy/config"
+          - name: KEY_STORE_PASSWORD
+            value: {{ .Values.config.keyStorePassword }} 
+          - name: spring_profiles_active
+            value: {{ .Values.global.rproxy.activeSpringProfiles }}
+          volumeMounts:
+          - name: {{ include "common.fullname" . }}-rproxy-config
+            mountPath: /opt/app/rproxy/config/forward-proxy.properties
+            subPath: forward-proxy.properties
+          - name: {{ include "common.fullname" . }}-rproxy-config
+            mountPath: /opt/app/rproxy/config/primary-service.properties
+            subPath: primary-service.properties
+          - name: {{ include "common.fullname" . }}-rproxy-config
+            mountPath: /opt/app/rproxy/config/reverse-proxy.properties
+            subPath: reverse-proxy.properties
+          - name: {{ include "common.fullname" . }}-rproxy-config
+            mountPath: /opt/app/rproxy/config/cadi.properties
+            subPath: cadi.properties
+          - name: {{ include "common.fullname" . }}-rproxy-log-config
+            mountPath: /opt/app/rproxy/config/logback-spring.xml
+            subPath: logback-spring.xml
+          - name: {{ include "common.fullname" . }}-rproxy-auth-config
+            mountPath: /opt/app/rproxy/config/auth/tomcat_keystore
+            subPath: tomcat_keystore
+          - name: {{ include "common.fullname" . }}-rproxy-auth-config
+            mountPath: /opt/app/rproxy/config/auth/client-cert.p12
+            subPath: client-cert.p12
+          - name: {{ include "common.fullname" . }}-rproxy-auth-config
+            mountPath: /opt/app/rproxy/config/auth/uri-authorization.json
+            subPath: uri-authorization.json
+          #- name: {{ include "common.fullname" . }}-rproxy-auth-config
+          #  mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks
+          #  subPath: aaf_truststore.jks
+          - name: {{ include "common.fullname" . }}-rproxy-security-config
+            mountPath: /opt/app/rproxy/config/security/keyfile
+            subPath: keyfile
+
+          ports:
+          - containerPort: {{ .Values.global.rproxy.port }}
+
+        - name: {{ .Values.global.fproxy.name }}
+          image: "{{ include "common.repository" . }}/{{ .Values.global.fproxy.image }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          env:
+          - name: CONFIG_HOME
+            value: "/opt/app/fproxy/config"
+          - name: KEY_STORE_PASSWORD
+            value: {{ .Values.config.keyStorePassword }} 
+          - name: spring_profiles_active
+            value: {{ .Values.global.fproxy.activeSpringProfiles }}
+          volumeMounts:
+          - name: {{ include "common.fullname" . }}-fproxy-config
+            mountPath: /opt/app/fproxy/config/fproxy.properties
+            subPath: fproxy.properties
+          - name: {{ include "common.fullname" . }}-fproxy-log-config
+            mountPath: /opt/app/fproxy/config/logback-spring.xml
+            subPath: logback-spring.xml
+          - name: {{ include "common.fullname" . }}-fproxy-auth-config
+            mountPath: /opt/app/fproxy/config/auth/tomcat_keystore
+            subPath: tomcat_keystore
+          - name: {{ include "common.fullname" . }}-fproxy-auth-config
+            mountPath: /opt/app/fproxy/config/auth/client-cert.p12
+            subPath: client-cert.p12
+          ports:
+          - containerPort: {{ .Values.global.fproxy.port }}
+    {{ end }}      
 
       volumes:
         - name: localtime
@@ -156,5 +241,28 @@ spec:
             name: aai-filebeat
         - name: aai-filebeat
           emptyDir: {}
+    {{ if .Values.global.installSidecarSecurity }}
+        - name: {{ include "common.fullname" . }}-rproxy-config
+          configMap:
+            name: {{ include "common.fullname" . }}-rproxy-config
+        - name: {{ include "common.fullname" . }}-rproxy-log-config
+          configMap:
+            name: {{ include "common.fullname" . }}-rproxy-log-config
+        - name: {{ include "common.fullname" . }}-rproxy-auth-config
+          secret:
+            secretName: {{ include "common.fullname" . }}-rproxy-auth-config
+        - name: {{ include "common.fullname" . }}-rproxy-security-config
+          secret:
+            secretName: {{ include "common.fullname" . }}-rproxy-security-config
+        - name: {{ include "common.fullname" . }}-fproxy-config
+          configMap:
+            name: {{ include "common.fullname" . }}-fproxy-config
+        - name: {{ include "common.fullname" . }}-fproxy-log-config
+          configMap:
+            name: {{ include "common.fullname" . }}-fproxy-log-config
+        - name: {{ include "common.fullname" . }}-fproxy-auth-config
+          secret:
+            secretName: {{ include "common.fullname" . }}-fproxy-auth-config
+    {{ end }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
index dddf15609b..a0a1519c26 100644
--- a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
@@ -37,3 +37,32 @@ data:
   KEY_STORE_PASSWORD: {{ .Values.config.keyStorePassword | b64enc | quote }}
   KEY_MANAGER_PASSWORD: {{ .Values.config.keyManagerPassword | b64enc | quote }}
 
+{{ if .Values.global.installSidecarSecurity }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.fullname" . }}-fproxy-auth-config
+  namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.fullname" . }}-rproxy-auth-config
+  namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.fullname" . }}-rproxy-security-config
+  namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }}
+{{ end }}
+\ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-champ/templates/service.yaml b/kubernetes/aai/charts/aai-champ/templates/service.yaml
index eeb27edffb..e67d42a5ff 100644
--- a/kubernetes/aai/charts/aai-champ/templates/service.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/service.yaml
@@ -26,6 +26,18 @@ metadata:
 spec:
   type: {{ .Values.service.type }}
   ports:
+  {{ if .Values.global.installSidecarSecurity }}
+      {{if eq .Values.service.type "NodePort" -}}
+      - port: {{ .Values.service.internalPort }}
+        nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
+        targetPort: {{ .Values.global.rproxy.port }}
+        name: {{ .Values.service.portName }}
+      {{- else -}}
+      - port: {{ .Values.service.externalPort }}
+        targetPort: {{ .Values.global.rproxy.port }}
+        name: {{ .Values.service.portName }}
+      {{- end}}
+  {{ else }}
     {{if eq .Values.service.type "NodePort" -}}
     - port: {{ .Values.service.internalPort}}
       nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort}}
@@ -35,6 +47,7 @@ spec:
       targetPort: {{ .Values.service.internalPort }}
       name: {{ .Values.service.portName }}
     {{- end}}
+  {{ end }}
   selector:
     app: {{ include "common.name" . }}
     release: {{ .Release.Name }}
author	Ravi Geda <gravik@amdocs.com>	2018-10-30 10:03:44 +0000
committer	Alexis de Talhouët <alexis.de_talhouet@bell.ca>	2018-12-04 13:00:15 +0000
commit	9234bdec7f994e8b11953fdbc358768defba8fc7 (patch)
tree	2ce587d54c1da688ad77f2c51abbbc3aacf24410 /kubernetes/aai/charts/aai-champ/templates
parent	693bc2491bb1249f3e0313a31c4240f5f65e3ba3 (diff)