summaryrefslogtreecommitdiffstats
path: root/kubernetes/aai/charts/aai-champ
diff options
context:
space:
mode:
authorLee, Tian (tl5884) <TianL@amdocs.com>2019-01-11 16:52:27 +0000
committerLee, Tian (tl5884) <TianL@amdocs.com>2019-01-31 16:59:20 +0000
commitfd8e7fbf73b93b2dd302108c7a1bcebb132647cd (patch)
treefee2a3df8807052a243eed1cf995b7b747ef6e45 /kubernetes/aai/charts/aai-champ
parentde248c3afe78f01e955375dac18edd742a5943de (diff)
Update Gizmo and Champ security config
- Update rProxy to use AAF geo-locate endpoint rather than hard coded IP address - Update fProxy to use separate truststore - Restructure charts to reduce certificate duplication Change-Id: I1e63ceb0ebabd8bb3dfacc71dac841858279b6f1 Issue-ID: AAF-718 Signed-off-by: Lee, Tian (tl5884) <TianL@amdocs.com>
Diffstat (limited to 'kubernetes/aai/charts/aai-champ')
-rw-r--r--kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12bin2556 -> 0 bytes
-rw-r--r--kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystorebin3659 -> 0 bytes
-rw-r--r--kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12bin2556 -> 0 bytes
-rw-r--r--kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystorebin3594 -> 0 bytes
-rw-r--r--kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json16
-rw-r--r--kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties20
-rw-r--r--kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile27
-rw-r--r--kubernetes/aai/charts/aai-champ/templates/deployment.yaml36
-rw-r--r--kubernetes/aai/charts/aai-champ/templates/secrets.yaml18
-rw-r--r--kubernetes/aai/charts/aai-champ/values.yaml1
10 files changed, 45 insertions, 73 deletions
diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12
deleted file mode 100644
index dbf4fcacec..0000000000
--- a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore
deleted file mode 100644
index f3ac0701a2..0000000000
--- a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12
deleted file mode 100644
index dbf4fcacec..0000000000
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore
deleted file mode 100644
index 99129c145f..0000000000
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore
+++ /dev/null
Binary files differ
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json
index 2865e01cd6..ca34049ec2 100644
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json
+++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json
@@ -82,18 +82,18 @@
"permissions": [
"test\\.auth\\.access\\|services\\|GET,PUT",
"\\|services\\|GET"
- ]
+ ]
},
{
"uri": "\/services\/inventory\/.*",
"permissions": [
- "org\\.access\\|\\*\\|\\*"
- ]
+ "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+ ]
},
{
- "uri": "\/services\/champ-service\/.*",
- "permissions": [
- "org\\.access\\|\\*\\|\\*"
- ]
- }
+ "uri": "\/services\/champ-service\/.*",
+ "permissions": [
+ "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+ ]
+ }
]
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties
index 33daa73b67..1878a4de70 100644
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties
+++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties
@@ -9,13 +9,27 @@
#hostname=test.aic.cip.att.com
cadi_loglevel=DEBUG
-cadi_keyfile=/opt/app/rproxy/config/security/keyfile
+# OAuth2
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect
+
+cadi_latitude=37.78187
+cadi_longitude=-122.26147
+
+# Locate URL (which AAF Env)
+aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
+
+# AAF URL
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0
+
+cadi_keyfile=/opt/app/rproxy/config/security/keyfile
+cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12
+cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV
+cadi_alias=aai@aai.onap.org
cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore
cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-# Configure AAF
-aaf_url=https://{{.Values.global.aaf.serverHostname}}:{{.Values.global.aaf.serverPort}}
aaf_env=DEV
aaf_id=demo@people.osaaf.org
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile
deleted file mode 100644
index 6cd12fcfb4..0000000000
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile
+++ /dev/null
@@ -1,27 +0,0 @@
-bZNOXiGDJ2_eiKBKWYLIFx27URvb-SWfmOl2d-QKetcVKIupOrsG-ScS_VXOtKN3Yxfb2cR6t7oM
-1RNpDnhsKAxDLM6A62IkS_h_Rp3Q9c2JeyomVmyiuHR7a2ARbelaMrX8WDrxXI_t9ce4pIHDVE29
-xiQm3Bdp7d7IiKkgg-ipvOU7Y6NEzeQbvHlHvRTJ3ZZMSwHxBOA5M8DhKN-AF1sqwozEVaNAuJxK
-BVdh72A6KTW7ieb_GvVQQp8h32BuOz8oJhZV7KaGXsWTEvXg9ImboY0h7Sl9hufgn1ZtDK1jxzGm
-6O6LBg1qezzZaFGTXRmHvaeYmEeYSu0bGsU4x-JCU0RyhNTzFhkhjNoccaqPXBdcJymLf096mD99
-QLS8nyji_KtLQJL1fqr500c8p6SOURLPgG6Gzkn4ghgFYlfgve92xs1R3ggHKhNTLV4HJ4O6iSDm
-zCoHeRbsZR1JER9yxT-v8NtcHOMAZe1oDQeY6jVyxb-bhaonN6eZPI4nyF6MHJQtWKhGARC_kOs6
-x9E0ZdAEp5TrX7F7J5PwkXzbCOuSiTVftOBum43iUB4q9He8tn2tJ0X4LtLHT3bPl16wWnZm9RPf
-8wBtTJh4QP_cTStPq1ftSaLIAuqVFpbiC2DxGemXZn3QvykuYqa-rKeYPoIJ5dtWd5rNb_hhcSIz
-FakKTELb0HWYGji98TBF6PaStea2f2m-wGX_uQGD7_Dijl6AgnV9koKVs1bN1XljLtNMPbLdD8sz
-UCvc5lwvCFyyeunljI7os1fgwBmaMyckflq5VfZv9kFxom6jFLbcozylQ_uBg4j7oCP79IXVUI-r
-banZltOSmm8zHGc2R9UlUyxJWBi01yxwi1hUtn9g1H4RtncQpu3BY0Qvu5YLAmS5imivUnGVZWbv
-6wcqnJt5HwaVatE9NHONSLNTViQPsUOutWZBZxhJtAncdZuWOYZSh4TPzUJWvt6zT0E3YMBc_UuG
-yPmdLyqo7qGHR8YWRqq_vq6ISJqENMnVD6X9-BeI6KM4GPEAlDWyhgENXxQFjG45ufg3UpP8LBTB
-xDntlfkphRumsd13-8IlvwVtlpgnbuCMbwP_-lNVeNJcdA1InPt79oY-SEVZ-RVM1881ZASCnFeB
-lh3BTc_bGQ8YoC9s6iHtcCK_1SdbwzBfQBJUqqcYsa8hJLe-j8di7KCaFzI3a-UXWKuuWljpbKbq
-ibd48UFJt_34_GxkD6bmLxycuNH-og2Sd2VcYU0o5UarcrY4-2sgFPE7Mzxovrl98uayfgNF9DqE
-fJ4MwFGqLRtEHlm4zfuMxQ5Rh_giMUHDJApc1DYRkxdGbNUd4bC4aRBln2IhN-rNKbSVtiW_uT6v
-1KTMGmElvktjPWybJd2SvhT5qOLUM81-cmZzAsNa04jxZLBlQn_1fel3IroVos4Ohbdhar2NG6T5
-liten9RZ9P4Cg9RWhgeQonAD5kqLWXAHnCfffb5CVcAU5PHqkCgCbdThvD0-zIGETLO9AE0jKISc
-0o67CUZn3MzJ9pP_3gh-ALr2w-KAwqasqCf0igf1wmEDijv9wEDcgDm39ERIElTpGKgfyuVl4F8u
-PrpK5ZfpUYySUB6CZFQVVz0MvH6E7orQk4dCKFIimV_XwEtGijBttrTvyV6xYNScAEw_olt-0mdm
-8UEKSsuqSyDMxUWLjKJT19rNedahYJNtI87WR9Fhhjsrai9Or3a-srOYa56wcvSj2ZHbkevbO9Xv
-dQ2wzWCGEAMQSpSr83n0XEpR2pZT19Z19Svbhr08mnt2JNykCk60FLCeDTUOylJtYw6YOjqBizQZ
--85B51BCbSEaAKJkgT9-8n_-LGW5aPBrBB_9FT7UIYczNEt3B1Lqr2s4ipPI_36JecEfqaS2cNLn
-c0ObAtNGAONkhO5LYLneMR3fZPMFuOX1-rMObPgE0i9dYqWDZ_30w9rpRsmiWyxYi5lvWDxU5L1J
-uJxwREz3oa_VgpSC3Y2oxCufdQwzBk57iVLDOb1qs_Hwj1SWd1nukWyAo2-g5sR1folAEcao \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
index aa9157fe47..537763a6db 100644
--- a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
@@ -31,12 +31,6 @@ spec:
app: {{ include "common.name" . }}
release: {{ .Release.Name }}
spec:
- {{ if .Values.global.installSidecarSecurity }}
- hostAliases:
- - ip: {{ .Values.global.aaf.serverIp }}
- hostnames:
- - {{ .Values.global.aaf.serverHostname }}
- {{ end }}
initContainers:
- command:
- /root/ready.py
@@ -163,18 +157,18 @@ spec:
- name: {{ include "common.fullname" . }}-rproxy-log-config
mountPath: /opt/app/rproxy/config/logback-spring.xml
subPath: logback-spring.xml
- - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ - name: {{ include "common.fullname" . }}-rproxy-auth-certs
mountPath: /opt/app/rproxy/config/auth/tomcat_keystore
subPath: tomcat_keystore
- - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ - name: {{ include "common.fullname" . }}-rproxy-auth-certs
mountPath: /opt/app/rproxy/config/auth/client-cert.p12
subPath: client-cert.p12
+ - name: {{ include "common.fullname" . }}-rproxy-auth-certs
+ mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12
+ subPath: org.onap.aai.p12
- name: {{ include "common.fullname" . }}-rproxy-auth-config
mountPath: /opt/app/rproxy/config/auth/uri-authorization.json
subPath: uri-authorization.json
- #- name: {{ include "common.fullname" . }}-rproxy-auth-config
- # mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks
- # subPath: aaf_truststore.jks
- name: {{ include "common.fullname" . }}-rproxy-security-config
mountPath: /opt/app/rproxy/config/security/keyfile
subPath: keyfile
@@ -189,7 +183,9 @@ spec:
- name: CONFIG_HOME
value: "/opt/app/fproxy/config"
- name: KEY_STORE_PASSWORD
- value: {{ .Values.config.keyStorePassword }}
+ value: {{ .Values.config.keyStorePassword }}
+ - name: TRUST_STORE_PASSWORD
+ value: {{ .Values.config.trustStorePassword }}
- name: spring_profiles_active
value: {{ .Values.global.fproxy.activeSpringProfiles }}
volumeMounts:
@@ -199,10 +195,13 @@ spec:
- name: {{ include "common.fullname" . }}-fproxy-log-config
mountPath: /opt/app/fproxy/config/logback-spring.xml
subPath: logback-spring.xml
- - name: {{ include "common.fullname" . }}-fproxy-auth-config
+ - name: {{ include "common.fullname" . }}-fproxy-auth-certs
mountPath: /opt/app/fproxy/config/auth/tomcat_keystore
subPath: tomcat_keystore
- - name: {{ include "common.fullname" . }}-fproxy-auth-config
+ - name: {{ include "common.fullname" . }}-fproxy-auth-certs
+ mountPath: /opt/app/fproxy/config/auth/fproxy_truststore
+ subPath: fproxy_truststore
+ - name: {{ include "common.fullname" . }}-fproxy-auth-certs
mountPath: /opt/app/fproxy/config/auth/client-cert.p12
subPath: client-cert.p12
ports:
@@ -251,18 +250,21 @@ spec:
- name: {{ include "common.fullname" . }}-rproxy-auth-config
secret:
secretName: {{ include "common.fullname" . }}-rproxy-auth-config
+ - name: {{ include "common.fullname" . }}-rproxy-auth-certs
+ secret:
+ secretName: aai-rproxy-auth-certs
- name: {{ include "common.fullname" . }}-rproxy-security-config
secret:
- secretName: {{ include "common.fullname" . }}-rproxy-security-config
+ secretName: aai-rproxy-security-config
- name: {{ include "common.fullname" . }}-fproxy-config
configMap:
name: {{ include "common.fullname" . }}-fproxy-config
- name: {{ include "common.fullname" . }}-fproxy-log-config
configMap:
name: {{ include "common.fullname" . }}-fproxy-log-config
- - name: {{ include "common.fullname" . }}-fproxy-auth-config
+ - name: {{ include "common.fullname" . }}-fproxy-auth-certs
secret:
- secretName: {{ include "common.fullname" . }}-fproxy-auth-config
+ secretName: aai-fproxy-auth-certs
{{ end }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
index a0a1519c26..b0a62f63f6 100644
--- a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
@@ -42,27 +42,9 @@ data:
apiVersion: v1
kind: Secret
metadata:
- name: {{ include "common.fullname" . }}-fproxy-auth-config
- namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
name: {{ include "common.fullname" . }}-rproxy-auth-config
namespace: {{ include "common.namespace" . }}
type: Opaque
data:
{{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "common.fullname" . }}-rproxy-security-config
- namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }}
{{ end }} \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-champ/values.yaml b/kubernetes/aai/charts/aai-champ/values.yaml
index b865b0050e..b1ce34dd1d 100644
--- a/kubernetes/aai/charts/aai-champ/values.yaml
+++ b/kubernetes/aai/charts/aai-champ/values.yaml
@@ -33,6 +33,7 @@ flavor: small
config:
keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+ trustStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
# default number of instances
replicaCount: 1