diff options
| author |   Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-02-28 14:59:22 +0100 |
|---|---|---|
| committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-11-10 08:31:39 +0000 |
| commit | 1e99719c0224863cf26c5362243a4fa1b955c362 (patch) | |
| tree | 4cb228fdce7a331a4c16afe3ae24da79a2020f9e /kubernetes/aai/components/aai-modelloader | |
| parent | 8e67e73081c7ca3b7a0236c8f6cd291f18f69de7 (diff) | |
[AAI][BABEL] Remove Hardcoded certificates
Use Certinitializer in order to retrieve needed certificates.
Change ModelLoader also as it needs valid certificate to communicate
with Babel.
Issue-ID: OOM-2693
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I64b8ede24643f942dc99956030c202c50d41ad1e
Diffstat (limited to 'kubernetes/aai/components/aai-modelloader')
9 files changed, 126 insertions, 105 deletions
diff --git a/kubernetes/aai/components/aai-modelloader/requirements.yaml b/kubernetes/aai/components/aai-modelloader/requirements.yaml index d80dc5aea2..5a41aefe84 100644 --- a/kubernetes/aai/components/aai-modelloader/requirements.yaml +++ b/kubernetes/aai/components/aai-modelloader/requirements.yaml @@ -21,6 +21,9 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: certInitializer + version: ~9.x-0 + repository: '@local' - name: repositoryGenerator version: ~9.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12 Binary files differdeleted file mode 100644 index e64895e911..0000000000 --- a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12 +++ /dev/null diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore b/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore Binary files differdeleted file mode 100644 index e1d24d9b4d..0000000000 --- a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore +++ /dev/null diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml index cd36e799d6..129af8f2ac 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml +++ b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml @@ -1,6 +1,7 @@ {{/* <!-- # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,8 +27,7 @@ <property name="auditLogName" value="audit" /> <property name="debugLogName" value="debug" /> - <property name="errorLogPattern" - value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" /> + <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" /> <property name="auditMetricPattern" value="%m%n" /> <property name="logDirectory" value="${logDir}/${componentName}" /> @@ -35,9 +35,12 @@ <!-- Example evaluator filter applied against console appender --> <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> <encoder> - <pattern>${defaultPattern}</pattern> + <pattern>${errorLogPattern}</pattern> </encoder> </appender> + <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender"> + <appender-ref ref="STDOUT" /> + </appender> <!-- ============================================================================ --> <!-- EELF Appenders --> @@ -46,8 +49,7 @@ <!-- The EELFAppender is used to record events to the general application log --> - <appender name="EELF" - class="ch.qos.logback.core.rolling.RollingFileAppender"> + <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender"> <file>${logDirectory}/${generalLogName}.log</file> <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern> @@ -66,8 +68,7 @@ <appender-ref ref="EELF" /> </appender> - <appender name="EELFAudit" - class="ch.qos.logback.core.rolling.RollingFileAppender"> + <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender"> <file>${logDirectory}/${auditLogName}.log</file> <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern> @@ -82,8 +83,7 @@ <appender-ref ref="EELFAudit" /> </appender> - <appender name="EELFMetrics" - class="ch.qos.logback.core.rolling.RollingFileAppender"> + <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender"> <file>${logDirectory}/${metricsLogName}.log</file> <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern> @@ -98,8 +98,7 @@ <appender-ref ref="EELFMetrics" /> </appender> - <appender name="EELFDebug" - class="ch.qos.logback.core.rolling.RollingFileAppender"> + <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender"> <file>${logDirectory}/${debugLogName}.log</file> <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern> @@ -121,12 +120,15 @@ <logger name="com.att.eelf" level="info" additivity="false"> <appender-ref ref="asyncEELF" /> <appender-ref ref="asyncEELFDebug" /> + <appender-ref ref="AsyncSysOut" /> </logger> <logger name="com.att.eelf.audit" level="info" additivity="false"> <appender-ref ref="asyncEELFAudit" /> + <appender-ref ref="AsyncSysOut" /> </logger> <logger name="com.att.eelf.metrics" level="info" additivity="false"> <appender-ref ref="asyncEELFMetrics" /> + <appender-ref ref="AsyncSysOut" /> </logger> <!-- Spring related loggers --> @@ -162,8 +164,9 @@ <logger name="ch.qos.logback.core" level="WARN" /> <root> - <appender-ref ref="asyncEELF" /> - <!-- <appender-ref ref="asyncEELFDebug" /> --> -</root> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="AsyncSysOut" /> + <!-- <appender-ref ref="asyncEELFDebug" /> --> + </root> </configuration> diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties index 41b855490a..09eb397860 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties +++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,7 +21,7 @@ ml.distribution.ACTIVE_SERVER_TLS_AUTH=false ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443 ml.distribution.ASDC_USE_HTTPS=true ml.distribution.KEYSTORE_PASSWORD= -ml.distribution.KEYSTORE_FILE=asdc-client.jks +ml.distribution.KEYSTORE_FILE= ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp {{ else }} ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080 @@ -54,8 +55,8 @@ ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516 ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts {{ if ( include "common.needTLS" .) }} -ml.babel.KEYSTORE_FILE=babel-client-cert.p12 -ml.babel.KEYSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 -ml.babel.TRUSTSTORE_FILE=tomcat_keystore -ml.babel.TRUSTSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 +ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12 +ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD} +ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD} {{ end }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index 7e05d3b6cf..0213d631a3 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada -# Modifications Copyright © 2020 Orange +# Modifications Copyright © 2020-2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -39,12 +39,53 @@ spec: name: {{ include "common.name" . }} spec: {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.aafEnabled }} + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + - command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + echo "*** obfuscate them " + export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} + export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} + export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop + image: {{ include "repositoryGenerator.image.jetty" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-obfuscate + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + securityContext: + runAsUser: {{ .Values.securityContext.user_id }} + - command: + - sh + args: + - -c + - | + echo "*** Set obfuscated Truststore and Keystore password into configuration file" + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) + cd /config-input + for PFILE in `ls -1` + do + envsubst <${PFILE} >/config/${PFILE} + done + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config-input + name: prop-config-input + - mountPath: /config + name: prop-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config {{- end }} containers: - name: {{ include "common.name" . }} @@ -53,43 +94,41 @@ spec: env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /opt/app/model-loader/config/model-loader.properties subPath: model-loader.properties - name: {{ include "common.fullname" . }}-prop-config + name: prop-config - mountPath: /opt/app/model-loader/config/auth/ - name: {{ include "common.fullname" . }}-auth-config + name: auth-config - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/app/model-loader/logback.xml - name: {{ include "common.fullname" . }}-log-conf + name: log-config subPath: logback.xml - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - resources: -{{ include "common.resources" . }} - + resources: {{ include "common.resources" . | nindent 10 }} # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: localtime hostPath: path: /etc/localtime - - name: {{ include "common.fullname" . }}-prop-config + - name: prop-config-input configMap: name: {{ include "common.fullname" . }}-prop - - name: {{ include "common.fullname" . }}-auth-config + - name: prop-config + emptyDir: + medium: Memory + - name: auth-config secret: secretName: {{ include "common.fullname" . }} - name: logs emptyDir: {} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - - name: {{ include "common.fullname" . }}-log-conf + - name: log-config configMap: name: {{ include "common.fullname" . }}-log restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml b/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/service.yaml b/kubernetes/aai/components/aai-modelloader/templates/service.yaml deleted file mode 100644 index fad857bb41..0000000000 --- a/kubernetes/aai/components/aai-modelloader/templates/service.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName2 }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index 443bf40122..95eae6a80b 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -1,5 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2020 Orange +# Modifications Copyright © 2020-2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,6 +19,42 @@ global: # global defaults nodePortPrefix: 302 +################################################################# +# Certificate configuration +################################################################# +certInitializer: + nameOverride: aai-ml-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: aai + fqi: aai@aai.onap.org + public_fqdn: aai.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + appMountPath: /opt/app/model-loader/config/auth/aaf + fqi_namespace: org.onap.aai + user_id: &user_id 1000 + group_id: &group_id 1000 + aaf_add_config: | + echo "*** changing them into shell safe ones" + export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ + -storepass "${cadi_keystore_password_p12}" \ + -keystore {{ .Values.fqi_namespace }}.p12 + keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** writing passwords into prop file" + echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop + echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop + echo "*** change ownership of certificates to targeted user" + chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} + # application image image: onap/model-loader:1.9.1 pullPolicy: Always @@ -47,26 +83,6 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 -service: - type: NodePort - portName: http - externalPort: 8080 - internalPort: 8080 - nodePort: 10 - portName2: https - externalPort2: 8443 - internalPort2: 8443 - nodePort2: 29 - -ingress: - enabled: false - service: - - baseaddr: "aaimodelloader" - name: "aai-modelloader" - port: 8443 - config: - ssl: "redirect" - resources: small: limits: @@ -90,6 +106,11 @@ serviceAccount: roles: - read +# Not fully used for now +securityContext: + user_id: *user_id + group_id: *group_id + #Log configuration log: path: /var/log/onap |