diff options
author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-03-08 16:52:20 +0000 |
---|---|---|
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-04-04 07:42:24 +0000 |
commit | 375d0eaa1368368df3c2b9512d9ac8ee6056c63d (patch) | |
tree | 35e6c2dbbe78cb8ba714eb03038ec10e3948894a /kubernetes/aai/components/aai-sparky-be/resources | |
parent | 333281b85d86c356ab0f09caab82890fce0442fb (diff) |
[AAI][SPARKY] Automatically retrieve certs
Instead of using hardcoded certificates, use certInitializer in order to
retrieve them automatically.
Issue-ID: OOM-2683
Change-Id: I1bd3fe575c1d3450905bdc5876b442fdb43660a9
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Diffstat (limited to 'kubernetes/aai/components/aai-sparky-be/resources')
14 files changed, 214 insertions, 20 deletions
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-default.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties index 084f6e46bc..084f6e46bc 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-default.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-override.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties index 4465fb3e11..4465fb3e11 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-override.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties index 094c815744..fe8bd16fa1 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-schema-prod.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties @@ -15,14 +15,14 @@ */}} oxm.schemaNodeDir=/opt/app/sparky/onap/oxm -#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config +#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config oxm.schemaServiceTranslatorList=config # The end point for onap is https://<hostname>:<port>/onap/schema-service/v1/ oxm.schemaServiceBaseUrl=https://<schema-service/config>/aai/schema-service/v1/ -oxm.schemaServiceKeystore=file:${CONFIG_HOME}/auth/aai-client-cert.p12 -oxm.schemaServiceTruststore=file:${CONFIG_HOME}/auth/tomcat_keystore -oxm.schemaServiceKeystorePassword=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o -oxm.schemaServiceTruststorePassword=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o +oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD} +oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 59c0349b06..3c6bd4e1ad 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties @@ -19,4 +19,7 @@ resources.port=8443 resources.authType=SSL_BASIC resources.basicAuthUserName=aai@aai.onap.org resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek -resources.trust-store=tomcat_keystore +resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +resources.trust-store-password=${TRUSTSTORE_PASSWORD} +resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +resources.client-cert-password=${KEYSTORE_PASSWORD} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties index 4db6c0a374..2e2351ad95 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-ssl.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties @@ -13,8 +13,8 @@ # limitations under the License. server.port=8000 -server.ssl.key-store=file:${CONFIG_HOME}/auth/org.onap.aai.p12 -server.ssl.key-store-password=OBF:1xfz1qie1jf81b3s1ir91tag1h381cvr1kze1zli16kj1b301b4y16kb1zm01kzo1cw71gze1t9y1ivd1b461je21qiw1xf3 +server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +server.ssl.key-store-password=${KEYSTORE_PASSWORD} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.trust-store=file:${CONFIG_HOME}/auth/truststoreONAPall.jks -server.ssl.trust-store-password=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 +server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-sync.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties index 4fb10a21f7..4fb10a21f7 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-sync.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties index 1269f25355..120f8ac114 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties @@ -25,11 +25,11 @@ spring.mvc.favicon.enabled=false spring.profiles.active=camel,ssl,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy portal.cadiFileLocation={{.Values.config.cadiFileLocation}} -portal.cadiFileLocation={{.Values.config.cadiFileLocation}} searchservice.hostname={{.Values.global.searchData.serviceName}} searchservice.port=9509 -searchservice.client-cert=client-cert-onap.p12 -searchservice.client-cert-password=1xfz1qie1jf81b3s1ir91tag1h381cvr1kze1zli16kj1b301b4y16kb1zm01kzo1cw71gze1t9y1ivd1b461je21qiw1xf3 -searchservice.truststore=tomcat_keystore +searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +searchservice.client-cert-password=${KEYSTORE_PASSWORD} +searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +searchservice.truststore-password=${TRUSTSTORE_PASSWORD} schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml new file mode 100644 index 0000000000..cd5338f5b3 --- /dev/null +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml @@ -0,0 +1,187 @@ +<configuration scan="true" scanPeriod="3 seconds" debug="false"> + <!--{{/* + # Copyright © 2018 AT&T + # Copyright © 2021 Orange + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + */}}--> + <!--<jmxConfigurator /> --> + <!-- directory path for all other type logs --> + + <property name="logDir" value="/var/log/onap" /> + + <!-- <ECOMP-component-name>::= "MSO" | "DCAE" | "ASDC " | "AAI" |"Policy" + | "SDNC" | "AC" --> + <property name="componentName" value="AAI-UI"></property> + + <!-- default eelf log file names --> + <property name="generalLogName" value="error" /> + <property name="metricsLogName" value="metrics" /> + <property name="auditLogName" value="audit" /> + <property name="debugLogName" value="debug" /> + + <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|AAIUI|%mdc{PartnerName}|%logger|%.-5level|%msg%n" /> + <property name="auditMetricPattern" value="%m%n" /> + + <property name="logDirectory" value="${logDir}/${componentName}" /> + + + <!-- Example evaluator filter applied against console appender --> + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> + </appender> + + <!-- ============================================================================ --> + <!-- EELF Appenders --> + <!-- ============================================================================ --> + + <!-- The EELFAppender is used to record events to the general application + log --> + + <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${generalLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> + </appender> + <appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender"> + <!-- deny all events with a level below INFO, that is TRACE and DEBUG --> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>INFO</level> + </filter> + <queueSize>256</queueSize> + <appender-ref ref="EELF" /> + </appender> + + + <!-- EELF Audit Appender. This appender is used to record audit engine related + logging events. The audit logger and appender are specializations of the + EELF application root logger and appender. This can be used to segregate + Policy engine events from other components, or it can be eliminated to record + these events as part of the application root log. --> + + <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${auditLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${auditMetricPattern}</pattern> + </encoder> + </appender> + <appender name="asyncEELFAudit" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFAudit" /> + </appender> + + <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${metricsLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <!-- <pattern>"%d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n"</pattern> --> + <pattern>${auditMetricPattern}</pattern> + </encoder> + </appender> + + + <appender name="asyncEELFMetrics" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFMetrics" /> + </appender> + + <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${debugLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFDebug" /> + <includeCallerData>false</includeCallerData> + </appender> + + <!-- ============================================================================ --> + <!-- EELF loggers --> + <!-- ============================================================================ --> + <logger name="com.att.eelf" level="info" additivity="false"> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="asyncEELFDebug" /> + <appender-ref ref="STDOUT" /> + </logger> + + <logger name="com.att.eelf.audit" level="info" additivity="false"> + <appender-ref ref="asyncEELFAudit" /> + </logger> + <logger name="com.att.eelf.metrics" level="info" additivity="false"> + <appender-ref ref="asyncEELFMetrics" /> + </logger> + + <!-- Spring related loggers --> + <logger name="org.springframework" level="WARN" /> + <logger name="org.springframework.beans" level="WARN" /> + <logger name="org.springframework.web" level="WARN" /> + <logger name="com.blog.spring.jms" level="WARN" /> + + <!-- Sparky loggers --> + <logger name="org.onap" level="INFO"> + <appender-ref ref="STDOUT" /> + </logger> + + <!-- Other Loggers that may help troubleshoot --> + <logger name="net.sf" level="WARN" /> + <logger name="org.apache.commons.httpclient" level="WARN" /> + <logger name="org.apache.commons" level="WARN" /> + <logger name="org.apache.coyote" level="WARN" /> + <logger name="org.apache.jasper" level="WARN" /> + + <!-- Camel Related Loggers (including restlet/servlet/jaxrs/cxf logging. + May aid in troubleshooting) --> + <logger name="org.apache.camel" level="WARN" /> + <logger name="org.apache.cxf" level="WARN" /> + <logger name="org.apache.camel.processor.interceptor" level="WARN" /> + <logger name="org.apache.cxf.jaxrs.interceptor" level="WARN" /> + <logger name="org.apache.cxf.service" level="WARN" /> + <logger name="org.restlet" level="WARN" /> + <logger name="org.apache.camel.component.restlet" level="WARN" /> + + <!-- logback internals logging --> + <logger name="ch.qos.logback.classic" level="WARN" /> + <logger name="ch.qos.logback.core" level="WARN" /> + + <root> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="STDOUT" /> + <!-- <appender-ref ref="asyncEELFDebug" /> --> + </root> + +</configuration>
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/roles.config b/kubernetes/aai/components/aai-sparky-be/resources/config/application/roles.config index df41395058..df41395058 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/roles.config +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/roles.config diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/users.config b/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config index ce69e88918..ce69e88918 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/users.config +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/client-cert-onap.p12 b/kubernetes/aai/components/aai-sparky-be/resources/config/auth/client-cert-onap.p12 Binary files differdeleted file mode 100644 index 2601acf88a..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/client-cert-onap.p12 +++ /dev/null diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/org.onap.aai.p12 b/kubernetes/aai/components/aai-sparky-be/resources/config/auth/org.onap.aai.p12 Binary files differdeleted file mode 100644 index 2601acf88a..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/org.onap.aai.p12 +++ /dev/null diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties index 2592e5ca7c..7a0fb8250b 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties @@ -46,4 +46,4 @@ ext_req_connection_timeout=15000 ext_req_read_timeout=20000 #Add AAF namespace if the app is centralized -auth_namespace={{.Values.config.aafNamespace}} +auth_namespace={{ .Values.certInitializer.fqi_namespace }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties index 1f154b6101..baefd9806b 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties @@ -6,14 +6,18 @@ aaf_url=<%=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 # AAF Environment Designation #if you are running aaf service from a docker image you have to use aaf service IP and port number -aaf_id={{.Values.config.aafUsername}} +aaf_id={{ .Values.certInitializer.fqi }} #Encrypt the password using AAF Jar -aaf_password={{.Values.config.aafPassword}} +aaf_password={{ .Values.certInitializer.aafDeployPass }} # Sample CADI Properties, from CADI 1.4.2 #hostname=org.onap.aai.orr csp_domain=PROD # Add Absolute path to Keyfile -cadi_keyfile={{.Values.config.cadiKeyFile}} +cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile +cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +cadi_keystore_password=${KEYSTORE_PASSWORD} + +cadi_alias={{ .Values.certInitializer.fqi }} # This is required to accept Certificate Authentication from Certman certificates. # can be TEST, IST or PROD @@ -23,9 +27,9 @@ aaf_env=DEV cadi_loglevel=DEBUG # Add Absolute path to truststore2018.jks -cadi_truststore={{.Values.config.cadiTrustStore}} +cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks # Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs -cadi_truststore_password={{.Values.config.cadiTrustStorePassword}} +cadi_truststore_password=${TRUSTSTORE_PASSWORD} # how to turn on SSL Logging #javax.net.debug=ssl |