aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/aai/resources/config
diff options
context:
space:
mode:
authorosk11461 <ondrej1.frindrich@orange.com>2021-06-18 00:51:17 +0200
committerosk11461 <ondrej1.frindrich@orange.com>2021-09-13 14:39:31 +0200
commit27fd7d8750ceeb798052eb8af36264c79b6536fb (patch)
tree13d2896ff9c8e6dd4c1139500cf4909e8efd0fc7 /kubernetes/aai/resources/config
parentf0e88b345f6c6dd6d5733d74016fc44027ac407f (diff)
[AAI] Service Mesh compatibility
This patch makes AAI to work on service mesh by removing https calls from everywhere. It allows also to use AAI on an environment without need of TLS. Issue-ID: OOM-2670 Signed-off-by: Ondrej Frindrich <ondrej1.frindrich@orange.com> Change-Id: I19adabc7b33c1ada243ec16f77dbf8fde19b1386
Diffstat (limited to 'kubernetes/aai/resources/config')
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg2
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy.cfg47
2 files changed, 44 insertions, 5 deletions
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
index e605e1886f..9fa6d2ee9b 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -106,7 +106,7 @@ frontend IST_8443
#######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
#######################
backend IST_Default_8447
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
index c8f3670349..1db4addb5a 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
@@ -35,7 +35,9 @@ defaults
log global
mode http
option httplog
+{{- if ( include "common.needTLS" .) }}
option ssl-hello-chk
+{{- end }}
option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
default-server init-addr none
# option dontlognull
@@ -58,6 +60,37 @@ defaults
timeout http-keep-alive 30000
+frontend IST_8080
+ mode http
+ bind 0.0.0.0:8080
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto http
+ reqadd X-Forwarded-Proto:\ http
+ reqadd X-Forwarded-Port:\ 8080
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
+
+ default_backend IST_Default_8447
+
+{{- if ( include "common.needTLS" .) }}
frontend IST_8443
mode http
bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
@@ -88,6 +121,7 @@ frontend IST_8443
http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 8443
+{{- end }}
#######################
#ACLS FOR PORT 8446####
@@ -103,17 +137,19 @@ frontend IST_8443
default_backend IST_Default_8447
-
#######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
#######################
backend IST_Default_8447
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+{{- if ( include "common.needTLS" .) }}
server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
-
+{{- else }}
+ server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
+{{- end }}
#######################
# BACKEND 8446#########
@@ -123,5 +159,8 @@ backend IST_AAI_8446
balance roundrobin
http-request set-header X-Forwarded-Port %[src_port]
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+{{- if ( include "common.needTLS" .) }}
server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
-
+{{- else }}
+ server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
+{{- end }}