diff options
author | osgn422w <gervais-martial.ngueko@intl.att.com> | 2020-09-25 02:28:02 +0200 |
---|---|---|
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2020-09-25 09:15:21 +0000 |
commit | 798144599328ad1a17830a297a0539553f35f97b (patch) | |
tree | 0934a21a9b91093b30128da564a571a1f5c43369 /kubernetes/clamp/components/clamp-dash-es | |
parent | 5686a7b4b7d72c716467827c55737cbdab12a49a (diff) |
[CLAMP] AAF certificate using certinializer(2)
use of auto-generated certificates via AAF side-car
at OOM deployment time for CLAMP dashboard part.
Issue-ID: CLAMP-884
Change-Id: If1c1cfb7d218060dde129546cadf38647a8d496e
Signed-off-by: osgn422w <gervais-martial.ngueko@intl.att.com>
Diffstat (limited to 'kubernetes/clamp/components/clamp-dash-es')
4 files changed, 67 insertions, 4 deletions
diff --git a/kubernetes/clamp/components/clamp-dash-es/requirements.yaml b/kubernetes/clamp/components/clamp-dash-es/requirements.yaml index caff1e5dc4..317d5b5d79 100644 --- a/kubernetes/clamp/components/clamp-dash-es/requirements.yaml +++ b/kubernetes/clamp/components/clamp-dash-es/requirements.yaml @@ -17,3 +17,6 @@ dependencies: - name: common version: ~6.x-0 repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml b/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml index 1eb20fce89..9e04d5ae01 100644 --- a/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml +++ b/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml @@ -106,14 +106,24 @@ transport.tcp.port: {{.Values.service.externalPort2}} ######## Start OpenDistro for Elasticsearch Security Demo Configuration ######## # WARNING: revise all the lines below before you go into production +{{- if .Values.global.aafEnabled }} +opendistro_security.ssl.transport.pemcert_filepath: {{ .Values.certInitializer.clamp_pem }} +opendistro_security.ssl.transport.pemkey_filepath: {{ .Values.certInitializer.clamp_key }} +opendistro_security.ssl.transport.pemtrustedcas_filepath: {{ .Values.certInitializer.clamp_ca_certs_pem }} +opendistro_security.ssl.http.pemcert_filepath: {{ .Values.certInitializer.clamp_pem }} +opendistro_security.ssl.http.pemkey_filepath: {{ .Values.certInitializer.clamp_key }} +opendistro_security.ssl.http.pemtrustedcas_filepath: {{ .Values.certInitializer.clamp_ca_certs_pem }} +{{- else }} opendistro_security.ssl.transport.pemcert_filepath: esnode.pem opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem -opendistro_security.ssl.transport.enforce_hostname_verification: false -opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}} opendistro_security.ssl.http.pemcert_filepath: esnode.pem opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +{{- end }} +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}} + opendistro_security.allow_unsafe_democertificates: true opendistro_security.allow_default_init_securityindex: true opendistro_security.authcz.admin_dn: diff --git a/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml b/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml index 0ec38b08e3..0e37df7ddc 100644 --- a/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml +++ b/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml @@ -59,10 +59,22 @@ spec: mountPath: /usr/share/elasticsearch/logs/ - name: {{ include "common.fullname" . }}-data mountPath: /usr/share/elasticsearch/data/ +{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_key }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_key }} + cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_pem }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_pem }} + cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_ca_certs_pem }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_ca_certs_pem }} + /usr/local/bin/docker-entrypoint.sh + {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} name: {{ include "common.servicename" . }} @@ -85,7 +97,7 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} env: - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -104,7 +116,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/clamp/components/clamp-dash-es/values.yaml b/kubernetes/clamp/components/clamp-dash-es/values.yaml index 27158a6668..a4ff555e83 100644 --- a/kubernetes/clamp/components/clamp-dash-es/values.yaml +++ b/kubernetes/clamp/components/clamp-dash-es/values.yaml @@ -20,6 +20,44 @@ global: nodePortPrefix: 302 repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== persistence: {} + centralizedLoggingEnabled: true + #AAF service + aafEnabled: true + +################################################################# +# AAF part +################################################################# +certInitializer: + permission_user: 1000 + permission_group: 999 + addconfig: true + keystoreFile: "org.onap.clamp.p12" + truststoreFile: "org.onap.clamp.trust.jks" + keyFile: "org.onap.clamp.keyfile" + truststoreFileONAP: "truststoreONAPall.jks" + clamp_key: "org.onap.clamp.crt.key" + clamp_pem: "org.onap.clamp.key.pem" + clamp_ca_certs_pem: "clamp-ca-certs.pem" + nameOverride: clamp-es-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: clamp + fqi: clamp@clamp.onap.org + public_fqdn: clamp.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; + export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); + cd {{ .Values.credsPath }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; + chmod a+rx *; + flavor: small ################################################################# |