summaryrefslogtreecommitdiffstats
path: root/kubernetes/clamp/components/clamp-dash-es
diff options
context:
space:
mode:
authorosgn422w <gervais-martial.ngueko@intl.att.com>2020-09-25 02:28:02 +0200
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-09-25 09:15:21 +0000
commit798144599328ad1a17830a297a0539553f35f97b (patch)
tree0934a21a9b91093b30128da564a571a1f5c43369 /kubernetes/clamp/components/clamp-dash-es
parent5686a7b4b7d72c716467827c55737cbdab12a49a (diff)
[CLAMP] AAF certificate using certinializer(2)
use of auto-generated certificates via AAF side-car at OOM deployment time for CLAMP dashboard part. Issue-ID: CLAMP-884 Change-Id: If1c1cfb7d218060dde129546cadf38647a8d496e Signed-off-by: osgn422w <gervais-martial.ngueko@intl.att.com>
Diffstat (limited to 'kubernetes/clamp/components/clamp-dash-es')
-rw-r--r--kubernetes/clamp/components/clamp-dash-es/requirements.yaml3
-rw-r--r--kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml14
-rw-r--r--kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml16
-rw-r--r--kubernetes/clamp/components/clamp-dash-es/values.yaml38
4 files changed, 67 insertions, 4 deletions
diff --git a/kubernetes/clamp/components/clamp-dash-es/requirements.yaml b/kubernetes/clamp/components/clamp-dash-es/requirements.yaml
index caff1e5dc4..317d5b5d79 100644
--- a/kubernetes/clamp/components/clamp-dash-es/requirements.yaml
+++ b/kubernetes/clamp/components/clamp-dash-es/requirements.yaml
@@ -17,3 +17,6 @@ dependencies:
- name: common
version: ~6.x-0
repository: '@local'
+ - name: certInitializer
+ version: ~6.x-0
+ repository: '@local' \ No newline at end of file
diff --git a/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml b/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml
index 1eb20fce89..9e04d5ae01 100644
--- a/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml
+++ b/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml
@@ -106,14 +106,24 @@ transport.tcp.port: {{.Values.service.externalPort2}}
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
+{{- if .Values.global.aafEnabled }}
+opendistro_security.ssl.transport.pemcert_filepath: {{ .Values.certInitializer.clamp_pem }}
+opendistro_security.ssl.transport.pemkey_filepath: {{ .Values.certInitializer.clamp_key }}
+opendistro_security.ssl.transport.pemtrustedcas_filepath: {{ .Values.certInitializer.clamp_ca_certs_pem }}
+opendistro_security.ssl.http.pemcert_filepath: {{ .Values.certInitializer.clamp_pem }}
+opendistro_security.ssl.http.pemkey_filepath: {{ .Values.certInitializer.clamp_key }}
+opendistro_security.ssl.http.pemtrustedcas_filepath: {{ .Values.certInitializer.clamp_ca_certs_pem }}
+{{- else }}
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}}
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+{{- end }}
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}}
+
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
diff --git a/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml b/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml
index 0ec38b08e3..0e37df7ddc 100644
--- a/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml
+++ b/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml
@@ -59,10 +59,22 @@ spec:
mountPath: /usr/share/elasticsearch/logs/
- name: {{ include "common.fullname" . }}-data
mountPath: /usr/share/elasticsearch/data/
+{{ include "common.certInitializer.initContainer" . | indent 6 }}
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{- if .Values.global.aafEnabled }}
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_key }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_key }}
+ cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_pem }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_pem }}
+ cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_ca_certs_pem }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_ca_certs_pem }}
+ /usr/local/bin/docker-entrypoint.sh
+ {{- end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
name: {{ include "common.servicename" . }}
@@ -85,7 +97,7 @@ spec:
periodSeconds: {{ .Values.readiness.periodSeconds }}
timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
env:
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -104,7 +116,7 @@ spec:
affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
- name: localtime
hostPath:
path: /etc/localtime
diff --git a/kubernetes/clamp/components/clamp-dash-es/values.yaml b/kubernetes/clamp/components/clamp-dash-es/values.yaml
index 27158a6668..a4ff555e83 100644
--- a/kubernetes/clamp/components/clamp-dash-es/values.yaml
+++ b/kubernetes/clamp/components/clamp-dash-es/values.yaml
@@ -20,6 +20,44 @@ global:
nodePortPrefix: 302
repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ==
persistence: {}
+ centralizedLoggingEnabled: true
+ #AAF service
+ aafEnabled: true
+
+#################################################################
+# AAF part
+#################################################################
+certInitializer:
+ permission_user: 1000
+ permission_group: 999
+ addconfig: true
+ keystoreFile: "org.onap.clamp.p12"
+ truststoreFile: "org.onap.clamp.trust.jks"
+ keyFile: "org.onap.clamp.keyfile"
+ truststoreFileONAP: "truststoreONAPall.jks"
+ clamp_key: "org.onap.clamp.crt.key"
+ clamp_pem: "org.onap.clamp.key.pem"
+ clamp_ca_certs_pem: "clamp-ca-certs.pem"
+ nameOverride: clamp-es-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: clamp
+ fqi: clamp@clamp.onap.org
+ public_fqdn: clamp.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: >
+ /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
+ export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0);
+ cd {{ .Values.credsPath }};
+ openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }};
+ openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }};
+ openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }};
+ chmod a+rx *;
+
flavor: small
#################################################################