diff options
author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2021-03-26 13:19:25 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2021-03-26 13:19:25 +0000 |
commit | 75a52ff6aa54884e3b79e538c77d64caacdce6ba (patch) | |
tree | 71aa517b1a975611cec3939e1187ac66264016dd /kubernetes/dmaap/components | |
parent | 08b973568127ca4cffbfdb86c3525a3a4addb188 (diff) | |
parent | e5b6ffc663a2314fd545aa540cbdee6380adf00b (diff) |
Merge "[DMAAP][MR] Retrieve certs automatically"
Diffstat (limited to 'kubernetes/dmaap/components')
14 files changed, 573 insertions, 79 deletions
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml index 343812db25..68c3169e68 100644 --- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml +++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml @@ -20,6 +20,9 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: certInitializer + version: ~8.x-0 + repository: '@local' - name: repositoryGenerator version: ~8.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/resources/config/cadi.properties b/kubernetes/dmaap/components/message-router/components/message-router-kafka/resources/config/cadi.properties deleted file mode 100644 index 2bee404c0b..0000000000 --- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/resources/config/cadi.properties +++ /dev/null @@ -1,18 +0,0 @@ -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 -aaf_env=DEV -aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm - -cadi_truststore=/etc/kafka/secrets/cert/org.onap.dmaap.mr.trust.jks -cadi_truststore_password=enc:mN6GiIzFQxKGDzAXDOs7b4j8DdIX02QrZ9QOWNRpxV3rD6whPCfizSMZkJwxi_FJ - -cadi_keyfile=/etc/kafka/secrets/cert/org.onap.dmaap.mr.keyfile - -cadi_alias=dmaapmr@mr.dmaap.onap.org -cadi_keystore=/etc/kafka/secrets/cert/org.onap.dmaap.mr.p12 -cadi_keystore_password=enc:_JJT2gAEkRzXla5xfDIHal8pIoIB5iIos3USvZQT6sL-l14LpI5fRFR_QIGUCh5W -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US - -cadi_loglevel=INFO -cadi_protocols=TLSv1.1,TLSv1.2 -cadi_latitude=37.78187 -cadi_longitude=-122.26147
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml index b5eed38e5d..d881fef128 100644 --- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml +++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml @@ -18,19 +18,6 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-cadi-prop-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/cadi.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: name: {{ include "common.fullname" . }}-jaas-configmap namespace: {{ include "common.namespace" . }} labels: @@ -57,7 +44,6 @@ data: {{ tpl (.Files.Glob "resources/jaas/zk_client_jaas.conf").AsConfig . | indent 2 }} --- {{- end }} - {{- if .Values.prometheus.jmx.enabled }} apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml index 1eabe3aad6..62a25e67d8 100644 --- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml @@ -97,6 +97,7 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config + {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} containers: {{- if .Values.prometheus.jmx.enabled }} - name: prometheus-jmx-exporter @@ -129,6 +130,7 @@ spec: - | export KAFKA_BROKER_ID=${HOSTNAME##*-} && \ {{- if .Values.global.aafEnabled }} + cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.final_cadi_files }} /etc/kafka/data/{{ .Values.certInitializer.final_cadi_files }} && \ export KAFKA_ADVERTISED_LISTENERS=EXTERNAL_SASL_PLAINTEXT://$(HOST_IP):$(( $KAFKA_BROKER_ID + {{ .Values.service.baseNodePort }} )),INTERNAL_SASL_PLAINTEXT://:{{ .Values.service.internalPort }} && \ {{ else }} export KAFKA_ADVERTISED_LISTENERS=EXTERNAL_PLAINTEXT://$(HOST_IP):$(( $KAFKA_BROKER_ID + {{ .Values.service.baseNodePort }} )),INTERNAL_PLAINTEXT://:{{ .Values.service.internalPort }} && \ @@ -143,7 +145,7 @@ spec: - containerPort: {{ .Values.jmx.port }} name: jmx {{- end }} - {{ if eq .Values.liveness.enabled true }} + {{ if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: port: {{ .Values.service.internalPort }} @@ -167,8 +169,6 @@ spec: value: {{ include "common.release" . }}-{{.Values.zookeeper.name}}-0.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-1.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-2.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}} - name: KAFKA_CONFLUENT_SUPPORT_METRICS_ENABLE value: "{{ .Values.kafka.enableSupport }}" - - name: KAFKA_OPTS - value: "{{ .Values.kafka.jaasOptions }}" {{- if .Values.global.aafEnabled }} - name: KAFKA_OPTS value: "{{ .Values.kafka.jaasOptionsAaf }}" @@ -206,17 +206,12 @@ spec: {{- end }} - name: enableCadi value: "{{ .Values.global.aafEnabled }}" - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /var/run/docker.sock name: docker-socket - {{- if .Values.global.aafEnabled }} - - mountPath: /etc/kafka/data/cadi.properties - subPath: cadi.properties - name: cadi - {{ end }} - name: jaas-config mountPath: /etc/kafka/secrets/jaas - mountPath: /var/lib/kafka/data @@ -225,7 +220,7 @@ spec: tolerations: {{ toYaml .Values.tolerations | indent 10 }} {{- end }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: localtime hostPath: path: /etc/localtime @@ -243,11 +238,11 @@ spec: - name: jaas configMap: name: {{ include "common.fullname" . }}-jaas-configmap - {{- if .Values.prometheus.jmx.enabled }} + {{- if .Values.prometheus.jmx.enabled }} - name: jmx-config configMap: name: {{ include "common.fullname" . }}-prometheus-configmap - {{- end }} + {{- end }} {{ if not .Values.persistence.enabled }} - name: kafka-data emptyDir: {} diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml index 6c3cbc385a..fa3218b6a8 100644 --- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml +++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml @@ -20,6 +20,35 @@ global: nodePortPrefix: 302 persistence: {} + +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: dmaap-mr-kafka-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: dmaap-mr + fqi: dmaapmr@mr.dmaap.onap.org + public_fqdn: mr.dmaap.onap.org + cadi_longitude: "-122.26147" + cadi_latitude: "37.78187" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + fqi_namespace: org.onap.dmaap.mr + final_cadi_files: cadi.properties + aaf_add_config: | + echo "*** concat the three prop files" + cd {{ .Values.credsPath }} + cat {{ .Values.fqi_namespace }}.props > {{ .Values.final_cadi_files }} + cat {{ .Values.fqi_namespace }}.cred.props >> {{ .Values.final_cadi_files }} + cat {{ .Values.fqi_namespace }}.location.props >> {{ .Values.final_cadi_files }} + echo "*** configuration result:" + cat {{ .Values.final_cadi_files }} + chown -R 1000 . + + ################################################################# # Application configuration defaults. ################################################################# diff --git a/kubernetes/dmaap/components/message-router/requirements.yaml b/kubernetes/dmaap/components/message-router/requirements.yaml index fd0ae68849..5adbb623bd 100644 --- a/kubernetes/dmaap/components/message-router/requirements.yaml +++ b/kubernetes/dmaap/components/message-router/requirements.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,6 +21,9 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: certInitializer + version: ~8.x-0 + repository: '@local' - name: repositoryGenerator version: ~8.x-0 repository: '@local' diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/cadi.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/cadi.properties deleted file mode 100755 index dca56c823d..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/cadi.properties +++ /dev/null @@ -1,19 +0,0 @@ -aaf_locate_url=https://aaf-locate.{{ include "common.namespace" . }}:8095 -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 -aaf_env=DEV -aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm - -cadi_truststore=/appl/dmaapMR1/etc/org.onap.dmaap.mr.trust.jks -cadi_truststore_password=enc:mN6GiIzFQxKGDzAXDOs7b4j8DdIX02QrZ9QOWNRpxV3rD6whPCfizSMZkJwxi_FJ - -cadi_keyfile=/appl/dmaapMR1/etc/org.onap.dmaap.mr.keyfile - -cadi_alias=dmaapmr@mr.dmaap.onap.org -cadi_keystore=/appl/dmaapMR1/etc/org.onap.dmaap.mr.p12 -cadi_keystore_password=enc:_JJT2gAEkRzXla5xfDIHal8pIoIB5iIos3USvZQT6sL-l14LpI5fRFR_QIGUCh5W -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US - -cadi_loglevel=INFO -cadi_protocols=TLSv1.1,TLSv1.2 -cadi_latitude=37.78187 -cadi_longitude=-122.26147
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties new file mode 100644 index 0000000000..cd88565ed0 --- /dev/null +++ b/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties @@ -0,0 +1,165 @@ +############################################################################### +# ============LICENSE_START======================================================= +# org.onap.dmaap +# ================================================================================ +# Copyright (c) 2017-201 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2021 Orange Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# +# ECOMP is a trademark and service mark of AT&T Intellectual Property. +# +############################################################################### +#This file is used for defining AJSC system properties for different configuration schemes and is necessary for the AJSC to run properly. +#The sys-props.properties file is used for running locally. The template.sys-props.properties file will be used when deployed +#to a SOA/CSI Cloud node. For more information, + +#AJSC System Properties. The following properties are required for ALL AJSC services. If you are adding System Properties for your +#particular service, please add them AFTER all AJSC related System Properties. + +#For Cadi Authorization, use value="authentication-scheme-1 +CadiAuthN=authentication-scheme-1 + +#For Basic Authorization, use value="authentication-scheme-1 +authN=authentication-scheme-2 + +#Persistence used for AJSC meta-data storage. For most environments, "file" should be used. +ajscPersistence=file + +# If using hawtio for local development, these properties will allow for faster server startup and usage for local development +hawtio.authenticationEnabled=false +hawtio.config.pullOnStartup=false + +#Removes the extraneous restlet console output +org.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade + +#server.host property to be enabled for local DME2 related testing +#server.host=<Your network IP address> + +#Enable/disable SSL (values=true/false). This property also determines which protocol to use (https if true, http otherwise), to register services into GRM through DME2. +enableSSL=false + +#Enable/disable csi logging (values=true/false). This can be disabled during local development +csiEnable=false + +#Enable/disable CAET This can be disabled during local development +isCAETEnable=true + +#Enable/disable EJB Container +ENABLE_EJB=false + +#Enable/disable OSGI +isOSGIEnable=false + +#Configure JMS Queue (WMQ/TIBCO) +JMS_BROKER=WMQ + +#Generate/Skip api docs +isApiDoc=false + + +#WMQ connectivity +JMS_WMQ_PROVIDER_URL=aftdsc://AFTUAT/34.07/-84.28 +JMS_WMQ_CONNECTION_FACTORY_NAME=aftdsc://AFTUAT/?service=CSILOG,version=1.0,bindingType=fusionBus,envContext=Q,Q30A=YES +JMS_WMQ_INITIAL_CONNECTION_FACTORY_NAME=com.att.aft.jms.FusionCtxFactory +JMS_WMQ_AUDIT_DESTINATION_NAME=queue:///CSILOGQL.M2E.DASHBOARD01.NOT.Q30A +JMS_WMQ_PERF_DESTINATION_NAME=queue:///CSILOGQL.M2E.PERFORMANCE01.NOT.Q30A + +#CSI related variables for CSM framework +csm.hostname=d1a-m2e-q112m2e1.edc.cingular.net + +#Enable/disable endpoint level logging (values=true/false). This can be disabled during local development +endpointLogging=false + +#Enable/disable trail logging and trail logging summary +enableTrailLogging=false +enableTrailLoggingSummary=false + +#SOA_CLOUD_ENV is used to register your service with dme2 and can be turned off for local development (values=true/false). +SOA_CLOUD_ENV=false + +#CONTINUE_ON_LISTENER_EXCEPTION will exit the application if there is a DME2 exception at the time of registration. +CONTINUE_ON_LISTENER_EXCEPTION=false + +#Jetty Container ThreadCount Configuration Variables +AJSC_JETTY_ThreadCount_MIN=1 +AJSC_JETTY_ThreadCount_MAX=200 +AJSC_JETTY_IDLETIME_MAX=3000 + +#Camel Context level default threadPool Profile configuration +CAMEL_POOL_SIZE=10 +CAMEL_MAX_POOL_SIZE=20 +CAMEL_KEEP_ALIVE_TIME=60 +CAMEL_MAX_QUEUE_SIZE=1000 + +#File Monitor configurations +ssf_filemonitor_polling_interval=5 +ssf_filemonitor_threadpool_size=10 + +#GRM/DME2 System Properties +AFT_DME2_CONN_IDLE_TIMEOUTMS=5000 +AJSC_ENV=SOACLOUD + +SOACLOUD_NAMESPACE=org.onap.dmaap.dev +SOACLOUD_ENV_CONTEXT=TEST +SOACLOUD_PROTOCOL=http +SOACLOUD_ROUTE_OFFER=DEFAULT + +AFT_LATITUDE=23.4 +AFT_LONGITUDE=33.6 +AFT_ENVIRONMENT=AFTUAT + +#Restlet Component Default Properties +RESTLET_COMPONENT_CONTROLLER_DAEMON=true +RESTLET_COMPONENT_CONTROLLER_SLEEP_TIME_MS=100 +RESTLET_COMPONENT_INBOUND_BUFFER_SIZE=8192 +RESTLET_COMPONENT_MIN_THREADS=1 +RESTLET_COMPONENT_MAX_THREADS=10 +RESTLET_COMPONENT_LOW_THREADS=8 +RESTLET_COMPONENT_MAX_QUEUED=0 +RESTLET_COMPONENT_MAX_CONNECTIONS_PER_HOST=-1 +RESTLET_COMPONENT_MAX_TOTAL_CONNECTIONS=-1 +RESTLET_COMPONENT_OUTBOUND_BUFFER_SIZE=8192 +RESTLET_COMPONENT_PERSISTING_CONNECTIONS=true +RESTLET_COMPONENT_PIPELINING_CONNECTIONS=false +RESTLET_COMPONENT_THREAD_MAX_IDLE_TIME_MS=60000 +RESTLET_COMPONENT_USE_FORWARDED_HEADER=false +RESTLET_COMPONENT_REUSE_ADDRESS=true + +#Externalized jar and properties file location. In CSI environments, there are a few libs that have been externalized to aid +#in CSTEM maintenance of the versions of these libs. The most important to the AJSC is the DME2 lib. Not only is this lib necessary +#for proper registration of your AJSC service on a node, but it is also necessary for running locally as well. Another framework +#used in CSI envs is the CSM framework. These 2 framework libs are shown as "provided" dependencies within the pom.xml. These +#dependencies will be copied into the target/commonLibs folder with the normal "mvn clean package" goal of the AJSC. They will +#then be added to the classpath via AJSC_EXTERNAL_LIB_FOLDERS system property. Any files (mainly property files) that need +#to be on the classpath should be added to the AJSC_EXTERNAL_PROPERTIES_FOLDERS system property. The default scenario when +#testing your AJSC service locally will utilize the target/commonLibs directory for DME2 and CSM related artifacts and 2 +#default csm properties files will be used for local testing with anything CSM knorelated. +#NOTE: we are using maven-replacer-plugin to replace "(doubleUnderscore)basedir(doubleUnderscore)" with ${basedir} within the +#target directory for running locally. Multiple folder locations can be separated by the pipe ("|") character. +#Please, NOTE: for running locally, we are setting this system property in the antBuild/build.xml "runLocal" target and in the +#"runAjsc" profile within the pom.xml. This is to most effectively use maven variables (${basedir}, most specifically. Therefore, +#when running locally, the following 2 properties should be set within the profile(s) themselves. +#Example: target/commonLibs|target/otherLibs +#AJSC_EXTERNAL_LIB_FOLDERS=__basedir__/target/commonLibs +#AJSC_EXTERNAL_PROPERTIES_FOLDERS=__basedir__/ajsc-shared-config/etc +#End of AJSC System Properties + +#Service System Properties. Please, place any Service related System Properties below. + +#msgrtr content length and error message +#100mb +maxcontentlength=10000 +msg_size_exceeds=Message size exceeds the default size. +forceAAF=false +cadi_prop_files={{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.properties
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml new file mode 100644 index 0000000000..49196e441b --- /dev/null +++ b/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml @@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- {{/* + ============LICENSE_START======================================================= + org.onap.dmaap + ================================================================================ + Copyright © 2017-2021 AT&T Intellectual Property. All rights reserved. + Copyright © 2021 Orange Intellectual Property. All rights reserved. + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + ============LICENSE_END========================================================= + ECOMP is a trademark and service mark of AT&T Intellectual Property. +*/}} +--> + +<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd"> +<Configure id="ajsc-server" class="org.eclipse.jetty.server.Server"> + <!-- DO NOT REMOVE!!!! This is setting up the AJSC Context --> + <New id="ajscContext" class="org.eclipse.jetty.webapp.WebAppContext"> + <Set name="contextPath"><SystemProperty name="AJSC_CONTEXT_PATH" /></Set> + <Set name="extractWAR">true</Set> + <Set name="tempDirectory"><SystemProperty name="AJSC_TEMP_DIR" /></Set> + <Set name="war"><SystemProperty name="AJSC_WAR_PATH" /></Set> + <Set name="descriptor"><SystemProperty name="AJSC_HOME" />/etc/runner-web.xml</Set> + <Set name="overrideDescriptor"><SystemProperty name="AJSC_HOME" />/etc/ajsc-override-web.xml</Set> + <Set name="throwUnavailableOnStartupException">true</Set> + <Set name="extraClasspath"><SystemProperty name="AJSC_HOME" />/extJars/json-20131018.jar</Set> + <Set name="servletHandler"> + <New class="org.eclipse.jetty.servlet.ServletHandler"> + <Set name="startWithUnavailable">false</Set> + </New> + </Set> + </New> + + <Set name="handler"> + <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"> + <Set name="Handlers"> + <Array type="org.eclipse.jetty.webapp.WebAppContext"> + <Item> + <Ref refid="ajscContext" /> + </Item> + </Array> + </Set> + </New> + </Set> + + <Call name="addBean"> + <Arg> + <New id="DeploymentManager" class="org.eclipse.jetty.deploy.DeploymentManager"> + <Set name="contexts"> + <Ref refid="Contexts" /> + </Set> + <Call id="extAppHotDeployProvider" name="addAppProvider"> + <Arg> + <New class="org.eclipse.jetty.deploy.providers.WebAppProvider"> + <Set name="monitoredDirName"><SystemProperty name="AJSC_HOME" />/extApps</Set> + <Set name="scanInterval">10</Set> + <Set name="extractWars">true</Set> + </New> + </Arg> + </Call> + </New> + </Arg> + </Call> + + <Call name="addConnector"> + <Arg> + <New class="org.eclipse.jetty.server.ServerConnector"> + <Arg name="server"> + <Ref refid="ajsc-server" /> + </Arg> + <Set name="port"><SystemProperty name="AJSC_HTTP_PORT" default="8080" /></Set> + </New> + </Arg> + </Call> + + + <!-- SSL Keystore configuration --> + + <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> + <Set name="KeyStorePath">{{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.jks</Set> + <Set name="KeyStorePassword">${KEYSTORE_PASSWORD}</Set> + <Set name="KeyManagerPassword">${KEYSTORE_PASSWORD}</Set> + <Set name="WantClientAuth">true</Set> + </New> + <Call id="sslConnector" name="addConnector"> + <Arg> + <New class="org.eclipse.jetty.server.ServerConnector"> + <Arg name="server"> + <Ref refid="ajsc-server" /> + </Arg> + <Arg name="factories"> + <Array type="org.eclipse.jetty.server.ConnectionFactory"> + <Item> + <New class="org.eclipse.jetty.server.SslConnectionFactory"> + <Arg name="next">http/1.1</Arg> + <Arg name="sslContextFactory"> + <Ref refid="sslContextFactory" /> + </Arg> + </New> + </Item> + <Item> + <New class="org.eclipse.jetty.server.HttpConnectionFactory"> + <Arg name="config"> + <New class="org.eclipse.jetty.server.HttpConfiguration"> + <Call name="addCustomizer"> + <Arg> + <New class="org.eclipse.jetty.server.SecureRequestCustomizer" /> + </Arg> + </Call> + </New> + </Arg> + </New> + </Item> + </Array> + </Arg> + <Set name="port"><SystemProperty name="AJSC_HTTPS_PORT" default="0" /></Set> + <Set name="idleTimeout">30000</Set> + </New> + </Arg> + </Call> + + + <Get name="ThreadPool"> + <Set name="minThreads"><SystemProperty name="AJSC_JETTY_ThreadCount_MIN" /></Set> + <Set name="maxThreads"><SystemProperty name="AJSC_JETTY_ThreadCount_MAX" /></Set> + <Set name="idleTimeout"><SystemProperty name="AJSC_JETTY_IDLETIME_MAX" /></Set> + <Set name="detailedDump">false</Set> + </Get> + +</Configure> diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties b/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties new file mode 100644 index 0000000000..596a316d77 --- /dev/null +++ b/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties @@ -0,0 +1,19 @@ +aaf_locate_url=https://aaf-locate.onap:8095 +aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 +aaf_env=DEV +aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm + +cadi_truststore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +cadi_truststore_password=${TRUSTSTORE_PASSWORD} + +cadi_keyfile={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.keyfile + +cadi_alias={{ .Values.certInitializer.fqi }} +cadi_keystore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.p12 +cadi_keystore_password=${KEYSTORE_PASSWORD_P12} +cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US + +cadi_loglevel=INFO +cadi_protocols=TLSv1.1,TLSv1.2 +cadi_latitude=37.78187 +cadi_longitude=-122.26147 diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml new file mode 100644 index 0000000000..116c52499f --- /dev/null +++ b/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml @@ -0,0 +1,108 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!--{{/* + ============LICENSE_START======================================================= + org.onap.dmaap + ================================================================================ + Copyright c 2017 AT&T Intellectual Property. All rights reserved. + Copyright c 2021 Orange Intellectual Property. All rights reserved. + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + ============LICENSE_END========================================================= + + ECOMP is a trademark and service mark of AT&T Intellectual Property.*/}} +--> +<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" metadata-complete="false" version="3.0"> + + <context-param> + <param-name>contextConfigLocation</param-name> + <param-value>/WEB-INF/spring-servlet.xml, + classpath:applicationContext.xml +</param-value> + </context-param> + + <context-param> + <param-name>spring.profiles.default</param-name> + <param-value>nooauth</param-value> + </context-param> + + <listener> + <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> + </listener> + + <servlet> + <servlet-name>ManagementServlet</servlet-name> + <servlet-class>ajsc.ManagementServlet</servlet-class> + </servlet> + + <filter> + <filter-name>WriteableRequestFilter</filter-name> + <filter-class>com.att.ajsc.csi.writeablerequestfilter.WriteableRequestFilter</filter-class> + </filter> + + <filter> + <filter-name>InterceptorFilter</filter-name> + <filter-class>ajsc.filters.InterceptorFilter</filter-class> + <init-param> + <param-name>preProcessor_interceptor_config_file</param-name> + <param-value>/etc/PreProcessorInterceptors.properties</param-value> + </init-param> + <init-param> + <param-name>postProcessor_interceptor_config_file</param-name> + <param-value>/etc/PostProcessorInterceptors.properties</param-value> + </init-param> + + </filter> + + <!-- Content length filter for Msgrtr --> + <filter> + <display-name>DMaaPAuthFilter</display-name> + <filter-name>DMaaPAuthFilter</filter-name> + <filter-class>org.onap.dmaap.util.DMaaPAuthFilter</filter-class> + <init-param> + <param-name>cadi_prop_files</param-name> + <param-value>{{.Values.certInitializer.appMountPath}}/local/cadi.properties</param-value> + </init-param> + </filter> + + <!-- End Content length filter for Msgrtr --> + <servlet> + <servlet-name>RestletServlet</servlet-name> + <servlet-class>ajsc.restlet.RestletSpringServlet</servlet-class> + <init-param> + <param-name>org.restlet.component</param-name> + <param-value>restletComponent</param-value> + </init-param> + </servlet> + + <servlet> + <servlet-name>CamelServlet</servlet-name> + <servlet-class>ajsc.servlet.AjscCamelServlet</servlet-class> + </servlet> + + + <filter> + <filter-name>springSecurityFilterChain</filter-name> + <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> + </filter> + + <servlet> + <servlet-name>spring</servlet-name> + <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> + <load-on-startup>1</load-on-startup> + </servlet> + + <servlet-mapping> + <servlet-name>spring</servlet-name> + <url-pattern>/</url-pattern> + </servlet-mapping> + +</web-app> diff --git a/kubernetes/dmaap/components/message-router/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/templates/configmap.yaml index a253c512eb..75a5e22d40 100644 --- a/kubernetes/dmaap/components/message-router/templates/configmap.yaml +++ b/kubernetes/dmaap/components/message-router/templates/configmap.yaml @@ -30,7 +30,7 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-cadi-prop-configmap + name: {{ include "common.fullname" . }}-logback-xml-configmap namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -38,13 +38,12 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/dmaap/cadi.properties").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/dmaap/logback.xml").AsConfig . | indent 2 }} --- - apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-logback-xml-configmap + name: {{ include "common.fullname" . }}-etc namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -52,9 +51,8 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/dmaap/logback.xml").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/etc/*").AsConfig . | indent 2 }} --- - apiVersion: v1 kind: ConfigMap metadata: @@ -81,6 +79,19 @@ metadata: data: {{ tpl (.Files.Glob "resources/topics/*.json").AsConfig . | indent 2 }} --- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-sys-props + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/dmaap/sys-props.properties").AsConfig . | indent 2 }} +--- {{- if .Values.prometheus.jmx.enabled }} apiVersion: v1 kind: ConfigMap @@ -96,5 +107,3 @@ data: {{ tpl (.Files.Glob "resources/config/dmaap/jmx-mrservice-prometheus.yml").AsConfig . | indent 2 }} --- {{ end }} - - diff --git a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml index e936ed2fb6..706fe298bd 100644 --- a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml @@ -42,6 +42,24 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} + {{- if .Values.global.aafEnabled }} + - name: {{ include "common.name" . }}-update-config + command: + - sh + args: + - -c + - | + export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0); + cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config + name: jetty + - mountPath: /config-input + name: etc + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: {{- if .Values.prometheus.jmx.enabled }} - name: prometheus-jmx-exporter @@ -67,6 +85,16 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + cp /jetty-config/ajsc-jetty.xml /appl/dmaapMR1/etc/ + cp /jetty-config/cadi.properties {{ .Values.certInitializer.appMountPath }}/local/cadi.properties + /bin/sh /appl/startup.sh + {{- end }} ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: @@ -85,7 +113,7 @@ spec: env: - name: enableCadi value: "{{ .Values.global.aafEnabled }}" - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -95,26 +123,31 @@ spec: - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml subPath: logback.xml name: logback - - mountPath: /appl/dmaapMR1/etc/cadi.properties - subPath: cadi.properties - name: cadi - mountPath: /appl/dmaapMR1/etc/keyfile subPath: mykey name: mykey + - mountPath: /appl/dmaapMR1/etc/runner-web.xml + subPath: runner-web.xml + name: etc + - mountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops/sys-props.properties + subPath: sys-props.properties + name: sys-props + - mountPath: /jetty-config + name: jetty resources: {{ include "common.resources" . | nindent 12 }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime - name: appprops configMap: name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap + - name: etc + configMap: + name: {{ include "common.fullname" . }}-etc - name: logback configMap: name: {{ include "common.fullname" . }}-logback-xml-configmap - - name: cadi - configMap: - name: {{ include "common.fullname" . }}-cadi-prop-configmap {{- if .Values.prometheus.jmx.enabled }} - name: jmx-config configMap: @@ -123,5 +156,10 @@ spec: - name: mykey secret: secretName: {{ include "common.fullname" . }}-secret + - name: sys-props + configMap: + name: {{ include "common.fullname" . }}-sys-props + - name: jetty + emptyDir: {} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml index c4bab2350a..daca6215f7 100644 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ b/kubernetes/dmaap/components/message-router/values.yaml @@ -19,6 +19,43 @@ global: nodePortPrefix: 302 + +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: dmaap-mr-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: dmaap-mr + fqi: dmaapmr@mr.dmaap.onap.org + public_fqdn: mr.dmaap.onap.org + cadi_longitude: "-122.26147" + cadi_latitude: "37.78187" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + appMountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops + fqi_namespace: org.onap.dmaap.mr + aaf_add_config: | + cd {{ .Values.credsPath }} + echo "*** change jks password into shell safe one" + export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ + -storepass "${cadi_keystore_password_jks}" \ + -keystore {{ .Values.fqi_namespace }}.jks + echo "*** set key password as same password as jks keystore password" + keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ + -keystore {{ .Values.fqi_namespace }}.jks \ + -keypass "${cadi_keystore_password_jks}" \ + -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} + echo "*** store the passwords" + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop + echo "KEYSTORE_PASSWORD_P12=${cadi_keystore_password_p12}" >> mycreds.prop + echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> mycreds.prop + echo "*** give ownership of files to the user" + chown -R 1000 . + ################################################################# # Application configuration defaults. ################################################################# |