diff options
author | amatthews <adrian.matthews@est.tech> | 2022-08-18 15:31:12 +0100 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2022-10-24 13:39:32 +0000 |
commit | 379daacca80d748ea9fee3c4185c828a9559b509 (patch) | |
tree | 91591b52e8402e61821e811f5973548deab060ef /kubernetes/oof/components | |
parent | 702d68ae02195cbe56ab5f5cd61bddc816880076 (diff) |
[OOF] Service Mesh Compliance for OOF
Updating basic requirements for Service Mesh Compliance within OOF.
Removed AAF dependencies in OOF deployments.
Resolved merge conflict for oof-has/resources/conflict/conductor.conf for DCAE
Issue-ID: OOM-2253
Change-Id: I660085ca94db723e4880dfa67aa31b604e712d15
Signed-off-by: amatthews <adrian.matthews@est.tech>
Diffstat (limited to 'kubernetes/oof/components')
10 files changed, 65 insertions, 13 deletions
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml index 3ed20ba8a6..4e38c830f0 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml @@ -44,8 +44,10 @@ spec: args: - --container-name - oof-has-controller + {{- if (include "common.needTLS" .) }} - --container-name - aaf-service + {{- end }} env: - name: NAMESPACE valueFrom: @@ -55,6 +57,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-has-sms-readiness command: - sh @@ -73,6 +76,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} {{ include "common.certInitializer.initContainer" . | indent 6 }} containers: @@ -108,9 +112,11 @@ spec: - mountPath: /usr/local/bin/log.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: log.conf + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} - name: {{ include "common.name" . }}-nginx @@ -121,8 +127,10 @@ spec: args: - "-c" - | + {{- if (include "common.needTLS" .) }} grep -v '^$' /opt/bitnami/nginx/ssl/local/org.onap.oof.crt > /tmp/oof.crt cat /tmp/oof.crt /tmp/intermediate_root_ca.pem /tmp/AAF_RootCA.cer >> /opt/bitnami/nginx/org.onap.oof.crt + {{- end }} /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh ports: - containerPort: {{ .Values.service.internalPort }} @@ -146,12 +154,14 @@ spec: - mountPath: /opt/bitnami/nginx/conf/nginx.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: nginx.conf + {{- if (include "common.needTLS" .) }} - mountPath: /tmp/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer - mountPath: /tmp/intermediate_root_ca.pem name: {{ include "common.fullname" . }}-onap-certs subPath: intermediate_root_ca.pem + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -178,6 +188,8 @@ spec: path: conductor.conf - key: log.conf path: log.conf +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml index 751545ebef..f13e7cea9b 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml @@ -32,11 +32,11 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.externalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- else -}} - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- end}} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml index e4e843ac3e..c850cb7752 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml @@ -45,7 +45,7 @@ service: externalPort: 8091 internalPort: 8091 nodePort: 75 - portName: oof-has-api + portName: http #backend container info uwsgi: diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml index 55bb4f620d..92be670db6 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml @@ -43,8 +43,10 @@ spec: args: - --job-name - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job + {{- if (include "common.needTLS" .) }} - --container-name - aaf-sms + {{- end }} env: - name: NAMESPACE valueFrom: @@ -54,6 +56,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-cont-sms-readiness command: - sh @@ -72,6 +75,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} @@ -113,9 +117,11 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -141,6 +147,8 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml index 4f58ec3b94..72ecd7db2d 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml @@ -52,6 +52,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-data-sms-readiness command: - sh @@ -70,6 +71,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} @@ -112,6 +114,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/aai_cert.cer name: {{ .Values.global.commonConfigPrefix }}-config subPath: aai_cert.cer @@ -121,6 +124,7 @@ spec: - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -146,10 +150,14 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh + {{- if (include "common.needTLS" .) }} - key: aai_cert.cer path: aai_cert.cer - key: aai_key.key path: aai_key.key + {{- end }} +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml index f8755ea66b..b90a6f6e89 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml @@ -52,6 +52,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-resrv-sms-readiness command: - sh @@ -70,6 +71,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} @@ -112,9 +114,11 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -140,6 +144,8 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml index 154bc78e41..4499d9806e 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml @@ -52,6 +52,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-solvr-sms-readiness command: - sh @@ -70,6 +71,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} @@ -112,9 +114,11 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -140,6 +144,8 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/resources/config/conductor.conf b/kubernetes/oof/components/oof-has/resources/config/conductor.conf index 78553d73af..d650808036 100755 --- a/kubernetes/oof/components/oof-has/resources/config/conductor.conf +++ b/kubernetes/oof/components/oof-has/resources/config/conductor.conf @@ -159,13 +159,13 @@ appkey = "" # # is_aaf_enabled. (boolean value) -is_aaf_enabled = true +is_aaf_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} # aaf_cache_expiry_hrs. (integer value) aaf_cache_expiry_hrs = 3 # aaf_url. (string value) -aaf_url = https://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}}/authz/perms/user/ +aaf_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}}/authz/perms/user/ # aaf_cert_file. (string value) #aaf_cert_file = <None> @@ -175,7 +175,7 @@ aaf_url = https://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}} # aaf_ca_bundle_file. (string value) #aaf_ca_bundle_file = -aaf_ca_bundle_file = /usr/local/bin/AAF_RootCA.cer +aaf_ca_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # aaf_retries. (integer value) #aaf_retries = 3 @@ -193,9 +193,12 @@ aaf_ca_bundle_file = /usr/local/bin/AAF_RootCA.cer # From conductor # +# is_enabled. (boolean value) +is_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + # Base URL for SMS, up to and not including the version, and without a trailing # slash. (string value) -aaf_sms_url = https://{{.Values.config.sms.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sms.port}} +aaf_sms_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sms.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sms.port}} # Timeout for SMS API Call (integer value) @@ -231,7 +234,8 @@ complex_cache_refresh_interval = 60 # Base URL for A&AI, up to and not including the version, and without a # trailing slash. (string value) -server_url = https://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai +#server_url = https://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai +server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aai.port .Values.config.aai.plainPort }}/aai # Timeout for A&AI Rest Call (string value) #aai_rest_timeout = 30 @@ -252,7 +256,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for AAI. (string value) username = OOF @@ -676,7 +680,8 @@ concurrent = true # Base URL for SDC, up to and not including the version, and without a # trailing slash. (string value) #server_url = https://controller:8443/sdc -server_url = https://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc +#server_url = https://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc +server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdc.port .Values.config.sdc.plainPort }}/sdc # Timeout for SDC Rest Call (string value) #sdc_rest_timeout = 30 @@ -699,7 +704,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for SDC. (string value) #username = @@ -744,7 +749,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for CPS. (string value) #username = @@ -788,7 +793,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for DCAE. (string value) #username = diff --git a/kubernetes/oof/components/oof-has/resources/config/nginx.conf b/kubernetes/oof/components/oof-has/resources/config/nginx.conf index cbb1b60a58..9272e8581c 100644 --- a/kubernetes/oof/components/oof-has/resources/config/nginx.conf +++ b/kubernetes/oof/components/oof-has/resources/config/nginx.conf @@ -11,12 +11,17 @@ http { server { +{{ if (include "common.needTLS" .) }} listen 8091 ssl; server_name oof; ssl_certificate /opt/bitnami/nginx/org.onap.oof.crt; ssl_certificate_key /opt/bitnami/nginx/ssl/local/org.onap.oof.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; +{{ else }} + listen 8091; + server_name oof; +{{ end }} location / { include /opt/bitnami/nginx/conf/uwsgi_params; diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml index 733b9209b5..0c5397c5a8 100755 --- a/kubernetes/oof/components/oof-has/values.yaml +++ b/kubernetes/oof/components/oof-has/values.yaml @@ -56,6 +56,7 @@ config: aai: serviceName: aai port: 8443 + plainPort: 80 msb: serviceName: msb-iag port: 80 @@ -68,6 +69,7 @@ config: sdc: serviceName: sdc-be port: 8443 + plainPort: 8080 cps: service: cps-tbdmt port: 8080 |