aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/portal
diff options
context:
space:
mode:
authorChrisC <christophe.closset@intl.att.com>2020-02-19 09:45:54 +0100
committerChrisC <christophe.closset@intl.att.com>2020-03-05 12:03:38 +0100
commit4993144c1f74bb4089fb83865d5a67120e2152b7 (patch)
tree2812d0c4b01453e75ec206ad552e0051b5ee5d38 /kubernetes/portal
parentb679d7bfa1ff3bdba9d70fee6beecdbf9f45d015 (diff)
HTTPS/AAF auto cert gen for Portal SDK
integrate portal-sdk with AAF agent init container. add pv to store init-container certs generated at startup. add aafEnabled flag to switch on/off aaf integration. modify tomcat startup to load p12 and enable HTTPS based on flag. Issue-ID: PORTAL-261 Signed-off-by: ChrisC <christophe.closset@intl.att.com> Change-Id: Ia2b05b8661bf9e0c03a60467212e80d1c9d02bac
Diffstat (limited to 'kubernetes/portal')
-rwxr-xr-xkubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties11
-rw-r--r--kubernetes/portal/charts/portal-sdk/resources/server/server.xml155
-rw-r--r--kubernetes/portal/charts/portal-sdk/templates/configmap.yaml1
-rw-r--r--kubernetes/portal/charts/portal-sdk/templates/deployment.yaml83
-rw-r--r--kubernetes/portal/charts/portal-sdk/templates/secrets.yaml15
-rw-r--r--kubernetes/portal/charts/portal-sdk/values.yaml43
6 files changed, 298 insertions, 10 deletions
diff --git a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
index 3bbb1a7f9b..063ba3d122 100755
--- a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
+++ b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
@@ -81,3 +81,14 @@ authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-co
#cookie domain
cookie_domain = onap.org
+
+{{- if .Values.global.aafEnabled }}
+# External Access System Basic Auth Credentials & Rest endpoint(These credentials doesn't work as these are place holders for now)
+ext_central_access_user_name = aaf_admin@people.osaaf.org
+ext_central_access_password = thiswillbereplacedatruntime
+ext_central_access_url = {{ .Values.aafURL }}/authz/
+ext_central_access_user_domain = @people.osaaf.org
+
+# External Central Auth system access
+remote_centralized_system_access = true
+{{- end }} \ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-sdk/resources/server/server.xml b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml
new file mode 100644
index 0000000000..506a1ca4cd
--- /dev/null
+++ b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml
@@ -0,0 +1,155 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ Modifications to this file for use in ONAP are also subject to the Apache-2.0 license.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+ <Listener className="org.apache.catalina.startup.VersionLoggerListener" logArgs="false"/>
+ <!-- Security listener. Documentation at /docs/config/listeners.html
+ <Listener className="org.apache.catalina.security.SecurityListener" />
+ -->
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+ <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+ -->
+ <Connector port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ {{ if .Values.global.aafEnabled }}
+ redirectPort="8443"
+ {{ end }}
+ />
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
+ This connector uses the NIO implementation that requires the JSSE
+ style configuration. When using the APR/native implementation, the
+ OpenSSL style configuration is required as described in the APR/native
+ documentation -->
+ <!--
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
+ {{ if .Values.global.aafEnabled }}
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+ keystoreFile="{{.Values.persistence.aafCredsPath}}/{{.Values.aafConfig.keystoreFile}}"
+ keystorePass="${javax.net.ssl.keyStorePassword}"
+ clientAuth="false" sslProtocol="TLS" />
+ {{ end }}
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+ <Connector port="8009" protocol="AJP/1.3"
+ {{ if .Values.global.aafEnabled }}
+ redirectPort="8443"
+ {{ end }}
+ />
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+ via a brute-force attack -->
+ <Realm className="org.apache.catalina.realm.LockOutRealm">
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ </Realm>
+
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html
+ Note: The pattern used is equivalent to using pattern="common" -->
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log" suffix=".txt"
+ pattern="%h %l %u %t &quot;%r&quot; %s %b" />
+ </Host>
+ </Engine>
+ </Service>
+</Server> \ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
index 51346197db..154276ea26 100644
--- a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
+++ b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
@@ -25,3 +25,4 @@ metadata:
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTALSDK/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }} \ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
index ccdd013cbc..09080fca94 100644
--- a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
+++ b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
@@ -1,5 +1,5 @@
# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2018,2020 AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -46,14 +46,75 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
+ {{- if .Values.global.aafEnabled }}
+ - name: {{ include "common.name" . }}-aaf-readiness
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - /root/ready.py
+ args:
+ - --container-name
+ - aaf-locate
+ - --container-name
+ - aaf-cm
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: {{ include "common.name" . }}-aaf-config
+ image: "{{ include "common.repository" . }}/{{ .Values.global.aafAgentImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["bash","-c"]
+ args: ["/opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.persistence.aafCredsPath }}/mycreds.prop"]
+ volumeMounts:
+ - mountPath: {{ .Values.persistence.aafCredsPath }}
+ name: {{ include "common.fullname" . }}-aaf-config-vol
+ env:
+ - name: APP_FQI
+ value: "{{ .Values.aafConfig.fqi }}"
+ - name: aaf_locate_url
+ value: "https://aaf-locate.{{ .Release.Namespace }}:8095"
+ - name: aaf_locator_container
+ value: "{{ .Values.global.aafLocatorContainer }}"
+ - name: aaf_locator_container_ns
+ value: "{{ .Release.Namespace }}"
+ - name: aaf_locator_fqdn
+ value: "{{ .Values.aafConfig.fqdn }}"
+ - name: aaf_locator_public_fqdn
+ value: "{{.Values.aafConfig.publicFqdn}}"
+ - name: aaf_locator_app_ns
+ value: "{{ .Values.global.aafAppNs }}"
+ - name: DEPLOY_FQI
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-deploy-creds" "key" "login") | indent 12 }}
+ - name: DEPLOY_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-deploy-creds" "key" "password") | indent 12 }}
+ - name: cadi_longitude
+ value: "{{ .Values.aafConfig.cadiLongitude }}"
+ - name: cadi_latitude
+ value: "{{ .Values.aafConfig.cadiLatitude }}"
+ {{ end }}
containers:
- name: {{ include "common.name" . }}
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- command:
- - /start-apache-tomcat.sh
- - -b
- - "{{ .Values.global.env.tomcatDir }}"
+ command: ["bash","-c"]
+ {{- if .Values.global.aafEnabled }}
+ args: ["export $(grep '^c' {{ .Values.persistence.aafCredsPath }}/mycreds.prop | xargs -0);\
+ export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \
+ -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\
+ cat /dev/null > {{ .Values.persistence.aafCredsPath }}/mycreds.prop;\
+ /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"]
+ env:
+ - name: _CATALINA_OPTS
+ value: >
+ -Djavax.net.ssl.keyStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.keystoreFile }}"
+ -Djavax.net.ssl.trustStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.truststoreFile }}"
+ {{- else }}
+ args: ["/start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"]
+ {{- end }}
ports:
- containerPort: {{ .Values.service.internalPort }}
{{- if eq .Values.liveness.enabled true }}
@@ -69,6 +130,13 @@ spec:
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
volumeMounts:
+ {{- if .Values.global.aafEnabled }}
+ - mountPath: {{ .Values.persistence.aafCredsPath }}
+ name: {{ include "common.fullname" . }}-aaf-config-vol
+ {{- end }}
+ - name: properties-onapportalsdk
+ mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml"
+ subPath: server.xml
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -129,5 +197,10 @@ spec:
emptyDir: {}
- name: portal-tomcat-logs
emptyDir: {}
+ {{- if .Values.global.aafEnabled }}
+ - name: {{ include "common.fullname" . }}-aaf-config-vol
+ emptyDir:
+ medium: Memory
+ {{- end }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml b/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml
new file mode 100644
index 0000000000..b79179bc6b
--- /dev/null
+++ b/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml
@@ -0,0 +1,15 @@
+# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/portal/charts/portal-sdk/values.yaml b/kubernetes/portal/charts/portal-sdk/values.yaml
index 8572ff83da..34c29b5be1 100644
--- a/kubernetes/portal/charts/portal-sdk/values.yaml
+++ b/kubernetes/portal/charts/portal-sdk/values.yaml
@@ -1,5 +1,5 @@
# Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2018, 2020 AT&T
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,15 +22,48 @@ global:
readinessImage: readiness-check:2.0.0
loggingRepository: docker.elastic.co
loggingImage: beats/filebeat:5.5.0
-
+ persistence: {}
+ #AAF global config overrides
+ aafEnabled: true
+ aafAgentImage: onap/aaf/aaf_agent:2.1.15
+ aafAppNs: org.osaaf.aaf
+ aafLocatorContainer: oom
#################################################################
# Application configuration defaults.
#################################################################
+secrets:
+ - uid: aaf-deploy-creds
+ type: basicAuth
+ externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}'
+ login: '{{ .Values.aafConfig.aafDeployFqi }}'
+ password: '{{ .Values.aafConfig.aafDeployPass }}'
+ passwordPolicy: required
+
+## Persist cert data to a memory volume
+persistence:
+ aafCredsPath: /opt/app/osaaf/local
+
# application image
repository: nexus3.onap.org:10001
image: onap/portal-sdk:2.6.0
pullPolicy: Always
+#AAF service
+aafURL: https://aaf-service:8100/
+aafLocateUrl: https://aaf-locate:8095
+
+#AAF local config
+aafConfig:
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ fqdn: portal
+ fqi: portal@portal.onap.org
+ publicFqdn: portal.onap.org
+ cadiLatitude: 0.0
+ cadiLongitude: 0.0
+ keystoreFile: "org.onap.portal.p12"
+ truststoreFile: "org.onap.portal.trust.jks"
+
# flag to enable debugging - application support required
debugEnabled: false
@@ -57,8 +90,8 @@ service:
type: NodePort
name: portal-sdk
portName: portal-sdk
- internalPort: 8080
- externalPort: 8080
+ internalPort: 8443
+ externalPort: 8443
nodePort: 12
mariadb:
@@ -85,7 +118,7 @@ ingress:
service:
- baseaddr: portalsdk
name: "portal-sdk"
- port: 8080
+ port: 8443
config:
ssl: "none"