author | st782s <statta@research.att.com> | 2018-09-28 17:56:29 -0400 |
---|---|---|
committer | st782s <statta@research.att.com> | 2018-09-28 17:56:29 -0400 |
commit | bd2c6126ce400ff0e17d1f64840e4ade0ba26fd9 (patch) | |
tree | 0a60b5027f625d28ad4edbc88c6aebcb585bce83 /kubernetes/portal | |
parent | 0d4b4b58b2e6d980bd659d512ea23bd79fc7e7eb (diff) |
Portal HTTPs support
Issue-ID: PORTAL-389
Change-Id: Ibdb91bcf1164d6c79312597416a0fa3214361f8f
Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'kubernetes/portal')
-rw-r--r-- | kubernetes/portal/charts/portal-app/resources/certs/keystoreONAP.keystore | bin | 0 -> 2228 bytes | |||
-rw-r--r-- | kubernetes/portal/charts/portal-app/resources/certs/truststoreONAPall.jks | bin | 0 -> 117990 bytes | |||
-rw-r--r-- | kubernetes/portal/charts/portal-app/resources/server/server.xml | 147 | ||||
-rw-r--r-- | kubernetes/portal/charts/portal-app/templates/configmap.yaml | 2 | ||||
-rw-r--r-- | kubernetes/portal/charts/portal-app/templates/deployment.yaml | 21 | ||||
-rw-r--r-- | kubernetes/portal/charts/portal-app/values.yaml | 3 | ||||
-rw-r--r-- | kubernetes/portal/values.yaml | 5 |
7 files changed, 175 insertions, 3 deletions
diff --git a/kubernetes/portal/charts/portal-app/resources/certs/keystoreONAP.keystore b/kubernetes/portal/charts/portal-app/resources/certs/keystoreONAP.keystore
Binary files differ
new file mode 100644
index 0000000000..ff0f0d76a4
--- /dev/null
+++ b/kubernetes/portal/charts/portal-app/resources/certs/keystoreONAP.keystore
diff --git a/kubernetes/portal/charts/portal-app/resources/certs/truststoreONAPall.jks b/kubernetes/portal/charts/portal-app/resources/certs/truststoreONAPall.jks
Binary files differ
new file mode 100644
index 0000000000..ff844b109d
--- /dev/null
+++ b/kubernetes/portal/charts/portal-app/resources/certs/truststoreONAPall.jks
diff --git a/kubernetes/portal/charts/portal-app/resources/server/server.xml b/kubernetes/portal/charts/portal-app/resources/server/server.xml
new file mode 100644
index 0000000000..09c2f8405f
--- /dev/null
+++ b/kubernetes/portal/charts/portal-app/resources/server/server.xml
@@ -0,0 +1,147 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- Note: A "Server" is not itself a "Container", so you may not
+ define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+ <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+ <!-- Security listener. Documentation at /docs/config/listeners.html
+ <Listener className="org.apache.catalina.security.SecurityListener" />
+ -->
+ <!--APR library loader. Documentation at /docs/apr.html -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+ <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+ <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+ <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+ <!-- Global JNDI resources
+ Documentation at /docs/jndi-resources-howto.html
+ -->
+ <GlobalNamingResources>
+ <!-- Editable user database that can also be used by
+ UserDatabaseRealm to authenticate users
+ -->
+ <Resource name="UserDatabase" auth="Container"
+ type="org.apache.catalina.UserDatabase"
+ description="User database that can be updated and saved"
+ factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+ pathname="conf/tomcat-users.xml" />
+ </GlobalNamingResources>
+
+ <!-- A "Service" is a collection of one or more "Connectors" that share
+ a single "Container" Note: A "Service" is not itself a "Container",
+ so you may not define subcomponents such as "Valves" at this level.
+ Documentation at /docs/config/service.html
+ -->
+ <Service name="Catalina">
+
+ <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+ <!--
+ <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+ maxThreads="150" minSpareThreads="4"/>
+ -->
+
+
+ <!-- A "Connector" represents an endpoint by which requests are received
+ and responses are returned. Documentation at :
+ Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+ Java AJP Connector: /docs/config/ajp.html
+ APR (HTTP/AJP) Connector: /docs/apr.html
+ Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+ -->
+ <Connector port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ <!-- A "Connector" using the shared thread pool-->
+ <!--
+ <Connector executor="tomcatThreadPool"
+ port="8080" protocol="HTTP/1.1"
+ connectionTimeout="20000"
+ redirectPort="8443" />
+ -->
+ <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
+ This connector uses the NIO implementation that requires the JSSE
+ style configuration. When using the APR/native implementation, the
+ OpenSSL style configuration is required as described in the APR/native
+ documentation -->
+ <!--
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+ clientAuth="false" sslProtocol="TLS" />
+ -->
+
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+ keystoreFile="keystoreONAP.keystore" keystorePass="{{ .Values.global.keypass }}"
+ clientAuth="false" sslProtocol="TLS" />
+
+ <!-- Define an AJP 1.3 Connector on port 8009 -->
+ <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+
+
+ <!-- An Engine represents the entry point (within Catalina) that processes
+ every request. The Engine implementation for Tomcat stand alone
+ analyzes the HTTP headers included with the request, and passes them
+ on to the appropriate Host (virtual host).
+ Documentation at /docs/config/engine.html -->
+
+ <!-- You should set jvmRoute to support load-balancing via AJP ie :
+ <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+ -->
+ <Engine name="Catalina" defaultHost="localhost">
+
+ <!--For clustering, please take a look at documentation at:
+ /docs/cluster-howto.html (simple how to)
+ /docs/config/cluster.html (reference documentation) -->
+ <!--
+ <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+ -->
+
+ <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+ via a brute-force attack -->
+ <Realm className="org.apache.catalina.realm.LockOutRealm">
+ <!-- This Realm uses the UserDatabase configured in the global JNDI
+ resources under the key "UserDatabase". Any edits
+ that are performed against this UserDatabase are immediately
+ available for use by the Realm. -->
+ <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+ resourceName="UserDatabase"/>
+ </Realm>
+
+ <Host name="localhost" appBase="webapps"
+ unpackWARs="true" autoDeploy="true">
+
+ <!-- SingleSignOn valve, share authentication between web applications
+ Documentation at: /docs/config/valve.html -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Access log processes all example.
+ Documentation at: /docs/config/valve.html
+ Note: The pattern used is equivalent to using pattern="common" -->
+ <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+ prefix="localhost_access_log" suffix=".txt"
+ pattern="%h %l %u %t "%r" %s %b" />
+
+ </Host>
+ </Engine>
+ </Service>
+</Server>
\ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-app/templates/configmap.yaml b/kubernetes/portal/charts/portal-app/templates/configmap.yaml
index 178e91c5fc..d4ef698f71 100644
--- a/kubernetes/portal/charts/portal-app/templates/configmap.yaml
+++ b/kubernetes/portal/charts/portal-app/templates/configmap.yaml
@@ -24,3 +24,5 @@ metadata:
 heritage: {{ .Release.Service }}
 data:
 {{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTAL/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/certs/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/portal/charts/portal-app/templates/deployment.yaml b/kubernetes/portal/charts/portal-app/templates/deployment.yaml
index 2ab570aab2..3fc2741556 100644
--- a/kubernetes/portal/charts/portal-app/templates/deployment.yaml
+++ b/kubernetes/portal/charts/portal-app/templates/deployment.yaml
@@ -55,10 +55,20 @@ spec:
 - ""
 - -n
 - ""
+ env:
+ - name: javax.net.ssl.keyStore
+ value: {{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}}
+ - name: javax.net.ssl.keyStorePassword
+ value: {{ .Values.global.keypass }}
+ - name: javax.net.ssl.trustStore
+ value: {{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}}
+ - name: javax.net.ssl.trustStorePassword
+ value: {{ .Values.global.keypass }}
 ports:
 - containerPort: {{ .Values.service.internalPort }}
 - containerPort: {{ .Values.service.internalPort2 }}
 - containerPort: {{ .Values.service.internalPort3 }}
+ - containerPort: {{ .Values.service.internalPort4 }}
 {{- if eq .Values.liveness.enabled true }}
 livenessProbe:
 tcpSocket:
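Review bot: The 8443 connector carries `keystorePass="{{ .Values.global.keypass }}"` in cleartext, and because this file is rendered into a ConfigMap by the configmap.yaml hunk of the same commit, the keystore password becomes readable to anything that can read ConfigMaps in the namespace; a Secret-mounted server.xml, or a password read from a Secret-backed environment variable, keeps it out of the ConfigMap. `sslProtocol="TLS"` leaves the accepted protocol versions to the JSSE default, so pinning them on the connector with `sslEnabledProtocols="TLSv1.2"` would make the policy explicit and reviewable. The plain-text `8080` and AJP `8009` connectors are kept with only `redirectPort="8443"`, so HTTPS is added rather than enforced; a one-line comment on the 8080 connector stating whether it is intended to stay reachable would save the next reader the question.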
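Review bot: The new `resources/certs/*` glob pushes the binary `.keystore` and `.jks` files through `tpl` and `.AsConfig` into the ConfigMap's `data:` section, which holds UTF-8 strings only; the keystore bytes are unlikely to survive that round trip intact, and running `tpl` over arbitrary binary can fail outright if the bytes happen to contain `{{`. Since these files and the rendered `server.xml` also carry the keystore password, they belong in a Secret rather than a ConfigMap — e.g. a separate secret template with `{{ (.Files.Glob "resources/certs/*").AsSecrets | indent 2 }}` (no `tpl`), with the deployment mounting that Secret instead. The `resources/server/*` line is the right shape for server.xml itself, but the password it embeds has the same exposure.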
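Review bot: `javax.net.ssl.keyStore` is set to `{{ .Values.global.truststoreFile}}`, so the key store and trust store env vars point at the same file while `keystoreFile` (which this commit also defines and mounts) is never referenced; this reads like a copy-paste slip and the line should be `value: {{ .Values.global.env.tomcatDir }}/{{ .Values.global.keystoreFile }}`. Both `*Password` vars are injected as literal values from values.yaml, which places the password in the Pod spec where anyone able to read pods can see it; `valueFrom: {secretKeyRef: ...}` pointing at a Secret is the conventional alternative. Note also that `javax.net.ssl.*` names set as plain environment variables are not Java system properties, so they only take effect if the container's startup script forwards them as `-D` options — that cannot be confirmed from this hunk.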
@@ -93,8 +103,15 @@ spec:
 - name: properties-onapportal
 mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/logback.xml"
 subPath: logback.xml
- - name: portal-tomcat-logs
- mountPath: "{{ .Values.global.env.tomcatDir }}/logs"
+ - name: properties-onapportal
+ mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml"
+ subPath: server.xml
+ - name: properties-onapportal
+ mountPath: "{{ .Values.global.env.tomcatDir }}/{{ .Values.global.keystoreFile}}"
+ subPath: {{ .Values.global.keystoreFile}}
+ - name: properties-onapportal
+ mountPath: "{{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}}"
+ subPath: {{ .Values.global.truststoreFile}}
 - name: var-log-onap
 mountPath: /var/log/onap
 resources:
diff --git a/kubernetes/portal/charts/portal-app/values.yaml b/kubernetes/portal/charts/portal-app/values.yaml
index a71e0c4da3..0aba001fa4 100644
--- a/kubernetes/portal/charts/portal-app/values.yaml
+++ b/kubernetes/portal/charts/portal-app/values.yaml
@@ -63,6 +63,9 @@ service:
 externalPort3: 8010
 internalPort3: 8009
 nodePort3: 14
+ externalPort4: 8443
+ internalPort4: 8443
+ nodePort4: 16
 mariadb:
 service:
diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml
index ac575b3c30..ecb7d5ecf6 100644
--- a/kubernetes/portal/values.yaml
+++ b/kubernetes/portal/values.yaml
@@ -20,11 +20,14 @@ global:
 portalPort: "8989"
 # application's front end hostname. Must be resolvable on the client side environment
 portalHostName: "portal.api.simpledemo.onap.org"
+ keystoreFile: "keystoreONAP.keystore"
+ truststoreFile: "keystoreONAPall.jks"
+ keypass: "changeit"
 config:
 logstashServiceName: log-ls
 logstashPort: 5044
-
+
 portal-mariadb:
 nameOverride: portal-db |
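Review bot: The `portal-tomcat-logs` mount of `{{ .Values.global.env.tomcatDir }}/logs` is removed with no replacement, yet the server.xml added in this commit configures `AccessLogValve` with `directory="logs"`, so access logs now land on the container's writable layer and are lost on restart; if the `portal-tomcat-logs` volume is still declared in the `volumes:` section (outside this hunk), it is now an unused declaration. The keystore and truststore are mounted from the `properties-onapportal` ConfigMap via `subPath`, which inherits the binary-in-ConfigMap problem and also means the files are not refreshed in place when the ConfigMap changes. A dedicated Secret volume for the two stores, and keeping the logs mount, would address both.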
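Review bot: `truststoreFile: "keystoreONAPall.jks"` does not match the file this commit adds, `resources/certs/truststoreONAPall.jks`, so the ConfigMap will have no key of that name and the deployment's `subPath: {{ .Values.global.truststoreFile}}` mount (and the `javax.net.ssl.trustStore` path) will reference a non-existent entry; the value should be `truststoreFile: "truststoreONAPall.jks"`. `keypass: "changeit"` is committed as the chart-wide default alongside the keystore itself, so every deployment that does not override it ships a published password for a shared private key; at minimum a comment such as `# placeholder default — must be overridden per deployment` and sourcing the value from a Secret would be appropriate.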