summaryrefslogtreecommitdiffstats
path: root/kubernetes/sdc/charts/sdc-wfd-be/templates
diff options
context:
space:
mode:
authorIlanaP <ilanap@amdocs.com>2019-11-18 21:10:08 +0200
committerIlanaP <ilanap@amdocs.com>2019-12-17 14:27:45 +0200
commitc80bff934c950c2ad75fe06b0abcc91502f57fdf (patch)
treec75408726c62d0e38c295c0aa10686cac23f2f9b /kubernetes/sdc/charts/sdc-wfd-be/templates
parent8501d7cee5a887f9e19d5fe3671ef8180bce526b (diff)
Secure FE communications to the workflow backend
Update of the workflow fe and be charts to secure the communications and to start the backend server is https mode with a secured connection to SDC Issue-ID: OOM-1954 Signed-off-by: IlanaP <ilanap@amdocs.com> Change-Id: Ia3c4c714e317b8f8b6b4ee9245daa50eea50275f Signed-off-by: IlanaP <ilanap@amdocs.com>
Diffstat (limited to 'kubernetes/sdc/charts/sdc-wfd-be/templates')
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl30
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml27
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml10
3 files changed, 22 insertions, 45 deletions
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
index c69fb7c81c..298a2cd673 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
@@ -1,29 +1 @@
-{{- define "sdc-wfd-be.volumes" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- hostPath:
- path: /etc/cassandra-client-truststore/truststore
- type: File
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- hostPath:
- path: /config/server-https-keystore/keystore
- type: File
- {{- end }}
-{{- end }}
-
-{{- define "sdc-wfd-be.volumeMounts" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- mountPath: /etc/cassandra-client-truststore/truststore
- subPath: truststore
- readOnly: true
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- mountPath: /etc/server-https-keystore/keystore
- subPath: keystore
- readOnly: true
- {{- end }}
-{{- end }} \ No newline at end of file
+{{- define "wfd-be.internalPort" }}{{ if .Values.config.serverSSLEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
index 31ab7d5eaf..00a986f4d2 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
@@ -53,20 +53,19 @@ spec:
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
+ - containerPort: {{ template "wfd-be.internalPort" . }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{ if .Values.liveness.enabled }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end }}
readinessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
@@ -89,7 +88,8 @@ spec:
- name: CS_TRUST_STORE_PATH
value: "{{ .Values.config.cassandraTrustStorePath }}"
- name: CS_TRUST_STORE_PASSWORD
- value: "{{ .Values.config.cassandraTrustStorePassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: cs_truststore_password}
- name: SDC_PROTOCOL
value: "{{ .Values.config.sdcProtocol }}"
- name: SDC_ENDPOINT
@@ -97,7 +97,8 @@ spec:
- name: SDC_USER
value: "{{ .Values.config.sdcExternalUser }}"
- name: SDC_PASSWORD
- value: "{{ .Values.config.sdcExternalUserPassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: wf_external_user_password}
- name: SERVER_SSL_ENABLED
value: "{{ .Values.config.serverSSLEnabled }}"
- name: SERVER_SSL_KEYSTORE_TYPE
@@ -105,10 +106,14 @@ spec:
- name: SERVER_SSL_KEYSTORE_PATH
value: "{{ .Values.config.serverSSLKeyStorePath }}"
- name: SERVER_SSL_KEY_PASSWORD
- value: "{{ .Values.config.serverSSLKeyPassword }}"
- volumeMounts:
- {{- template "sdc-wfd-be.volumeMounts" . }}
- volumes:
- {{- template "sdc-wfd-be.volumes" . }}
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
+ - name: SERVER_SSL_TRUSTSTORE_TYPE
+ value: "{{ .Values.config.serverSSLTrustStoreType }}"
+ - name: SERVER_SSL_TRUSTSTORE_PATH
+ value: "{{ .Values.config.serverSSLTrustStorePath }}"
+ - name: SERVER_SSL_TRUST_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
index 14a937fe00..fee95ba42e 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
@@ -28,13 +28,13 @@ spec:
type: {{ .Values.service.type }}
ports:
{{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
+ - port: {{ template "wfd-be.internalPort" . }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName | default "http" }}
+ name: {{ .Values.service.portName }}
{{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName | default "http" }}
+ - port: {{ if .Values.config.serverSslEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+ targetPort: {{ template "wfd-be.internalPort" . }}
+ name: {{ .Values.service.portName }}
{{- end}}
selector:
app: {{ include "common.name" . }}